Security Dashboard

250641

CVEs Published

16043

CVEs Published in 2024

30949

CVEs Published last year (2023)

Common Vulnerabilities and Exposures (CVE)

The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures.

CVE.org

CVEs Published

Top CNAs


Infamous Vulnerabilities & Attacks

BlueBorne
BlueKeep
DROWN
Dirty COW
Dirty Pipe
Downfall
EFAIL
EternalBlue
Flipping Pages
Follina
Foreshadow
GameOver(lay)
HTTP/2 Rapid Reset Attack
Heartbleed
KRACK
KeyTrap
Log4Shell
Looney Tunables
Meltdown
Microarchitectural Data Sampling (MDS)
POODLE
PrintNightmare
ProxyNotShell
PwnKit
ROCA
Reptar
Retbleed
SMBGhost
SSID Confusion Attack
ShellShock
SigSpoof
Spectre
SpookySSL
Spring4Shell
StackRot
Terrapin
Text4Shell
TunnelVision
Wall-Escape
Zenbleed

Common Weakness Enumeration (CWE)

The Common Weakness Enumeration (CWE) is a category system for software weaknesses and vulnerabilities. It is sustained by a community project with the goals of understanding flaws in software and creating automated tools that can be used to identify, fix, and prevent those flaws.

CWE at MITRE.org

Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

CVSS at FIRST.org

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

CVSS Base Metrics

Access Vector (AV)

The access vector (AV) shows how a vulnerability may be exploited.

Access Complexity (AC)

The access complexity (AC) metric describes how easy or difficult it is to exploit the discovered vulnerability.

Authentication (Au)

The authentication (Au) metric describes the number of times that an attacker must authenticate to a target to exploit it. It does not include (for example) authentication to a network in order to gain access. For locally exploitable vulnerabilities, this value should only be set to Single or Multiple if further authentication is required after initial access.

Attack Vector (AV)

This metric reflects the context by which vulnerability exploitation is possible.

Attack Complexity (AC)

This metric describes the conditions that are beyond the attacker's control and that must exist in order to exploit the vulnerability.

Privileges Required (PR)

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

User Interaction (UI)

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.

Scope (S)

This metric determines whether a vulnerability in one system or component can have a carry-over impact on another system or component.

CVSS Impact Metrics

Confidentiality (C)

The confidentiality (C) metric describes the impact on the confidentiality of data processed by the system.

Integrity (I)

The integrity (I) metric describes the impact on the integrity of the exploited system.

Availability (A)

The availability (A) metric describes the impact on the availability of the target system. Attacks that consume network bandwidth, processor cycles, memory or any other resources affect the availability of a system.

Confidentiality (C)

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity (I)

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

Availability (A)

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. It refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component.

Exploit Prediction Scoring System (EPSS)

The Exploit Prediction Scoring System (EPSS) is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. Our goal is to assist network defenders to better prioritize vulnerability remediation efforts. While other industry standards have been useful for capturing innate characteristics of a vulnerability and provide measures of severity, they are limited in their ability to assess threat. EPSS fills that gap because it uses current threat information from CVE and real-world exploit data. The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS at FIRST.org