What is a CVE ID?

Giulio Saggin

A CVE ID is a 'CVE identifier', the number given to a vulnerability that includes the CVE prefix + year + sequence number (CVE-YYYY-NNNNN) e.g. CVE-2019-10766.

The sequence number at the end of the CVE ID can vary from four to seven digits. When CVE IDs were first published in 1999, the numbering sequence only allowed for a maximum of 9,999 'unique identifiers' each year. As the number of reported vulnerabilities exceeded 9,999 per year, the sequence number needed to increase accordingly and five-digit numbers were first used in January 2015 (the now-defunct Distributed Weakness Filing [DWF] CNA started assigning seven-digit CVE IDs in May, 2016).

The year that appears in the CVE ID indicates the year the vulnerability was made public and/or assigned, and not just the year it was discovered (unless it is the same year as the CVE ID is assigned).

SecAlerts doesn't assign CVE IDs but we do alert you to CVEs as soon as they are published (sometimes vendors delay releasing CVEs) so you can keep your software updated. Enter your software stack and receive a free weekly report with a round-up of CVEs (& security news) unique to your stack: www.secalerts.co

Signup for vulnerability alerts

SecAlerts Pty Ltd.
Fortitude Valley,
QLD 4006, Australia
© Copyright 2023 - ABN: 70 645 966 203, ACN: 645 966 203