Frequently Asked Questions

What is a Vulnerability ID?

A Vulnerability ID is a unique identifier assigned to a specific security vulnerability. The most common format is CVE (Common Vulnerabilities and Exposures) IDs, which follow the pattern CVE-YYYY-NNNNN (e.g., CVE-2024-27305). These IDs are assigned by CVE Numbering Authorities (CNAs) and provide a standardized way to reference and track vulnerabilities across different systems and databases.

Example: CVE-2024-27305 refers to a specific vulnerability discovered in 2024.

What are Vulnerability Aliases?

Vulnerability aliases are alternative identifiers for the same vulnerability. Different organizations and databases may assign their own IDs to the same security issue before a CVE is assigned, or they may use their own naming conventions. Common alias types include:

  • GHSA-*: GitHub Security Advisories (e.g., GHSA-pr2m-px7j-xg65)
  • PYSEC-*: Python Security advisories (e.g., PYSEC-2024-221)
  • RUSTSEC-*: Rust Security advisories
  • GO-*: Go Security advisories
  • DSA-*: Debian Security Advisories

Note: You can access vulnerability pages using any of its aliases. For example, both CVE-2024-27305 and GHSA-pr2m-px7j-xg65 will show the same vulnerability.
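
As an added illustration of how a vulnerability database resolves the alias families listed above (this is example code written for this FAQ, not CveMate's own implementation), the block below normalizes the spelling of an ID and merges alias records transitively so that any alias resolves to the same group. The GHSA character class is deliberately permissive and GitHub's real alphabet is narrower; the PYSEC and DSA IDs in the sample records are placeholders, not real advisories.

```python
import re
from typing import Dict, FrozenSet, Iterable, List, Optional

# Constructed patterns for the alias families listed on this page. The GHSA
# character class is deliberately permissive (any lowercase alphanumeric);
# GitHub's real alphabet is narrower, so treat that part as an assumption.
ID_PATTERNS = {
    "CVE":     re.compile(r"^CVE-\d{4}-\d{4,}$"),
    "GHSA":    re.compile(r"^GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$"),
    "PYSEC":   re.compile(r"^PYSEC-\d{4}-\d+$"),
    "RUSTSEC": re.compile(r"^RUSTSEC-\d{4}-\d{4}$"),
    "GO":      re.compile(r"^GO-\d{4}-\d{4,}$"),
    "DSA":     re.compile(r"^DSA-\d+(?:-\d+)?$"),
}

def normalize_id(raw: str) -> Optional[str]:
    """Return the canonical spelling of a vulnerability ID, or None if it
    matches none of the families above. Prefixes are case-insensitive
    ("cve-2024-27305" is accepted); GHSA suffixes are lowercase by convention."""
    prefix, sep, rest = raw.strip().partition("-")
    if not sep:
        return None
    family = prefix.upper()
    pattern = ID_PATTERNS.get(family)
    if pattern is None:
        return None
    candidate = f"{family}-{rest.lower() if family == 'GHSA' else rest}"
    return candidate if pattern.match(candidate) else None

def build_alias_index(records: Iterable[List[str]]) -> Dict[str, FrozenSet[str]]:
    """Each record is a list of IDs that one source says refer to the same
    vulnerability. Records are merged transitively (union-find), so looking up
    any alias returns the full set of IDs for that vulnerability."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for record in records:
        ids = [c for c in (normalize_id(i) for i in record) if c is not None]
        for c in ids:
            find(c)  # register singletons too, so IDs without aliases are indexed
        for a, b in zip(ids, ids[1:]):
            parent[find(a)] = find(b)

    groups: Dict[str, set] = {}
    for x in list(parent):
        groups.setdefault(find(x), set()).add(x)
    return {member: frozenset(members) for members in groups.values() for member in members}

# Constructed sample: the CVE/GHSA pair is the one quoted on this page; the
# PYSEC and DSA entries are placeholder IDs, not real advisories. The second
# record shows a different source's alias being merged into the same group.
SAMPLE_RECORDS = [
    ["CVE-2024-27305", "GHSA-pr2m-px7j-xg65"],
    ["ghsa-pr2m-px7j-xg65", "PYSEC-2024-999"],
    ["DSA-0000-1"],  # placeholder with no aliases: stays in a group of its own
]

def lookup(alias: str, records=SAMPLE_RECORDS) -> FrozenSet[str]:
    """Resolve any alias (in any letter case) to the full alias set; empty if unknown."""
    canonical = normalize_id(alias)
    if canonical is None:
        return frozenset()
    return build_alias_index(records).get(canonical, frozenset())

if __name__ == "__main__":
    print(sorted(lookup("ghsa-pr2m-px7j-xg65")))
```

The index is rebuilt on every `lookup` call here for simplicity; a real service would build it once and refresh it as advisory feeds are ingested.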

What is CVSS?

The Common Vulnerability Scoring System (CVSS) provides a standardized method for rating the severity of security vulnerabilities. CVSS scores range from 0.0 to 10.0, with higher scores indicating more severe vulnerabilities. The system has evolved through several versions (2.0, 3.0, 3.1, 4.0), with each version refining the scoring methodology.

Severity Ratings:

  • 0.0 None
  • 0.1-3.9 Low
  • 4.0-6.9 Medium
  • 7.0-8.9 High
  • 9.0-10.0 Critical

Key Metrics:

  • Base Score: Intrinsic vulnerability characteristics
  • Exploitability: How easy it is to exploit
  • Impact: Consequences of successful exploitation

Learn more about CVSS

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model that estimates the likelihood of a software vulnerability being exploited in the wild within the next 30 days. Unlike CVSS, which measures the severity and impact of a vulnerability, EPSS focuses on the probability of exploitation, based on threat intelligence, exploit availability, and other factors.

EPSS Score: Ranges from 0 to 1 (0% to 100% probability)

EPSS Percentile: Shows how this vulnerability ranks compared to all others

EPSS Severity Bands: We classify raw scores into bands for easier triage: Critical ≥ 0.50, High ≥ 0.20, Medium ≥ 0.05, Low ≥ 0.01, Info < 0.01. These cutoffs roughly correspond to the top ~1%, the next few percent, the top ~10%, and the top ~25–30% of all scores, so that the categories remain meaningful.
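
The following block, added as an example for this FAQ (it is not CveMate's code), implements both the CVSS severity ratings table and the EPSS severity bands above and then combines them with the KEV and public-exploit signals described elsewhere on this page into a triage order. Scores are handled as exact decimals so that boundary values such as 4.0 and 0.05 land in the right band; the triage ordering itself (KEV first, then public exploit, then EPSS, then CVSS) is this example's assumption, and the finding IDs and scores are constructed placeholders.

```python
from decimal import Decimal, InvalidOperation
from typing import List

# Inclusive lower bounds, highest band first, copied from the tables on this page.
CVSS_BANDS = [("9.0", "Critical"), ("7.0", "High"), ("4.0", "Medium"),
              ("0.1", "Low"), ("0.0", "None")]
EPSS_BANDS = [("0.50", "Critical"), ("0.20", "High"), ("0.05", "Medium"),
              ("0.01", "Low"), ("0", "Info")]

def _bounded_decimal(value, lo: str, hi: str, what: str) -> Decimal:
    """Parse a score as an exact Decimal (no float surprises at 0.1/4.0
    boundaries) and reject anything outside [lo, hi], including NaN."""
    try:
        d = Decimal(str(value))
    except InvalidOperation:
        raise ValueError(f"{what}: not a number: {value!r}") from None
    if d.is_nan() or not (Decimal(lo) <= d <= Decimal(hi)):
        raise ValueError(f"{what}: {d} is outside [{lo}, {hi}]")
    return d

def cvss_severity(score) -> str:
    """Map a CVSS base score (0.0-10.0) to the page's qualitative rating.
    Bounds are inclusive and compared continuously, so an unrounded 3.95 is Low."""
    s = _bounded_decimal(score, "0", "10", "cvss")
    return next(label for lower, label in CVSS_BANDS if s >= Decimal(lower))

def epss_band(probability) -> str:
    """Map an EPSS probability (0-1) to the page's Critical/High/Medium/Low/Info band."""
    p = _bounded_decimal(probability, "0", "1", "epss")
    return next(label for lower, label in EPSS_BANDS if p >= Decimal(lower))

RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0, "Info": 0}

def triage_key(finding: dict) -> tuple:
    """Sort key; a larger tuple means 'patch sooner'. The ordering is this
    example's assumption, built from the page's guidance: KEV entries first
    (ransomware-linked ahead of the rest), then public exploit, then EPSS, then CVSS."""
    in_kev = bool(finding.get("kev"))
    return (
        2 if in_kev and finding.get("known_ransomware") else 1 if in_kev else 0,
        1 if finding.get("public_exploit") else 0,
        RANK[epss_band(finding.get("epss", 0))],
        RANK[cvss_severity(finding.get("cvss", 0))],
    )

# Constructed findings with placeholder IDs; the scores are illustrative, not real.
SAMPLE_FINDINGS = [
    {"id": "VULN-A", "cvss": 9.8, "epss": 0.004},
    {"id": "VULN-B", "cvss": 7.5, "epss": 0.62, "public_exploit": True},
    {"id": "VULN-C", "cvss": 5.3, "epss": 0.31, "kev": True, "known_ransomware": True},
    {"id": "VULN-D", "cvss": 3.95, "epss": 0.0},
]

def prioritized(findings=SAMPLE_FINDINGS) -> List[str]:
    """IDs in the order they should be worked, most urgent first."""
    return [f["id"] for f in sorted(findings, key=triage_key, reverse=True)]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f["id"], cvss_severity(f["cvss"]), epss_band(f["epss"]), triage_key(f))
    print(prioritized())
```

Note how VULN-A, the only Critical CVSS score in the sample, sorts third: its EPSS score is in the Info band and it has no exploitation evidence, while the lower-scored VULN-C is on the KEV list with a ransomware link.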

Learn more about EPSS

What is CISA?

The Cybersecurity and Infrastructure Security Agency (CISA) is a United States federal agency that maintains the Known Exploited Vulnerabilities (KEV) catalog. CISA identifies vulnerabilities that are actively being exploited in the wild and provides binding operational directives for federal agencies to patch these vulnerabilities within specific timeframes.

KEV Catalog: Contains vulnerabilities with evidence of active exploitation

Due Date: Federal agencies must remediate by the specified date

Required Action: Specific steps agencies must take (usually "Apply updates")

Known Ransomware: CISA flags vulnerabilities that are known to be used by ransomware actors, indicating particularly high-priority threats that should be addressed immediately

View CISA KEV Catalog

What are Exploits?

Exploits are pieces of code, commands, or techniques that take advantage of vulnerabilities to compromise systems, steal data, or gain unauthorized access. The existence of public exploits significantly increases the risk associated with a vulnerability, as attackers can use these ready-made tools.

Exploit Sources:

  • Exploit-DB: Public exploit database
  • Metasploit: Penetration testing framework
  • GitHub: Proof-of-concept exploits
  • Security Research: Academic and researcher publications

Exploit Types:

  • PoC: Proof of Concept demonstrations
  • Weaponized: Ready-to-use attack tools
  • In-the-wild: Actively used by attackers
  • Theoretical: Conceptual attack methods

Risk Impact: Vulnerabilities with public exploits should be prioritized for patching, as they pose immediate and practical threats to your systems.

What are Affected Packages?

Affected packages refer to specific software packages, libraries, or components that contain a vulnerability. Package information helps developers and system administrators identify exactly which dependencies in their projects are vulnerable and need to be updated.

Package Ecosystems:

  • npm: Node.js packages
  • PyPI: Python packages
  • RubyGems: Ruby packages
  • Maven: Java packages
  • Go: Go modules

Package Information:

  • Name: Package identifier
  • PURL: Package URL for universal identification
  • Versions: Specific vulnerable versions
  • Ranges: Version ranges affected
  • Fix: Version where vulnerability is resolved

What is Package URL (PURL)?

Package URL (PURL) is a standardized format for identifying and locating software packages across different ecosystems and repositories. It provides a universal way to reference packages regardless of their source or package manager, making vulnerability tracking and dependency management more consistent.

Format: pkg:type/namespace/name@version?qualifiers#subpath

Examples:

pkg:npm/lodash@4.17.20

pkg:pypi/django@3.2.5

pkg:maven/org.apache.commons/commons-lang3@3.12.0

pkg:gem/rails@7.0.4

PURL Components:

  • type: Package manager (npm, pypi, maven)
  • namespace: Package namespace or organization
  • name: Package name
  • version: Package version
  • qualifiers: Additional attributes
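
To show how the `pkg:type/namespace/name@version?qualifiers#subpath` format above is actually taken apart, here is a purl parser and serializer added as an example for this FAQ (it is not CveMate's code and not the reference implementation from the PURL project). It splits in the order the specification prescribes, percent-decodes each component, and applies the type-specific name rules for the `pypi` and `github` types; the `@angular` test input is a constructed example of a namespaced npm package.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import quote, unquote

@dataclass(frozen=True)
class PackageURL:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None

def _rsplit_once(s: str, ch: str):
    """Split on the rightmost `ch`; return (s, None) when it is absent."""
    head, sep, tail = s.rpartition(ch)
    return (head, tail) if sep else (s, None)

def parse_purl(purl: str) -> PackageURL:
    """Parse a purl by splitting in the order the spec prescribes: '#' subpath
    and '?' qualifiers from the right, then the 'pkg:' scheme, the type, the
    '@' version (from the right), and finally namespace/name segments,
    each percent-decoded."""
    s = purl.strip()
    s, subpath = _rsplit_once(s, "#")
    s, qualifiers = _rsplit_once(s, "?")
    if not s.lower().startswith("pkg:"):
        raise ValueError(f"not a purl (missing 'pkg:' scheme): {purl!r}")
    s = s[4:].lstrip("/")
    ptype, sep, s = s.partition("/")
    if not sep or not ptype:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    ptype = ptype.lower()
    s, version = _rsplit_once(s, "@")
    segments = [unquote(seg) for seg in s.strip("/").split("/") if seg]
    if not segments:
        raise ValueError(f"purl needs a name: {purl!r}")
    name, namespace = segments[-1], "/".join(segments[:-1]) or None

    # Type-specific canonical forms from the spec, for the types handled here.
    if ptype == "pypi":
        name = name.lower().replace("_", "-")   # PyPI is case-insensitive and treats _ as -
    elif ptype == "github":
        name = name.lower()
        namespace = namespace.lower() if namespace else None

    quals: Dict[str, str] = {}
    for pair in (qualifiers or "").split("&"):
        key, eq, value = pair.partition("=")
        if eq and value:                       # empty values are dropped per spec
            quals[key.lower()] = unquote(value)

    sub = None
    if subpath:
        parts = [unquote(p) for p in subpath.split("/") if p not in ("", ".", "..")]
        sub = "/".join(parts) or None
    return PackageURL(ptype, namespace, name, unquote(version) if version else None, quals, sub)

def to_string(p: PackageURL) -> str:
    """Serialize back to canonical form (segments percent-encoded, qualifiers sorted)."""
    out = f"pkg:{p.type}/"
    if p.namespace:
        out += "/".join(quote(seg, safe="") for seg in p.namespace.split("/")) + "/"
    out += quote(p.name, safe="")
    if p.version:
        out += "@" + quote(p.version, safe="")
    if p.qualifiers:
        out += "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(p.qualifiers.items()))
    if p.subpath:
        out += "#" + "/".join(quote(seg, safe="") for seg in p.subpath.split("/"))
    return out

if __name__ == "__main__":
    for example in ("pkg:npm/lodash@4.17.20", "pkg:pypi/django@3.2.5",
                    "pkg:maven/org.apache.commons/commons-lang3@3.12.0", "pkg:gem/rails@7.0.4"):
        print(parse_purl(example))
```

Parsing the version from the rightmost `@` matters for scoped npm packages, whose namespace begins with a percent-encoded `@` (`%40angular`); decoding before splitting would put the `@` back and break the parse.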

Benefits:

  • Universal: Works across all package ecosystems
  • Precise: Unambiguously identifies packages
  • Automation: Enables automated vulnerability scanning
  • Integration: Standard format for security tools

View PURL Specification

What is CWE (Common Weakness Enumeration)?

Common Weakness Enumeration (CWE) is a community-developed list of common software and hardware weakness types. CWEs categorize the root causes of vulnerabilities, helping developers and security professionals understand what went wrong and how to prevent similar issues.

Example: CWE-79 (Cross-site Scripting) describes vulnerabilities where user-controlled input is not properly neutralized before being placed in a web page, allowing attackers to inject malicious scripts.

Browse CWE database

What is CPE (Common Platform Enumeration)?

Common Platform Enumeration (CPE) is a standardized method for describing and identifying classes of applications, operating systems, and hardware devices. CPE names help specify exactly which systems are affected by a vulnerability.

Format: cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other

Example: cpe:2.3:a:apache:http_server:2.4.41:*:*:*:*:*:*:* (Apache HTTP Server version 2.4.41)
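
As an added example for this FAQ (not CveMate's code, and not the reference matching algorithm from the CPE specification), the block below parses the 13-field CPE 2.3 formatted string shown above and checks an inventory of hosts against an advisory's CPE. It honours backslash-escaped colons, treats `*` as ANY and `-` as NOT APPLICABLE, and deliberately refuses to count a host whose version is unknown (`*`) as matching a version-specific advisory. The host names and CPEs in the inventory are constructed.

```python
import re
from typing import Dict, List

CPE_ATTRS = ["part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other"]

def _split_unescaped(s: str, sep: str = ":") -> List[str]:
    """Split on `sep` while keeping backslash-escaped characters (e.g. '\\:') intact."""
    fields, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    fields.append("".join(cur))
    return fields

def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Parse a CPE 2.3 formatted string into its eleven named attributes.
    '*' means ANY and '-' means NOT APPLICABLE; both are kept verbatim."""
    fields = _split_unescaped(cpe.strip())
    if len(fields) != 13 or fields[0].lower() != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    attrs = dict(zip(CPE_ATTRS, fields[2:]))
    if attrs["part"] not in ("a", "o", "h", "*", "-"):
        raise ValueError(f"part must be a, o, h, * or -: {attrs['part']!r}")
    return attrs

def _unescape(v: str) -> str:
    return re.sub(r"\\(.)", r"\1", v)

def _value_regex(v: str) -> str:
    """Turn an attribute value into a regex: unescaped '*' matches any run of
    characters, unescaped '?' any single character, '\\x' the literal x."""
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            out.append(re.escape(v[i + 1]))
            i += 2
            continue
        out.append(".*" if v[i] == "*" else "." if v[i] == "?" else re.escape(v[i]))
        i += 1
    return "^" + "".join(out) + "$"

def cpe_match(pattern: str, candidate: str) -> bool:
    """True if a concrete inventory CPE (`candidate`) falls within the set
    described by an advisory CPE (`pattern`). Comparison is case-insensitive.
    A '*' in the candidate (unknown attribute) only matches when the pattern
    leaves that attribute unconstrained too."""
    p, c = parse_cpe23(pattern), parse_cpe23(candidate)
    for attr in CPE_ATTRS:
        pv, cv = p[attr].lower(), c[attr].lower()
        if pv == "*":
            continue
        if cv == "*" or pv == "-" or cv == "-":
            if pv != cv:
                return False
            continue
        if not re.match(_value_regex(pv), _unescape(cv)):
            return False
    return True

# Constructed inventory: placeholder host names with illustrative CPEs.
SAMPLE_INVENTORY = {
    "web-01": "cpe:2.3:a:apache:http_server:2.4.41:*:*:*:*:*:*:*",
    "web-02": "cpe:2.3:a:apache:http_server:2.4.57:*:*:*:*:*:*:*",
    "web-03": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*",  # version unknown
    "db-01":  "cpe:2.3:a:oracle:mysql:8.0.28:*:*:*:*:*:*:*",
}

def affected_hosts(advisory_cpe: str, inventory=SAMPLE_INVENTORY) -> List[str]:
    """Host names whose CPE matches the advisory's CPE, in inventory order."""
    return [host for host, cpe in inventory.items() if cpe_match(advisory_cpe, cpe)]

if __name__ == "__main__":
    print(parse_cpe23("cpe:2.3:a:apache:http_server:2.4.41:*:*:*:*:*:*:*"))
    print(affected_hosts("cpe:2.3:a:apache:http_server:2.4.*:*:*:*:*:*:*:*"))
```

Treating an unknown version as a non-match is a conscious choice: it keeps the "affected" list precise, but it means hosts like `web-03` need to be reported separately as unverified rather than silently ignored.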

© 2025 CveMate. All rights reserved. v0.1.3