Understanding Vulnerabilities

Read and interpret vulnerability details including CVE IDs, severity scores, CVSS, EPSS, and KEV status.

Each vulnerability discovered during scanning comes with detailed metadata to help you assess its impact and prioritize remediation.

CVE identifier

Every vulnerability has a CVE ID (e.g., CVE-2024-1234) assigned by the CVE Program. This is the unique, globally recognized identifier for the vulnerability.

Severity

Vulnerabilities are classified into four severity levels:

  • Critical: CVSS score 9.0-10.0. Requires immediate attention.
  • High: CVSS score 7.0-8.9. Should be addressed promptly.
  • Medium: CVSS score 4.0-6.9. Should be scheduled for remediation.
  • Low: CVSS score 0.1-3.9. Address as resources allow.

CVSS scores

The Common Vulnerability Scoring System (CVSS) provides a numerical severity rating:

  • CVSS v4: The latest version, providing more granular assessment. Displayed with a "v4" label when available.
  • CVSS v3: The most widely used version. Includes a base score and vector string describing the attack characteristics.
  • CVSS v2: Legacy scoring system, available for older vulnerabilities.

CVEium displays the most recent CVSS version available for each vulnerability, preferring v4 over v3 over v2.

EPSS (Exploit Prediction Scoring System)

EPSS provides a probability score (0.0 to 1.0) estimating the likelihood that a vulnerability will be exploited in the wild within the next 30 days. A higher EPSS score means exploitation is more likely.

The EPSS percentile indicates how the vulnerability compares to all other known vulnerabilities. For example, a 95th percentile means the vulnerability has a higher exploitation probability than 95% of all known CVEs.

KEV (Known Exploited Vulnerabilities)

Vulnerabilities flagged as KEV are listed in CISA's Known Exploited Vulnerabilities catalog. These are vulnerabilities with confirmed active exploitation in the wild.

KEV vulnerabilities are:

  • Highlighted with a red KEV badge in the vulnerability table
  • Sorted to the top of the list for priority attention
  • Counted separately in the triage statistics
  • Subject to the most urgent SLA deadlines

Under CISA Binding Operational Directive 22-01, US federal agencies must remediate KEV vulnerabilities within strict timelines.
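To show how the fields above combine into a display order, here is an added Python example (not CVEium's own code) that picks the CVSS version to show by preferring v4 over v3 over v2, maps the score onto the four severity bands, and sorts KEV entries to the top ahead of higher-scored non-KEV entries. The record shape and the sample records are constructed for this example; the CVE IDs are placeholders.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Vuln:
    """Constructed record shape for illustration, not CVEium's data model."""
    cve_id: str
    cvss_v4: Optional[float] = None
    cvss_v3: Optional[float] = None
    cvss_v2: Optional[float] = None
    epss: float = 0.0   # probability (0.0-1.0) of exploitation within 30 days
    kev: bool = False   # present in CISA's Known Exploited Vulnerabilities catalog

def displayed_cvss(v):
    """Pick the CVSS version to show, preferring v4 over v3 over v2."""
    for label, score in (("v4", v.cvss_v4), ("v3", v.cvss_v3), ("v2", v.cvss_v2)):
        if score is not None:
            return label, score
    return None, None

def severity(score):
    """Map a CVSS base score onto the four severity bands."""
    if score is None:
        return "Unknown"   # assumption: no CVSS data at all
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score >= 0.1 else "None"  # "None" for 0.0 is an assumption

def sort_key(v):
    """KEV entries first, then by displayed CVSS score, then by EPSS."""
    _, score = displayed_cvss(v)
    return (not v.kev, -(score or 0.0), -v.epss)

def triage(vulns):
    """Return rows in display order with the derived fields filled in."""
    rows = []
    for v in sorted(vulns, key=sort_key):
        label, score = displayed_cvss(v)
        rows.append({"cve": v.cve_id, "cvss": f"{label} {score}" if label else "n/a",
                     "severity": severity(score), "epss": v.epss, "kev": v.kev})
    return rows

# Constructed sample records; the IDs are placeholders, not real CVEs.
SAMPLE = [
    Vuln("CVE-0000-0001", cvss_v3=9.8, cvss_v2=10.0, epss=0.02),
    Vuln("CVE-0000-0002", cvss_v4=6.9, cvss_v3=7.5, epss=0.91, kev=True),
    Vuln("CVE-0000-0003", cvss_v2=5.0, epss=0.001),
]
```

Note that the KEV entry lands first even though its displayed v4 score is only Medium, which is exactly why KEV status is surfaced separately from CVSS.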

Additional fields

  • CWE (Common Weakness Enumeration): The category of software weakness (e.g., CWE-79 for Cross-Site Scripting)
  • Affected component: The specific SBOM component that matched the vulnerability
  • Reference URLs: Links to advisories, patches, and detailed descriptions
  • Published date: When the CVE was first published
  • Last modified date: When the CVE record was last updated
  • Source: The data source (typically NVD) with a link to the full record