Glossary

Plain-English definitions of the acronyms and terms used throughout ThreatLens. New to vulnerability intelligence? Start with CVE, CVSS, and KEV.

Identifier (2 terms)

Naming schemes that uniquely label vulnerabilities and products.

CPE (Common Platform Enumeration)

A standardized name for a piece of software, hardware, or OS.

CPE strings like cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:* let tools precisely match a CVE to the affected product and version, instead of relying on fuzzy product names.

nvd.nist.gov/products/cpe

CVE (Common Vulnerabilities and Exposures)

A unique ID for a publicly disclosed security flaw.

Every known vulnerability gets a CVE ID like CVE-2024-12345. It's the universal reference used by vendors, researchers, and security tools to talk about the same bug.

cve.org

Scoring (2 terms)

Systems that quantify severity or exploitation likelihood.

CVSS (Common Vulnerability Scoring System)

A 0–10 score representing how severe a vulnerability is.

CVSS combines factors like attack vector, complexity, required privileges, and impact on confidentiality/integrity/availability into a single base score. 9.0+ is Critical, 7.0–8.9 High, 4.0–6.9 Medium, 0.1–3.9 Low.

first.org/cvss

EPSS (Exploit Prediction Scoring System)

A 0–100% probability that a CVE will be exploited in the next 30 days.

EPSS is a data-driven model from FIRST.org that helps prioritize patching. A high CVSS score means a bug is bad if exploited; a high EPSS score means it's likely to actually be exploited soon.

first.org/epss

Catalog (3 terms)

Curated databases and lists maintained by official bodies.

CWE (Common Weakness Enumeration)

A catalog of weakness types (the 'how' behind a CVE).

While CVE identifies a specific bug, CWE describes the underlying class of weakness — for example CWE-79 (Cross-Site Scripting) or CWE-89 (SQL Injection). One CWE can be the root cause of thousands of CVEs.

cwe.mitre.org

KEV (Known Exploited Vulnerabilities)

CISA's list of CVEs confirmed to be actively exploited in the wild.

If a vulnerability is on the KEV catalog, attackers are using it right now. U.S. federal agencies are required to patch KEV entries on a deadline, and it's the highest-priority list for any defender.

cisa.gov/known-exploited-vulnerabilities-catalog

NVD (National Vulnerability Database)

The U.S. government's enriched database of CVE records.

Run by NIST, the NVD takes CVE entries and adds CVSS scores, CWE mappings, CPE product matches, and references. It's the primary upstream feed for most vulnerability tools.

nvd.nist.gov

Organization (3 terms)

Agencies and authorities that publish vulnerability data.

CISA (Cybersecurity and Infrastructure Security Agency)

U.S. federal agency that publishes KEV and security advisories.

CISA is part of the Department of Homeland Security and acts as the operational lead for federal cybersecurity. It maintains the KEV catalog, issues alerts, and coordinates response to major incidents.

cisa.gov

CNA (CVE Numbering Authority)

An organization authorized to assign CVE IDs.

Vendors like Microsoft, Red Hat, and Google are CNAs for their own products, meaning they can reserve and publish CVE IDs directly. MITRE acts as the root CNA for everything else.

cve.org/PartnerInformation/ListofPartners

NIST (National Institute of Standards and Technology)

U.S. agency that operates the NVD.

NIST publishes cybersecurity standards (like the NIST Cybersecurity Framework) and runs the NVD, which enriches CVE data with scoring and product information.

nist.gov

Concept (6 terms)

Common attack techniques and security terminology.

0-day (Zero-day vulnerability)

A vulnerability being exploited before a patch is available.

The 'zero' refers to how many days defenders have had to fix it. 0-days are especially dangerous because there's no official remediation when exploitation begins.

PoC (Proof of Concept)

Demonstration code or steps showing a vulnerability is real.

A PoC proves the bug is exploitable but isn't necessarily a weaponized attack. Public PoCs dramatically increase the risk that a CVE will be widely exploited.

RCE (Remote Code Execution)

An attacker can run arbitrary code on a target system over the network.

RCE is one of the most severe vulnerability classes — it typically leads to full system compromise without needing physical access or prior credentials.

SQLi (SQL Injection)

Injecting database commands through user input.

If an app concatenates user input directly into SQL queries, an attacker can read, modify, or delete arbitrary data — and sometimes execute commands on the database server itself.

SSRF (Server-Side Request Forgery)

An attacker tricks a server into making requests on their behalf.

SSRF can be used to reach internal services that aren't exposed to the internet, exfiltrate cloud metadata credentials, or pivot deeper into a network.

XSS (Cross-Site Scripting)

Injecting attacker-controlled JavaScript into a trusted website.

When a victim loads the page, the malicious script runs in their browser with the site's privileges — letting the attacker steal session cookies, deface content, or perform actions as the user.
