Glossary

CVE (Common Vulnerabilities and Exposures)

A unique identifier assigned to each publicly known security vulnerability (e.g., CVE-2024-XXXXX). CVEs allow security teams to reference and track flaws unambiguously. The CVE database is maintained by MITRE.

What a CVE is for, concretely

A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a publicly disclosed vulnerability — for example CVE-2021-44228 for Log4Shell. The system, operated by MITRE, lets the whole ecosystem (vendors, scanners, security teams) refer to the same flaw without ambiguity. Each CVE is then enriched with a CVSS severity score and, on NVD's side, the list of affected versions. For a SaaS vendor, the relevant CVEs are the ones touching your stack: framework, dependencies, database, Docker images.

Why CVEs matter for an HR SaaS vendor

Your clients and their CISOs track critical CVEs: after every headline vulnerability, expect the question 'are you affected?'. An unpatched dependency with an exploitable critical CVE is also the first thing an external scanner or opportunistic attacker will find — mass exploitation often starts within hours of publication. CVE monitoring on your stack (Next.js, Laravel, Supabase, npm/composer packages) and a fast patching process are part of the 'state of the art' measures expected under GDPR Article 32.

What CleanIssue checks

During an audit we identify externally visible components (framework versions, servers, exposed libraries) and match them against known CVEs that are actually exploitable in your context — not just a raw scanner list. We also publish detailed analyses of CVEs affecting our clients' stacks, with real exploitation context and the actions to take.

Frequently asked questions

Are all CVEs dangerous?

No. A large share of CVEs are not exploitable in a given context: the vulnerable function isn't used, the component isn't exposed, or an upstream protection blocks the attack. That is the point of contextual analysis versus a raw scan: prioritizing the CVEs that pose a real risk to your product.

What is the difference between CVE, CWE and CVSS?

A CVE identifies a specific vulnerability in a specific product. A CWE categorizes the underlying weakness type (e.g. CWE-89 for SQL injection). CVSS assigns a 0-10 severity score to a CVE. The three complement each other: a CVE of type CWE-89 with a CVSS of 9.8, for instance.

How do you track CVEs for your stack?

Enable dependency alerts (Dependabot, Renovate, npm audit, composer audit), follow security advisories for your critical components, and define an internal remediation SLA by severity. For publicly exposed components, a periodic external review verifies nothing slipped through.

Related Pages

Other Terms

Need an external review of your HR SaaS?

Share your product, stack, and client context. We will come back with the right review scope.

Discuss your audit