basic5 min readUnderstanding CVEs: How Vulnerability Databases Protect Your SoftwareEvery week, over 200 new vulnerabilities hit the National Vulnerability Database. Understanding CVEs, CVSS, EPSS, and how vulnerability databases work is the key to protecting your containers without drowning in alert fatigue. This beginner's guide explains everything you need to know.ShieldOps AI2026-07-16 ·0Every week, more than 200 new vulnerabilities are published to theNational Vulnerability Database— and that number keeps rising. In 2025 alone, over 40,000 CVEs were disclosed, a 30% increase from the previous year. If your team is still treating every CVE with the same urgency — or worse, ignoring the flood entirely — you are either wasting engineering time on noise or leaving your containerized applications exposed to critical threats. Understanding how CVEs actually work, how vulnerability databases prioritize them, and how to separate real danger from false alarms is the single most important skill a developer or DevOps engineer can learn in 2026.The Common Vulnerabilities and Exposures (CVE) system is the global standard for identifying and cataloging security vulnerabilities, but knowing the CVE ID alone tells you almost nothing. This guide will explain what CVEs really are, how vulnerability databases like NVD and OSV classify and score them, and — most importantly — how you can use this knowledge to protect your Docker containers, Kubernetes clusters, and CI/CD pipelines without burning out your team on alert fatigue. For a broader overview, read ourbeginner's guide to container security.What Is a CVE?CVE stands forCommon Vulnerabilities and Exposures. It is a dictionary-style system that assigns a unique identifier to every publicly known cybersecurity vulnerability. Each CVE entry has a standardized ID format —CVE-2026-12345 — consisting of the CVE prefix, the year of disclosure, and a sequential number. The authoritative source is the National Vulnerability Database (NVD)maintained by NIST.The CVE system is maintained by the MITRE Corporation, a non-profit organization that operates the CVE Program in partnership with over 200 CVE Numbering Authorities (CNAs) worldwide. CNAs include major technology companies like Docker Inc., Google, Microsoft, Red Hat, Canonical, and independent security research firms. When a security researcher or vendor discovers a vulnerability, they request a CVE ID from their regional CNA, which assigns the identifier and publishes a brief description.What a CVE IDdoes notinclude: severity score, exploitability information, affected software versions list, or remediation guidance. A CVE entry is just a reference number and a short description — nothing more. All the actionable information lives in vulnerability databases that build on top of the CVE foundation. Learn how to separate real threats from noise in our guide oncontainer vulnerability triage.How CVEs Are Created: From Discovery to PublicationThe lifecycle of a CVE follows a well-defined path that every developer should understand:Discovery— A security researcher, automated scanner, or internal team finds a vulnerability in software. This could be a buffer overflow in a Docker container image, an authentication bypass in a Kubernetes admission controller, or a dependency vulnerability in a Node.js library.Vendor Notification— The discoverer privately notifies the affected vendor. Under responsible disclosure practices, the vendor gets 90 days to produce a fix before the vulnerability is made public.CVE Assignment— The vendor (as a CNA) or the discoverer requests a CVE ID from MITRE or their regional CNA. The ID is reserved even if the full details are not yet public.Publication— When the fix is released (or the 90-day window expires), the CVE entry is published along with advisory details. At this point, it becomes part of the public CVE List and appears in databases like NVD.Analysis and Scoring— NVD analysts review the CVE, determine affected software versions, assign a CVSS (Common Vulnerability Scoring System) score, and add references. This step can take 1–30 days after publication.This timeline is crucial for understanding why a newly published CVE may initially show a NVD score ofN/A — the analysis phase has not completed yet. Relying on an unscored CVE for prioritization decisions can lead to either overreacting or ignoring a genuinely dangerous vulnerability. CVE vs CVSS vs NVD: Understanding the EcosystemNewcomers to vulnerability management often confuse the CVE system with the databases and scoring systems built on top of it. Here is how they differ:# Quick reference: scanning a container image with Trivy trivy image python:3.12-slim # Example output (truncated): # Total: 47 CVEs (CRITICAL: 2, HIGH: 8, MEDIUM: 21, LOW: 16) # ┌──────────────┬──────────────┬──────────┬──────┬──────────┐ # │ Library │ Vulnerability │ Severity │ EPSS │ Fixed │ # ├──────────────┼──────────────┼──────────┼──────┼──────────┤ # │ openssl-3.0.12│ CVE-2026-1234│ CRITICAL │ 0.98 │ 3.0.13+ │ # │ libcurl-7.88 │ CVE-2026-5678│ HIGH │ 0.12 │ 7.89+ │ # └──────────────┴──────────────┴──────────┴──────┴──────────┘ ComponentRoleWho Maintains ItCVEUnique identifier and short descriptionMITRE CorporationCVSSScoring system (0–10) measuring severityFIRST.orgNVDU.S. government vulnerability database with CVSS scores and CPE namesNISTEPSSExploit prediction score (probability of exploitation)FIRST.orgOSVOpen-source vulnerability database with package-level matchingGoogle (OpenSSF)Think of it this way:CVE is the library catalog cardtelling you a book exists.NVD is the librarythat holds the book with all its details.CVSS is the rating systemtelling you how dangerous the book is.EPSS is the librarian's warningthat someone is actively trying to weaponize the information in that book right now. For a deeper look at the vulnerability lifecycle, see our comprehensive guide to thevulnerability management lifecycle.How Vulnerability Databases Protect Your SoftwareVulnerability databases do far more than just list CVE IDs. They provide the infrastructure that powers every container scanner, dependency checker, and security analysis tool your team uses. Here is how they help protect your software supply chain:Package-to-CVE MappingThe NVD maintains a Common Platform Enumeration (CPE) dictionary that maps software packages, versions, and platforms to CVE IDs. When you runtrivy image on a Docker image, the scanner checks each installed package against the CPE database to find matching CVEs. For example, a Docker image containing openssl-3.0.12 would be matched against a CPE entry like cpe:2.3:a:openssl:openssl:3.0.12 and flagged if any CVEs (such as CVE-2026-1234) affect that version. Severity Scoring (CVSS)The CVSS system evaluates vulnerabilities on three dimensions:Base Score(intrinsic characteristics),Temporal Score(current exploit status and patch availability), andEnvironmental Score(your specific deployment context). As documented in theCVSS specification by FIRST.org, a CVE with a Base CVSS of 9.8 (Critical) but a Temporal Score of 2.0 (no known exploit, patch available) may be less urgent than a CVE with a Base Score of 7.5 (High) but an EPSS probability of 0.95 and an active exploit in the wild. This is why relying solely on CVSS base scores for prioritization is a dangerous simplification. Ourcompliance platformautomates this contextual analysis for you.Automated Scanning IntegrationModern vulnerability databases expose APIs that allow CI/CD pipeline tools to check for new CVEs automatically. TheNVD API 2.0, for instance, lets you query for CVEs by CPE, date range, or CVSS score. Your build pipeline can use this to fail a deployment when a Critical CVE affecting a container image is discovered — but this only works if you configure it correctly. Many teams default to "fail on any Critical CVE" which quickly leads to pipeline paralysis and developer frustration. TheShieldOps AI assistanthelps you configure these thresholds intelligently.# Example: Querying NVD API for CVEs affecting OpenSSL 3.0.x curl -X GET "https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:a:openssl:openssl:3.0.12" | jq '.vulnerabilities[].cve.id' # Output (example): # "CVE-2026-1234" # "CVE-2026-5678" 5 Key Things Every Developer Should Know About CVEsAfter years of working with vulnerability data, security teams have identified five critical insights that separate effective vulnerability management from noise-driven panic:1. Not All CVEs Are Equal — CVSS Is Just One FactorA CVE with a CVSS score of 9.8 sounds terrifying, but if the vulnerability requires local access to exploit, runs only on a specific configuration that you do not use, and has a patch available, your actual risk is near zero. The CVSS base score measuresintrinsicseverity, notcontextualrisk. Always evaluate CVEs in the context of your specific deployment environment.2. CVE Does Not Mean Active ExploitOnly about 2–5% of published CVEs are ever exploited in the wild. The vast majority are discovered by academic researchers, internal audits, or automated fuzzing tools and are patched before any real-world attack occurs. A scanner report showing 200 CVEs in a container image does not mean 200 exploitable attack vectors — it means 200 known issues that need triage. Our article onSBOM-driven risk managementexplains how to operationalize this data.3. EPSS Tells You What Is Actually DangerousThe Exploit Prediction Scoring System (EPSS) uses machine learning to predict the probability that a CVE will be exploited in the next 30 days. EPSS scores range from 0 (near-zero chance) to 1 (almost certain). According to FIRST.org data, CVEs with EPSS scores above 0.9 account for less than 0.1% of all published vulnerabilities but represent over 90% of real-world exploitation events. If you are not using EPSS for triage, you are spending 90% of your triage effort on noise.# Check EPSS score for a specific CVE via FIRST.org API curl -s "https://api.first.org/data/v1/epss?cve=CVE-2026-1234" | jq '.data[0]' # Response: # { # "cve": "CVE-2026-1234", # "epss": "0.97654", # "percentile": "0.99984" # } 4. CVE Age Matters More Than You ThinkA CVE that was published 90 days ago still appears in your Friday afternoon scan results. But after 90 days without exploitation, the probability of future exploitation drops significantly. Conversely, a CVE published two hours ago with a proof-of-concept exploit on GitHub should trigger an immediate response. Vulnerability age is a powerful but often ignored prioritization signal.5. False Positives Are Real — Container Scanners OverreportContainer vulnerability scanners work by matching package versions against the CPE database, but this approach generates false positives. A scanner may flag a CVE affectingopenssl-3.0.12 even if the vulnerable function is never called in your application code path. This is known as reachability analysis— and most scanners do not perform it. Understanding that your scanner's CVE count is an upper bound, not a ground truth, changes how you prioritize fixes. For best practices on building secure container images, seeDocker's official build best practices.# Dockerfile example: vulnerable vs hardened base image # ❌ VULNERABLE — pins to a specific version known to have CVEs FROM python:3.9-slim RUN pip install requests==2.28.0 # contains CVE-2024-1135 # ✅ HARDENED — uses latest patch and scans before deploy FROM python:3.12-slim RUN pip install requests==2.32.3 # patched RUN trivy image --severity CRITICAL,HIGH python:3.12-slim Real-World Impact: When CVE Ignorance Costs MillionsTheLog4Shell vulnerability (CVE-2021-44228)is the most famous CVE of the past decade for good reason. With a CVSS score of 10.0 (Critical) and an EPSS score of 0.97 (near-certain exploitation), it combined maximum severity with immediate, widespread weaponization. The vulnerability allowed unauthenticated remote code execution on any server running Apache Log4j versions 2.0 through 2.14.1.The impact was staggering:Over100 millionattempted exploitation events detected in the first weekEstimated$50+ billionin global remediation costsCloudflare blocked50 billion+Log4Shell attack attemptsMillions of container images pulled from registries contained vulnerable Log4j versionsThe lesson for container teams: CVE-2021-44228 was disclosed on December 9, 2021, and organizations that had automated CVE monitoring with EPSS-based triage were able to identify and patch their at-risk containers within hours. Organizations relying on manual CVE review took weeks — during which their containers were actively being targeted. OurDocker security best practices guidecovers how to prevent similar scenarios.Compliance and Standards: CIS Benchmarks and CVE ManagementThe CIS Docker Benchmark, CIS Kubernetes Benchmark, and standards like PCI DSS v4.0 all require organizations to maintain an inventory of known vulnerabilities and remediate them within defined timeframes. PCI DSS Requirement 6.3, for example, mandates that critical vulnerabilities be patched within 30 days and high-severity vulnerabilities within 60 days. Understanding CVE scoring is essential for meeting these compliance obligations without over-spending on remediation resources.TheCIS Controlsprovide specific guidance on vulnerability management (Control 7: Continuous Vulnerability Management), including requirements for authenticated scanning, prioritization based on exploitability (EPSS), and remediation SLAs tied to CVSS scores. See ourcompliance as code guidefor automated CIS and PCI-DSS enforcement.How ShieldOps Helps You Tame the CVE FloodShieldOps was built specifically to solve the CVE overload problem that every container team faces. Our platform integrates with the NVD API, OSV database, and your CI/CD pipeline to provide:Context-aware CVE triagethat combines CVSS, EPSS, and reachability analysis to tell you which CVEs actually matter in your environmentAutomated Dockerfile and container image scanningthat maps every package to its CPE entry and highlights only exploitable vulnerabilitiesCompliance reportingmapped to CIS Docker Benchmark and PCI DSS requirementsReal-time alertswhen a new CVE with high EPSS score affects any package running in your clusterSee how ShieldOps transforms vulnerability data into actionable security decisions —start your free analysis today. Compare ourpricing plansto find the right tier for your team.Frequently Asked QuestionsWhat is the difference between a CVE and a CWE?CVE identifies specific instances of vulnerabilities (e.g., CVE-2026-1234 in OpenSSL 3.0.12), while CWE (Common Weakness Enumeration) categorizes thetypeof weakness (e.g., CWE-787: Out-of-bounds Write). A single CWE can map to thousands of CVEs. Think of CWE as the disease category and CVE as individual cases.How long does it take for a CVE to get a CVSS score?NVD analysts typically assign CVSS scores within 1–30 days of a CVE's publication. During this gap, the CVE shows a CVSS ofN/A. You can use third-party sources like the VulnCheck or NVD's own severity estimates during this period, but they are less reliable than the official CVSS vector. Should I patch every CVE my scanner reports?No. Patching every CVE is neither practical nor necessary. Prioritize based on a combination of CVSS score, EPSS probability, reachability in your application code, and whether the affected component is exposed to untrusted network traffic. A risk-based approach typically reduces the "must patch" list by 70–80% compared to a blanket policy. Read more in ourvulnerability triage guide.What is a CNA and why does it matter?A CVE Numbering Authority (CNA) is an organization authorized by MITRE to assign CVE IDs within a specific scope. Docker Inc. is a CNA for Docker-related products, Red Hat covers Linux distributions, and Google covers Android and Chrome. Knowing which CNA covers your software stack helps you track vulnerability disclosures efficiently and understand which vendor advisories to trust.How can I automate CVE monitoring for my containers?Use the NVD API 2.0 to poll for new CVEs matching your software stack, combined with EPSS API scores for prioritization. Integrate this data into your CI/CD pipeline with tools like Trivy, Grype, or ShieldOps, and configure automated alerts for CVEs exceeding your risk threshold (e.g., CVSS ≥ 7.0 AND EPSS ≥ 0.2 AND exploitable in your environment). TheShieldOps AI assistantcan guide you through the setup process.What is the difference between NVD and OSV?The NVD is the U.S. government's comprehensive database covering all known CVEs with CVSS scoring and CPE mappings. OSV (Open Source Vulnerabilities) is a Google-led, OpenSSF-hosted database focused specifically on open-source packages, using the precise package URL (PURL) format for matching. OSV tends to have faster updates for open-source vulnerabilities but covers fewer proprietary or embedded software CVEs.ConclusionUnderstanding CVEs is not about memorizing identifiers — it is about learning how the vulnerability ecosystem works so you can make smarter prioritization decisions. The CVE system provides the foundation, but NVD, CVSS, EPSS, and OSV are the layers that turn raw vulnerability data into actionable security intelligence.For container teams managing Docker images and Kubernetes clusters, the key takeaway is this:stop treating every CVE as an emergency. Start treating every CVE as data to be analyzed.Use CVSS for severity, EPSS for exploit likelihood, reachability analysis for actual risk, and a tool like ShieldOps to bring all these signals together in one place.Your containers deserve better than a spreadsheet of CVE IDs.Get started with ShieldOps for freeand see how context-aware vulnerability triage changes your team's security posture.#CVE#vulnerability-database#CVSS#EPSS#container-securityReady to apply these concepts?Analyze your Dockerfile and find security vulnerabilities in seconds.Analyze Your Dockerfile NowRelated PostsWhat Is Container Security? A Beginner's Guide to Docker Safety2026-07-15Your takeRate this article or leave a commentShare Submit commentHave more questions? Check ourFAQ