CPE (Common Platform Enumeration)
CPE is the structured identifier scheme for affected products in NVD — vendor:product:version triples that scanners use to match installed software against CVE applicability.
Definition
Common Platform Enumeration (CPE) is the structured naming scheme NVD uses to identify the software and hardware products affected by a CVE. A CPE 2.3 identifier is a 13-field colon-delimited string: `cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*` for Apache Log4j 2.14.1. After the `cpe` prefix and the `2.3` format version, the fields cover part (application, OS, hardware), vendor, product, version, update, edition, language, software edition, target software, target hardware, and other.
CPE drives the "is my system affected?" matching step in vulnerability scanners. A scanner inventories installed software, computes a CPE string for each item, and queries NVD's API for CVEs whose `cpeMatch` array overlaps that inventory. The mapping is imperfect — NVD's analysts curate CPE assignments and the corpus is famously incomplete for non-mainstream software — but it remains the de facto standard.
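The matching step described above, as an added example that is not code from this page or from NVD: it parses a 13-field CPE 2.3 string and tests it against one `cpeMatch` entry, including version-range bounds. The entry keys (`criteria`, `vulnerable`, `versionStartIncluding`, `versionEndExcluding`, and their siblings) follow the NVD API 2.0 match format; the sample entry and its range are constructed, and version comparison is simplified to numeric dotted versions.

```python
import re

ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 attributes."""
    # Split only on colons not preceded by a backslash (e.g. "foo\:bar").
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a 13-field CPE 2.3 string: {cpe!r}")
    return dict(zip(ATTRS, fields[2:]))

def vkey(version):
    """Simplified assumption: versions are numeric and dot-separated."""
    return tuple(int(p) for p in version.split("."))

def attr_matches(criteria_val, installed_val):
    # "*" (ANY) in the criteria matches every installed value.
    return criteria_val == "*" or criteria_val.lower() == installed_val.lower()

def is_affected(installed_cpe, cpe_match):
    """True if installed_cpe falls under one vulnerable cpeMatch entry."""
    inst = parse_cpe23(installed_cpe)
    crit = parse_cpe23(cpe_match["criteria"])
    if not cpe_match.get("vulnerable") or not all(
            attr_matches(crit[a], inst[a]) for a in ATTRS):
        return False
    v = vkey(inst["version"])
    # Range bounds narrow a wildcard version in the criteria string.
    checks = (("versionStartIncluding", lambda b: v >= b),
              ("versionStartExcluding", lambda b: v > b),
              ("versionEndIncluding", lambda b: v <= b),
              ("versionEndExcluding", lambda b: v < b))
    return all(ok(vkey(cpe_match[k])) for k, ok in checks if k in cpe_match)

# Constructed sample entry for illustration, not a real NVD record.
SAMPLE_MATCHES = [
    {"vulnerable": True,
     "criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "2.0", "versionEndExcluding": "2.15.0"},
]

def affected(installed_cpe, matches=SAMPLE_MATCHES):
    return any(is_affected(installed_cpe, m) for m in matches)

if __name__ == "__main__":
    for ver in ("2.14.1", "2.17.0"):
        print(ver, affected(f"cpe:2.3:a:apache:log4j:{ver}:*:*:*:*:*:*:*"))
```

A production matcher also needs the CPE handling for `-` (NA) values and non-numeric versions such as pre-release suffixes, which this simplified comparison rejects with a `ValueError`.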
Mitigation
Not applicable.