CVE is a standardized identifier for known vulnerabilities. Each has a unique ID (CVE-YEAR-NUMBER) and CVSS score. CVSS ranges: 0-3.9 Low, 4-6.9 Medium, 7-8.9 High, 9-10 Critical.
CVSS alone is insufficient for prioritization — a Critical on an internal dev server is lower priority than a High on an internet-facing payment server. CISA KEV catalog = actively exploited = patch immediately regardless of CVSS score.