NVTs vs CVEs


What is the difference between NVTs and CVEs ? Which are the best to use ?



looks like you got some things mixed up. NVTs and CVEs are quite different.

A CVE is a reference number for a specific vulnerability. Any (legit) vulnerability can be reported and might get a CVE assigned to it, in order to have a standardized reference to it.
The official site summarizes it even better:

CVE® is a list of entries—each containing an identification number, a
description, and at least one public reference—for publicly known cybersecurity vulnerabilities.

An NVT (network vulnerability test) is a script that is being executed towards a targeted system and does vulnerability checks (remotely or locally), which also includes vulnerabilities that have got a CVE assigned to it.
However, there are also NVTs without a referenced CVE.

Now, what do you mean by “which are best to use”? For what?




Thanks for your reply.

When you create a task, you can choose betwwen Openvas Default and CVE.

But now I understand better, thank you.

Please read here:

It´s already explained in a other posting.

1 Like


So the CVEs are included in NVTs, but in my GSA, I have more CVEs than NVTs. How is that possible?

Thank you.

First please read the results, the CVE scanner is using your discovered assets and scans on the CPEs within the database.
Second one VT can detect many CVEs so there is no 1:1 match VT:CVE.