CISOOnline

Why some security fixes never reach your vulnerability dashboard

Notice what the CVE actually does, though. It doesn’t tell anyone to patch a flaw. The flaw was a 90-minute window in which a publishing pipeline was compromised, and that window has closed. The CVE is a retroactive notification. In practice it means: if you ran npm install during that window, treat your developer credentials as exposed. That’s incident response, not vulnerability tracking.

This is the system functioning by 2026 standards. That’s a long way from what CVE was built to do.

The drift

CVE launched in 1999 as a vulnerability identifier. The original definition was tight: a flaw in a system that violates a security policy, with a fix that defenders can apply against a known version range. Heartbleed in OpenSSL 1.0.1f. The deserialization flaws in Apache Struts. Patch the version, scan to verify, dashboard turns green.

MITRE and CNAs began stretching the framework almost immediately. The SolarWinds incident of 2020 got CVE-2020-10148, but the “vulnerability” was a backdoor inserted into a signed update, not a code flaw the maintainer wrote. node-ipc/peacenotwar in 2022 got CVE-2022-23812 for protestware that wiped files based on geolocation. The fix in both cases was “remove the bad version,” not a patch to a defective component. The identifier still worked, but it was no longer doing the job it was designed for.
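The two remediation shapes described above, a version range fixed by upgrading versus a specific compromised release fixed by removing it, are easy to conflate in a scanner that only knows "installed version is in affected range". The following script is an added example, not code from the article or from any real scanner: it reads a package-lock.json (a constructed one is embedded inline), matches it against two constructed advisories with placeholder IDs, and reports a different action for each kind. Package names, versions and advisory IDs are all made up for the illustration.

```python
import json
from typing import Dict, List, Tuple

# Constructed advisories (placeholder IDs, not real CVEs). "range" is the classic
# code-flaw shape: every version from introduced up to (not including) fixed is
# affected and the fix is to upgrade. "exact" is the compromised-release shape:
# only the listed versions are bad, neighbours are fine, and the fix is removal.
ADVISORIES: List[dict] = [
    {"id": "ADV-RANGE-0001", "package": "example-parser", "kind": "range",
     "introduced": "2.0.0", "fixed": "2.4.1"},
    {"id": "ADV-EXACT-0002", "package": "example-ipc", "kind": "exact",
     "bad_versions": ["3.2.0", "3.2.1"]},
]

# Constructed lockfileVersion 3 package-lock.json for a hypothetical app.
LOCKFILE: str = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-parser": {"version": "2.3.0"},
        "node_modules/example-ipc": {"version": "3.2.1"},
        "node_modules/left-alone": {"version": "1.0.0"},
    },
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse the numeric core of a semver string ('2.4.1-beta+7' -> (2, 4, 1))."""
    core = version.split("+", 1)[0].split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def installed_packages(lock_text: str) -> Dict[str, str]:
    """Map package name -> installed version from a lockfileVersion 2/3 package-lock.json."""
    lock = json.loads(lock_text)
    found: Dict[str, str] = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # the root project itself, not a dependency
            continue
        # Nested installs look like node_modules/a/node_modules/b; keep the last segment.
        name = path.rsplit("node_modules/", 1)[-1]
        found[name] = entry["version"]
    return found


def evaluate(lock_text: str, advisories: List[dict]) -> List[dict]:
    """Return one finding per matching advisory, with the remediation each kind implies."""
    installed = installed_packages(lock_text)
    findings: List[dict] = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is None:
            continue
        if adv["kind"] == "range":
            # Affected if introduced <= installed < fixed; remediation is an upgrade.
            lo, hi, cur = (parse_version(adv["introduced"]),
                           parse_version(adv["fixed"]), parse_version(version))
            if lo <= cur < hi:
                findings.append({"id": adv["id"], "package": adv["package"],
                                 "version": version,
                                 "action": f"upgrade to >= {adv['fixed']}"})
        elif adv["kind"] == "exact":
            # Only the listed releases are bad; having installed one is an incident.
            if version in adv["bad_versions"]:
                findings.append({"id": adv["id"], "package": adv["package"],
                                 "version": version,
                                 "action": f"remove {adv['package']}@{version}; "
                                           "treat install as an incident"})
    return sorted(findings, key=lambda f: f["package"])


def with_version(lock_text: str, package: str, version: str) -> str:
    """Copy of the lockfile with one package pinned to another version, for what-if checks."""
    lock = json.loads(lock_text)
    lock["packages"][f"node_modules/{package}"]["version"] = version
    return json.dumps(lock)


if __name__ == "__main__":
    for finding in evaluate(LOCKFILE, ADVISORIES):
        print(f"{finding['id']}: {finding['package']}@{finding['version']} -> {finding['action']}")
```

The point of the split is visible in the what-if check: bumping example-ipc from 3.2.1 to 3.2.2 clears the "exact" finding entirely, while the "range" finding on example-parser persists until the installed version reaches 2.4.1. A dashboard that treats both as range-based flaws would either miss the compromised release or flag versions that were never bad.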
