Skip to main content

Common Vulnerability Scoring System (CVSS)

CVSS rates vulnerability severity from 0 to 10 using standardized metrics, helping teams prioritize which flaws to fix first.

The Common Vulnerability Scoring System (CVSS) is an open framework for rating how severe a security vulnerability is. It produces a score from 0.0 to 10.0, where higher means more severe, along with a vector string that records how the score was derived.

How It Works

CVSS organizes metrics into groups. The Base metrics capture intrinsic characteristics that do not change over time, such as the attack vector (network, local, physical), attack complexity, privileges required, user interaction, and the impact on confidentiality, integrity, and availability. Temporal metrics adjust for factors like exploit maturity and patch availability. Environmental metrics let an organization tailor the score to its own context and asset importance.

The base score maps to qualitative ratings: 0.0 none, 0.1-3.9 low, 4.0-6.9 medium, 7.0-8.9 high, and 9.0-10.0 critical. CVSS v3.1 is widely used, and CVSS v4.0 refines the metrics for greater accuracy. Each CVE in the National Vulnerability Database typically carries a CVSS base score.

Why It Matters

Organizations face far more vulnerabilities than they can fix at once, so they must prioritize. CVSS provides a consistent, vendor-neutral way to compare severity and focus on the most dangerous issues first.

However, CVSS measures technical severity, not actual risk. A critical-scored flaw in an unreachable internal tool may matter less than a medium-scored flaw on an internet-facing system. Mature programs combine CVSS with context such as exploitability data (for example, CISA's Known Exploited Vulnerabilities catalog or EPSS) and asset value.

Related Terms

CVSS scores the vulnerabilities cataloged as CVEs, informs prioritization in SBOM-driven and supply-chain-security workflows, and supports threat modeling.