eastbaycyber

What Is CVSS?

Glossary 5 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

CVSS, or the Common Vulnerability Scoring System, is a standardized way to rate the severity of software vulnerabilities. Security teams use CVSS scores to compare issues on a common scale, usually from 0.0 to 10.0, based on exploitability and impact.

CVSS is useful for triage and reporting, but it does not automatically tell you how risky a vulnerability is in your specific environment. It measures severity, not full business risk.

CVSS definition

The purpose of CVSS is to give vendors, defenders, and asset owners a shared language for describing how serious a vulnerability is.

A CVSS score is usually presented as:

  • a numeric value, such as 7.5 or 9.8
  • a severity label, such as Low, Medium, High, or Critical

That consistency helps when you are reviewing scanner results, vendor advisories, and remediation priorities across many systems.

How CVSS works

CVSS assigns a score by evaluating a vulnerability against defined metrics. At a practical level, it tries to answer two questions:

  • How easy is this vulnerability to exploit?
  • What is the potential impact if exploitation succeeds?

The three main CVSS metric groups

CVSS is commonly divided into three metric groups:

  • Base metrics
  • Temporal metrics
  • Environmental metrics

In everyday security operations, the base score is the one you will see most often.

Base metrics

Base metrics describe the inherent characteristics of the vulnerability itself. These are intended to remain relatively stable over time and across environments.

Factors in the base score include:

  • Attack vector: Can it be exploited over the network, locally, or only with physical access?
  • Attack complexity: Is exploitation straightforward or does it require unusual conditions?
  • Privileges required: Does the attacker need an account or elevated access first?
  • User interaction: Must a user click, open, or approve something?
  • Scope: Does exploitation affect only the vulnerable component, or can it impact other security boundaries?
  • Impact: What is the potential damage to confidentiality, integrity, and availability?

A remotely exploitable flaw with low complexity and high impact will generally receive a higher score than one that requires local access and special conditions.

Temporal metrics

Temporal metrics reflect things that can change over time, such as:

  • whether public exploit code exists
  • whether a fix or workaround is available
  • confidence in the published technical details

These metrics can refine a score, but many teams do not use them consistently in day-to-day reporting.

Environmental metrics

Environmental metrics adjust the score for your environment.

For example:

  • Is the vulnerable asset internet-facing?
  • Is it a critical production system?
  • Does it handle sensitive data?
  • Are compensating controls in place?
  • Would exploitation have severe operational impact?

This is where CVSS becomes more useful operationally. The same vulnerability can matter very differently depending on where it exists and what it can reach.

CVSS severity ratings

CVSS scores are commonly grouped into severity bands:

  • None: 0.0
  • Low: 0.1–3.9
  • Medium: 4.0–6.9
  • High: 7.0–8.9
  • Critical: 9.0–10.0

These ratings are useful for sorting and dashboards, but they are still only a starting point. A Critical score on an isolated test system may matter less than a High score on an exposed production asset under active attack.

For more on how severity and exploitability fit into security decisions, see what is threat intelligence.

What CVSS does well

CVSS is valuable because it gives teams:

  • a standard method for rating severity
  • a common language across vendors and tools
  • a repeatable way to compare vulnerabilities
  • a baseline for vulnerability management workflows

Without a framework like CVSS, every scanner and software vendor might describe the same issue differently.

What CVSS does not tell you

CVSS does not automatically account for:

  • whether the asset is exposed to attackers
  • whether the flaw is actively exploited in the wild
  • whether exploit chains make it more dangerous
  • how important the affected system is to your business
  • whether compensating controls reduce exposure
  • whether patching it creates operational risk

This is why mature security programs treat CVSS as a severity signal, not as the only patching priority.

When you’ll encounter CVSS

You will see CVSS in most vulnerability management workflows.

Vulnerability scanner results

Most scanners use CVSS to label findings as Low, Medium, High, or Critical. For many teams, it is the first severity indicator they see after a scan finishes.

Vendor advisories

Software vendors commonly publish CVSS scores alongside vulnerability disclosures so customers can quickly assess technical severity.

Patch prioritization

IT and security teams often use CVSS during patch planning. In better programs, they also consider exploit activity, asset criticality, internet exposure, and available mitigations.

Compliance and reporting

CVSS frequently appears in dashboards, remediation SLAs, audit evidence, and executive reporting because it is consistent and easy to communicate.

Risk reviews

Security teams revisit CVSS during active threat periods. If a vulnerability has a high CVSS score and is being exploited in the wild, urgency rises sharply. If it has a high score but affects only isolated internal systems, the response may differ.

CVSS vs. risk

This is the distinction that causes the most confusion:

  • CVSS measures severity
  • Risk includes severity plus context

A high CVSS vulnerability is not automatically your top priority. Real prioritization depends on questions like:

  • Is the asset exposed?
  • Is the flaw being exploited right now?
  • Does the system hold sensitive data?
  • Can an attacker chain this issue with others?
  • Do current controls reduce the likelihood of abuse?

If you want a broader view of how organizations prioritize weaknesses, read what is a penetration test.

Final takeaway

CVSS is a standard framework for scoring vulnerability severity. It is useful for triage, reporting, and consistency across tools and vendors, but it is not a complete measure of business risk.

The best way to use CVSS is as one input among others, including exploit activity, asset importance, exposure, and operational context.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.