What Is CVSS?
Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
CVSS, or the Common Vulnerability Scoring System, is a standardized way to rate the severity of software vulnerabilities. Security teams use CVSS scores to compare issues on a common scale, usually from 0.0 to 10.0, based on exploitability and impact.
CVSS is useful for triage and reporting, but it does not automatically tell you how risky a vulnerability is in your specific environment. It measures severity, not full business risk.
CVSS definition
The purpose of CVSS is to give vendors, defenders, and asset owners a shared language for describing how serious a vulnerability is.
A CVSS score is usually presented as:
- a numeric value, such as
7.5or9.8 - a severity label, such as Low, Medium, High, or Critical
That consistency helps when you are reviewing scanner results, vendor advisories, and remediation priorities across many systems.
How CVSS works
CVSS assigns a score by evaluating a vulnerability against defined metrics. At a practical level, it tries to answer two questions:
- How easy is this vulnerability to exploit?
- What is the potential impact if exploitation succeeds?
The three main CVSS metric groups
CVSS is commonly divided into three metric groups:
- Base metrics
- Temporal metrics
- Environmental metrics
In everyday security operations, the base score is the one you will see most often.
Base metrics
Base metrics describe the inherent characteristics of the vulnerability itself. These are intended to remain relatively stable over time and across environments.
Factors in the base score include:
- Attack vector: Can it be exploited over the network, locally, or only with physical access?
- Attack complexity: Is exploitation straightforward or does it require unusual conditions?
- Privileges required: Does the attacker need an account or elevated access first?
- User interaction: Must a user click, open, or approve something?
- Scope: Does exploitation affect only the vulnerable component, or can it impact other security boundaries?
- Impact: What is the potential damage to confidentiality, integrity, and availability?
A remotely exploitable flaw with low complexity and high impact will generally receive a higher score than one that requires local access and special conditions.
Temporal metrics
Temporal metrics reflect things that can change over time, such as:
- whether public exploit code exists
- whether a fix or workaround is available
- confidence in the published technical details
These metrics can refine a score, but many teams do not use them consistently in day-to-day reporting.
Environmental metrics
Environmental metrics adjust the score for your environment.
For example:
- Is the vulnerable asset internet-facing?
- Is it a critical production system?
- Does it handle sensitive data?
- Are compensating controls in place?
- Would exploitation have severe operational impact?
This is where CVSS becomes more useful operationally. The same vulnerability can matter very differently depending on where it exists and what it can reach.
CVSS severity ratings
CVSS scores are commonly grouped into severity bands:
- None:
0.0 - Low:
0.1–3.9 - Medium:
4.0–6.9 - High:
7.0–8.9 - Critical:
9.0–10.0
These ratings are useful for sorting and dashboards, but they are still only a starting point. A Critical score on an isolated test system may matter less than a High score on an exposed production asset under active attack.
For more on how severity and exploitability fit into security decisions, see what is threat intelligence.
What CVSS does well
CVSS is valuable because it gives teams:
- a standard method for rating severity
- a common language across vendors and tools
- a repeatable way to compare vulnerabilities
- a baseline for vulnerability management workflows
Without a framework like CVSS, every scanner and software vendor might describe the same issue differently.
What CVSS does not tell you
CVSS does not automatically account for:
- whether the asset is exposed to attackers
- whether the flaw is actively exploited in the wild
- whether exploit chains make it more dangerous
- how important the affected system is to your business
- whether compensating controls reduce exposure
- whether patching it creates operational risk
This is why mature security programs treat CVSS as a severity signal, not as the only patching priority.
When you’ll encounter CVSS
You will see CVSS in most vulnerability management workflows.
Vulnerability scanner results
Most scanners use CVSS to label findings as Low, Medium, High, or Critical. For many teams, it is the first severity indicator they see after a scan finishes.
Vendor advisories
Software vendors commonly publish CVSS scores alongside vulnerability disclosures so customers can quickly assess technical severity.
Patch prioritization
IT and security teams often use CVSS during patch planning. In better programs, they also consider exploit activity, asset criticality, internet exposure, and available mitigations.
Compliance and reporting
CVSS frequently appears in dashboards, remediation SLAs, audit evidence, and executive reporting because it is consistent and easy to communicate.
Risk reviews
Security teams revisit CVSS during active threat periods. If a vulnerability has a high CVSS score and is being exploited in the wild, urgency rises sharply. If it has a high score but affects only isolated internal systems, the response may differ.
CVSS vs. risk
This is the distinction that causes the most confusion:
- CVSS measures severity
- Risk includes severity plus context
A high CVSS vulnerability is not automatically your top priority. Real prioritization depends on questions like:
- Is the asset exposed?
- Is the flaw being exploited right now?
- Does the system hold sensitive data?
- Can an attacker chain this issue with others?
- Do current controls reduce the likelihood of abuse?
If you want a broader view of how organizations prioritize weaknesses, read what is a penetration test.
Final takeaway
CVSS is a standard framework for scoring vulnerability severity. It is useful for triage, reporting, and consistency across tools and vendors, but it is not a complete measure of business risk.
The best way to use CVSS is as one input among others, including exploit activity, asset importance, exposure, and operational context.