What is CVSS?

CVSS (Common Vulnerability Scoring System) is a standardised framework for rating the severity of security vulnerabilities on a scale from 0.0 to 10.0. Maintained by FIRST (Forum of Incident Response and Security Teams), CVSS provides a consistent method for assessing and communicating vulnerability severity across organisations and tools. The current version, CVSS v4.0, was published in 2023; v3.1 scores remain the most common in vulnerability databases and scanner output, so both are encountered in practice.

CVSS severity levels

The qualitative severity rating scale (CVSS v3.x and v4.0; v2 used only Low, Medium and High):

Score        Severity
9.0 - 10.0   Critical
7.0 - 8.9    High
4.0 - 6.9    Medium
0.1 - 3.9    Low
0.0          None

Key metrics

CVSS v3.1 base scores are calculated from eight metrics. Four exploitability metrics describe how the flaw is reached: Attack Vector (Network, Adjacent, Local, Physical), Attack Complexity (Low, High), Privileges Required (None, Low, High) and User Interaction (None, Required). Scope (Unchanged, Changed) records whether a successful exploit affects resources beyond the vulnerable component. Three impact metrics rate the effect on Confidentiality, Integrity and Availability (High, Low, None). The metrics are published as a vector string alongside the score, for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which yields 9.8. CVSS v4.0 keeps the same basic shape but replaces Scope with an Attack Requirements metric and scores impact on the vulnerable system and on subsequent systems separately. The base score reflects only the intrinsic characteristics of the flaw; the Temporal (v4.0: Threat) and Environmental metric groups exist to adjust it for exploit maturity and the deployment in question, but most published scores are base scores only.

Limitations

CVSS base scores measure the theoretical severity of a flaw, not the real-world risk it poses to a given organisation: the score says nothing about whether an exploit exists or how the affected system is deployed. A Critical CVE (9.8) on an isolated test server may pose less actual risk than a High CVE (7.5) on a production, internet-facing API. Effective prioritisation therefore combines CVSS with exploit availability, asset exposure, and business context. Two complementary data sources are widely used: CISA's Known Exploited Vulnerabilities (KEV) catalogue, which lists CVEs with confirmed exploitation in the wild, and EPSS (Exploit Prediction Scoring System), also maintained by FIRST, which estimates the probability that a CVE will be exploited in the next 30 days.
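The following added example shows one way to turn that advice into a remediation order. It is illustrative code written for this page, not a published standard or any vendor's prioritisation algorithm: the exposure weights, the EPSS floor, the P1/P2 thresholds and the three sample findings are all assumptions, and the finding labels are constructed placeholders rather than real CVE identifiers.

```python
"""Risk-based prioritisation of findings (added example, not from the page).

Combines the CVSS base score with the three signals the text names:
CISA KEV membership, EPSS probability and asset exposure.  All thresholds
and weights below are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Assumed policy knobs; tune these to your own environment.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5, "isolated": 0.1}
EPSS_FLOOR = 0.01   # keeps CVSS meaningful even when EPSS is near zero
P1_RISK = 2.0       # risk score at or above which a non-KEV finding is still P1
P2_RISK = 0.5


@dataclass(frozen=True)
class Finding:
    ref: str          # constructed label, not a real CVE identifier
    asset: str
    cvss: float       # CVSS base score, 0.0-10.0
    epss: float       # EPSS probability of exploitation within 30 days (0.0-1.0)
    in_kev: bool      # listed in CISA's Known Exploited Vulnerabilities catalogue
    exposure: str     # one of EXPOSURE_WEIGHT


def reachable_kev(f: Finding) -> bool:
    """KEV means confirmed in-the-wild exploitation; it outranks any score unless
    the asset cannot be reached at all."""
    return f.in_kev and f.exposure != "isolated"


def risk_score(f: Finding) -> float:
    """Severity x likelihood x reachability.  This is a local triage heuristic,
    not a CVSS Environmental score."""
    return round(f.cvss * max(f.epss, EPSS_FLOOR) * EXPOSURE_WEIGHT[f.exposure], 3)


def tier(f: Finding) -> str:
    """Map a finding to a remediation tier under the assumed policy."""
    if reachable_kev(f):
        return "P1"
    r = risk_score(f)
    if r >= P1_RISK:
        return "P1"
    if r >= P2_RISK or (f.cvss >= 9.0 and f.exposure == "internet"):
        return "P2"
    return "P3"


def prioritise(findings):
    """Order findings for remediation: reachable KEV first, then risk score,
    then raw CVSS as the tie-breaker."""
    return sorted(
        findings,
        key=lambda f: (reachable_kev(f), risk_score(f), f.cvss),
        reverse=True,
    )


# Constructed sample findings mirroring the scenario in the text above.
SAMPLE = [
    Finding("F1", "isolated test server", cvss=9.8, epss=0.02, in_kev=False, exposure="isolated"),
    Finding("F2", "production API", cvss=7.5, epss=0.60, in_kev=True, exposure="internet"),
    Finding("F3", "internal file server", cvss=9.1, epss=0.30, in_kev=False, exposure="internal"),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{tier(f)} risk={risk_score(f):6.3f} cvss={f.cvss} {f.ref} ({f.asset})")
```

Run as written, the 7.5 on the production API comes out first because it is in KEV and reachable, the 9.1 internal finding second, and the 9.8 on the isolated test server last, which is the ordering the paragraph argues for. The point of the example is the structure (an exploitation-evidence override, then a reachability-weighted likelihood, with CVSS only as a tie-breaker), not the specific numbers.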