What is CVSS — the severity score and how it's actually scored
CVSS rates a vulnerability's severity 0.0–10.0, computed from defined metrics (attack vector, privileges, CIA impact) via a public formula — not a guess. The scoring rubric, the vector string, what makes a 10.0, and v3.1 vs v4.0.
"CVSS 10.0", "a CVSS 9.8 RCE" — the numbers in every vulnerability headline. They aren't made up: they come from a defined set of metrics and a formula. Here's how to read them, from zero.
First, the score guide
| Score | Rank | Feel |
|---|---|---|
| 9.0 – 10.0 | Critical | Act now; often takeover-class |
| 7.0 – 8.9 | High | Address soon |
| 4.0 – 6.9 | Medium | Plan it in |
| 0.1 – 3.9 | Low | Keep an eye on it |
If a CVE is the name of a vulnerability, CVSS is its severity score. "A CVSS 10.0 RCE" means a top-rated remote code execution — worst class.
There really is a rubric
A CVSS score is built from three metric groups. What gets published as "CVE-XXXX is 9.8" is almost always the Base score.
- Base: the vulnerability itself. This is the published value.
- Threat: adjusted over time by exploit availability (called Temporal in v3.1).
- Environmental: recomputed for your own setup and priorities.
The Base score is, roughly, "① how easy to exploit" × "② how big the impact". The next two tables are those metrics.
① Exploitability (how easily it can be attacked)
| Metric | Values | Worst-case (raises score) |
|---|---|---|
| Attack Vector (AV) | Network / Adjacent / Local / Physical | Network (over the internet) is most dangerous |
| Attack Complexity (AC) | Low / High | Low (no special conditions) is dangerous |
| Privileges Required (PR) | None / Low / High | None (no login needed) is dangerous |
| User Interaction (UI) | None / Required | None (victim does nothing) is dangerous |
② Impact (what happens if it succeeds)
CIA = the three pillars of security: Confidentiality, Integrity, Availability.
| Metric | Values | "High" means |
|---|---|---|
| Scope (S) | Unchanged / Changed | Changed = the breach crosses its original privilege boundary |
| Confidentiality (C) | High / Low / None | data can be read wholesale |
| Integrity (I) | High / Low / None | data can be freely altered |
| Availability (A) | High / Low / None | the service can be fully stopped |
'Scope: Changed' is what pushes the score up
For example, damage confined inside a container (Unchanged) versus spreading from there to the host or other services (Changed). Whether it "crosses the box" moves the score a lot for otherwise-identical conditions.
The vector string: the score's "recipe" in one line
Every CVSS score comes with a vector string — a record of which metrics were chosen, i.e. the reason for the number.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H → 10.0 (Critical)
Broken down, everything is set to "most dangerous":
| Segment | Meaning | This example |
|---|---|---|
| AV:N | Attack Vector = Network | hit over the internet |
| AC:L | Attack Complexity = Low | easy to land |
| PR:N | Privileges Required = None | no auth |
| UI:N | User Interaction = None | no victim action |
| S:C | Scope = Changed | crosses the boundary |
| C:H / I:H / A:H | CIA = all High | read, written, and stopped |
What separates a 10.0 from a 9.8
Make Scope "Unchanged" (S:U) in that example and the same conditions score 9.8. Whether it crosses the boundary (S:C) is what reaches the maximum 10.0. So 9.8 vs 10.0 = "both worst-class, but the blast radius differs by one notch".
v3.1 vs v4.0: both are in circulation now
The current version is v4.0 (2023), but most CVEs are still scored with v3.1 (2019), so the two coexist for now.
| | CVSS v3.1 | CVSS v4.0 |
|---|---|---|
| Released | 2019 | 2023 |
| Notation | score + vector | CVSS-B / BT / BE / BTE, purpose explicit |
| User Interaction | None / Required (2) | None / Passive / Active (3) |
| Scope | Scope(S), one metric | splits "vulnerable system" and "subsequent system" impact |
| Extras | none | adds supplemental metrics (automatable, recovery, safety…) |
Don't be ruled by the score alone
The rubric makes CVSS powerful. But the Base score is a worst-case theoretical value. In practice, weigh it against two further factors.
Check whether it's being exploited (KEV)
Vulnerabilities observed under real attack (KEV — Known Exploited Vulnerabilities) are top priority regardless of score. "Being shot at now" outweighs the theoretical number.
Check whether you use the affected feature
A CVSS 10.0 has small real impact if you don't use the component; a mid-score is top priority if you hit it in production. Judge by the version actually running.
A published CVSS 10.0 dismissed as "not my problem" led to a fraud-billing incident. A score is never a reason to neglect. (See also: The neglected CVSS 10.0.)
Read next
- Glossary: What is a CVE · What is RCE
- Defense: Bake CVE/CVSS into your workflow
FAQ
Q: Does CVSS have a real scoring rubric, or is it a guess?
It has a defined rubric. You select metrics — attack vector (AV), attack complexity (AC), privileges required (PR), user interaction (UI), scope (S), and confidentiality/integrity/availability (CIA) — and run them through a public formula to get 0.0–10.0. It's designed to be reproducible: the same inputs give the same score.
Q: Who assigns the score?
The standard is maintained by FIRST. Individual CVE scores are assigned by NVD (NIST) or vendors following the rubric. The same vulnerability can be scored slightly differently by different assessors.
Q: From what score is it dangerous?
As a guide: 9.0–10.0 Critical, 7.0–8.9 High, 4.0–6.9 Medium, 0.1–3.9 Low. But the score is a worst-case theoretical value — also check whether it actually applies to your setup.
Q: Should a high CVSS always be fixed first?
Usually yes, but more important is whether it's actively exploited (KEV) and whether you use the affected feature. A 10.0 you don't use may be zero impact; a mid-score under active exploitation is top priority.