CVSS metric groups: Base, Temporal, and Environmental
Last reviewed June 2, 2026
CVSS organizes its inputs into three metric groups. Base metrics capture a vulnerability's intrinsic, unchanging characteristics and produce the headline score. Temporal metrics (renamed Threat in v4.0) adjust for factors that change over time, like exploit maturity. Environmental metrics tailor the score to your specific deployment.
Base metrics: the intrinsic score
Base metrics describe qualities of the vulnerability that do not change over time or across environments. They are the only required group and produce the Base score most people cite. The Base group covers exploitability factors (Attack Vector, Attack Complexity, Privileges Required, User Interaction) and impact factors (Confidentiality, Integrity, Availability), plus Scope in v3.x.
- Exploitability: how reachable and how hard the flaw is to attack.
- Impact: the damage to confidentiality, integrity, and availability.
- Scope (v3.x): whether the impact crosses a security boundary.
Temporal and Threat metrics: change over time
Temporal metrics reflect characteristics that evolve after disclosure but are the same for everyone. In v3.x these are Exploit Code Maturity, Remediation Level, and Report Confidence. CVSS v4.0 simplified this group, renamed it Threat, and reduced it to a single Exploit Maturity metric.
Applying Temporal or Threat metrics can only lower or hold the Base score, reflecting that a freshly disclosed flaw with no known exploit is less pressing than one with weaponized exploit code.
Environmental metrics: your deployment
Environmental metrics let an organization re-score a vulnerability for its own context. You can raise or lower the importance of confidentiality, integrity, and availability based on the asset (the Security Requirements metrics), and you can override Base metric values to reflect compensating controls in your environment.
Two organizations can therefore arrive at different final scores for the same flaw, which is intended: a database holding regulated data may weight confidentiality far higher than a public marketing site.
How the groups combine
Most published scores, including those in the National Vulnerability Database, are Base-only because vendors cannot know your environment. The full value of CVSS comes when you layer Temporal/Threat and Environmental metrics on top to reach a score that reflects your real exposure.
| Group | Answers | Changes with |
|---|---|---|
| Base | How severe is the flaw intrinsically? | Never (fixed) |
| Temporal / Threat | Is it being exploited yet? | Time |
| Environmental | How much does it matter to us? | Your deployment |
Keep exploring
Frequently asked questions
- Which CVSS metric group is required?
- Only the Base group is required. Temporal (Threat in v4.0) and Environmental metrics are optional refinements layered on top of the Base score.
- What replaced Temporal metrics in CVSS 4.0?
- CVSS v4.0 renamed the Temporal group to Threat and reduced it to a single Exploit Maturity metric, dropping Remediation Level and Report Confidence.
- Why do most published CVSS scores only show Base metrics?
- Vendors and databases like the NVD cannot know your environment or the current threat landscape for your assets, so they publish the Base score and leave Temporal and Environmental scoring to you.
- Can Environmental metrics raise a score above the Base?
- Yes. Environmental Security Requirements can increase the weight of an impact type, so a flaw can score higher for an organization where that asset is especially sensitive.
