CVSS severity levels: None, Low, Medium, High, and Critical
Last reviewed June 2, 2026
In CVSS v3.x and v4.0, numeric scores map to five qualitative severity ratings: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0). These bands let teams sort vulnerabilities into consistent priority buckets without comparing raw decimals.
The CVSS v3.x and v4.0 severity ranges
CVSS v3.0, v3.1, and v4.0 all use the same five-band qualitative scale. The bands are inclusive, so a 6.9 is still Medium and a 7.0 is High.
| Rating | Score range |
|---|---|
| None | 0.0 |
| Low | 0.1 - 3.9 |
| Medium | 4.0 - 6.9 |
| High | 7.0 - 8.9 |
| Critical | 9.0 - 10.0 |
CVSS v2.0 used a different scale
The older CVSS v2.0 standard had only three severity ratings and no None or Critical band. Many tools still display v2.0 scores for older vulnerabilities, so it helps to know the difference.
| Rating | Score range |
|---|---|
| Low | 0.0 - 3.9 |
| Medium | 4.0 - 6.9 |
| High | 7.0 - 10.0 |
How to use the levels
Severity bands are a triage shortcut, not a patching schedule. Many programs commit to remediating Critical and High vulnerabilities within tight windows, but the band alone does not tell you whether a flaw is actually being exploited.
- Critical (9.0-10.0): treat as urgent, especially if internet-facing.
- High (7.0-8.9): schedule prompt remediation.
- Medium (4.0-6.9): patch in normal cycles, weigh exposure.
- Low (0.1-3.9): low priority unless it chains with other flaws.
- None (0.0): informational; no direct impact measured.
Why a Critical score still needs context
A Critical CVSS score signals severe potential impact, but it says nothing about whether attackers are using the flaw today. Pairing the severity band with EPSS probability and the CISA KEV catalog prevents teams from spending all their effort on Critical flaws that nobody is exploiting while ignoring a Medium flaw under active attack.
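The following Python example is added here and is not part of the original page. It maps scores to bands using the v3.x/v4.0 and v2.0 tables above, then orders findings by KEV listing, EPSS, and band; the ordering policy, the 0.5 EPSS threshold, the field names, and the sample findings are assumptions constructed for illustration.

```python
from decimal import Decimal

# Band lower bounds from the tables on this page, highest first.
V3_V4_BANDS = [("Critical", "9.0"), ("High", "7.0"), ("Medium", "4.0"), ("Low", "0.1"), ("None", "0.0")]
V2_BANDS = [("High", "7.0"), ("Medium", "4.0"), ("Low", "0.0")]
BAND_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def severity_band(score, version):
    """Map a CVSS base score to its qualitative rating for the given version."""
    # Decimal via str avoids float edge cases at band boundaries (6.9 vs 7.0).
    value = Decimal(str(score))
    if not Decimal("0.0") <= value <= Decimal("10.0"):
        raise ValueError(f"CVSS score out of range: {score}")
    if value != value.quantize(Decimal("0.1")):
        raise ValueError(f"CVSS scores have one decimal place: {score}")
    bands = V2_BANDS if version.startswith("2") else V3_V4_BANDS
    for name, lower in bands:
        if value >= Decimal(lower):
            return name


def triage_order(findings, epss_threshold=0.5):
    """Sort (assumed policy): KEV-listed, then EPSS >= threshold, then band, then score."""
    def key(f):
        band = severity_band(f["score"], f["version"])
        return (
            not f["in_kev"],             # known-exploited sorts first
            f["epss"] < epss_threshold,  # then likely-exploited
            -BAND_RANK[band],            # then the higher band
            -f["score"],                 # then the higher raw score
        )
    return sorted(findings, key=key)


# Constructed sample data: placeholder IDs, made-up EPSS and KEV values.
FINDINGS = [
    {"id": "CVE-0000-0001", "score": 9.8, "version": "3.1", "epss": 0.002, "in_kev": False},
    {"id": "CVE-0000-0002", "score": 6.5, "version": "3.1", "epss": 0.91, "in_kev": True},
    {"id": "CVE-0000-0003", "score": 7.5, "version": "2.0", "epss": 0.64, "in_kev": False},
    {"id": "CVE-0000-0004", "score": 0.0, "version": "4.0", "epss": 0.001, "in_kev": False},
]

if __name__ == "__main__":
    for f in triage_order(FINDINGS):
        print(f["id"], f["score"], severity_band(f["score"], f["version"]), f["epss"], f["in_kev"])
```

With this sample data, the KEV-listed Medium finding sorts ahead of the Critical finding that has a near-zero EPSS value.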
Frequently asked questions
- What is the highest CVSS score?
- The maximum CVSS score is 10.0, which falls in the Critical band (9.0 to 10.0). A vector like CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H scores 9.8.
- What CVSS score is considered critical?
- In CVSS v3.x and v4.0, any score from 9.0 to 10.0 is rated Critical. CVSS v2.0 did not have a Critical band; its top rating was High (7.0 to 10.0).
- Does a score of 0.0 mean the vulnerability is safe?
- A 0.0 maps to None, meaning CVSS measured no direct impact. It does not always mean the issue is harmless, since it may still matter when chained with other weaknesses.
- Are the severity bands the same in every CVSS version?
- No. CVSS v3.0, v3.1, and v4.0 share the same five bands, but v2.0 used only Low, Medium, and High with different ranges and no None or Critical.