CVSS versions explained: 2.0, 3.0, 3.1, and 4.0
Last reviewed June 2, 2026
CVSS has had four major versions. Version 2.0 used a coarse three-rating scale; version 3.0 (2015) added the None and Critical ratings and the Scope metric; version 3.1 (2019) clarified v3.0 and is the most widely published; and version 4.0 (2023) added Attack Requirements, split impact metrics, and a new scoring model. Tools still surface several versions, so it helps to know each one.
The CVSS version timeline
| Version | Released | Headline changes |
|---|---|---|
| 2.0 | 2007 | Three ratings (Low/Medium/High); metrics AV, AC, Au, C, I, A; no None or Critical |
| 3.0 | 2015 | Added None and Critical ratings, Scope metric, Privileges Required and User Interaction |
| 3.1 | 2019 | Clarified v3.0 wording and scoring; most widely published version |
| 4.0 | 2023 | Added Attack Requirements, split impact (VC/VI/VA + SC/SI/SA), MacroVector model |
CVSS 2.0: the original baseline
Released in 2007, CVSS v2.0 established the 0.0 to 10.0 scale but used only three qualitative ratings: Low, Medium, and High. Its Base metrics were Access Vector (AV), Access Complexity (AC), Authentication (Au), and the Confidentiality, Integrity, and Availability impacts. It had no None rating and no Critical rating, which made it hard to distinguish merely serious flaws from the most dangerous ones.
CVSS 3.0 and 3.1: the modern model
CVSS v3.0 arrived in 2015 and reworked the model significantly. It introduced the None and Critical ratings, replaced Authentication with Privileges Required, added User Interaction, and introduced the Scope metric to capture impact crossing a security boundary. Version 3.1, released in 2019, did not change the formula much but clarified definitions and guidance, removing ambiguity that had caused inconsistent scoring.
Because v3.1 is a clarification rather than a redesign, it became the de facto standard and is still the most commonly published version across vulnerability databases.
CVSS 4.0: the current standard
Published in 2023, CVSS v4.0 keeps the 0.0 to 10.0 scale and the five v3.x severity bands but rebuilds how scores are produced. It adds an Attack Requirements (AT) metric, splits impact into vulnerable-system (VC, VI, VA) and subsequent-system (SC, SI, SA) metrics, expands User Interaction to None, Passive, and Active, and replaces the formula with a MacroVector lookup model. It also adds optional Supplemental metrics for context like Safety and Automatable.
Which version will you see?
In modern data you will most often encounter v3.1, with v4.0 appearing increasingly as vendors adopt it. Older records still carry v2.0 scores. Always read the version prefix on a vector before interpreting it, and avoid comparing scores across versions as if they were identical, since the metrics and math differ.
Keep exploring
Frequently asked questions
- How many versions of CVSS are there?
- There are four major versions: 2.0 (2007), 3.0 (2015), 3.1 (2019), and 4.0 (2023). Versions 3.0 and 3.1 are closely related, with 3.1 mainly clarifying 3.0.
- What is the most widely used CVSS version?
- CVSS v3.1, released in 2019, is the most widely published version and remains common across vulnerability databases even after v4.0 was released.
- What is the difference between CVSS 3.0 and 3.1?
- Version 3.1 did not change the core formula. It clarified definitions and scoring guidance from 3.0 to reduce inconsistent scoring, which is why the two share the same severity bands.
- Did CVSS 2.0 have a Critical rating?
- No. CVSS v2.0 had only Low, Medium, and High ratings. The None and Critical ratings were introduced in CVSS v3.0.
