
What is CVSS? The Common Vulnerability Scoring System explained

Last reviewed June 2, 2026

CVSS, the Common Vulnerability Scoring System, is an open industry standard for rating the severity of software vulnerabilities. It produces a numeric score from 0.0 to 10.0, derived from a set of metrics describing how a flaw can be exploited and its impact. The score maps to a qualitative rating from None to Critical.

What CVSS measures

CVSS is maintained by FIRST (the Forum of Incident Response and Security Teams) and is the most widely used way to communicate how severe a software vulnerability is. Instead of vague labels, it turns a set of characteristics about a flaw into a single number between 0.0 and 10.0.

That score is not a measure of risk by itself. CVSS describes the intrinsic severity of a vulnerability, such as how easy it is to attack and what damage it could cause. Real-world risk also depends on whether the flaw is being exploited and how exposed your specific systems are.

How a CVSS score is built

A CVSS score is calculated from metric groups. The Base group captures the constant qualities of a vulnerability, such as the attack vector, attack complexity, privileges required, user interaction, scope, and the impact on confidentiality, integrity, and availability. The optional Temporal group (renamed Threat in CVSS 4.0) and Environmental group adjust the Base score for current conditions and for your own environment.

  • Base metrics: the intrinsic, unchanging characteristics of the flaw.
  • Temporal / Threat metrics: factors that change over time, such as exploit maturity.
  • Environmental metrics: how the flaw matters in your specific deployment.

An example score

Consider a remotely exploitable flaw that needs no privileges or user interaction and fully compromises confidentiality, integrity, and availability. Its CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which produces a Base score of 9.8 and a Critical rating. That is roughly the worst-case profile a single vulnerability can have.

Why CVSS matters

CVSS gives teams a common language. The same vulnerability scored by a vendor, a national database, and your own analysts should land in the same range, which makes triage, compliance reporting, and service-level agreements possible across organizations.

Because CVSS measures severity rather than likelihood, mature programs pair it with exploitation signals like EPSS and the CISA KEV catalog to decide what to patch first.
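To make the pairing concrete, here is an added example (not a FIRST or CISA rule, and not from the page) of an ordering policy that ranks findings by KEV membership first, then by EPSS probability, and only then by CVSS score. The finding identifiers and numbers are constructed placeholders; the point it shows is that the highest CVSS score is not automatically the first thing to patch.

```python
"""Patch-ordering policy combining CVSS severity with exploitation signals
(added example; the precedence chosen here is illustrative, not a standard)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ident: str      # placeholder identifier, not a real CVE
    cvss: float     # CVSS Base score, 0.0 to 10.0
    epss: float     # EPSS probability of exploitation activity, 0.0 to 1.0
    in_kev: bool    # listed in the CISA Known Exploited Vulnerabilities catalog


def priority_key(f: Finding) -> tuple:
    """Sort key: known-exploited first, then higher EPSS, then higher CVSS.
    Python sorts ascending, so each component is inverted."""
    return (not f.in_kev, -f.epss, -f.cvss)


def prioritize(findings: list) -> list:
    """Return findings in the order they should be worked, most urgent first."""
    return sorted(findings, key=priority_key)


# Constructed sample data for illustration only.
SAMPLE = [
    Finding("FINDING-A", cvss=9.8, epss=0.02, in_kev=False),  # Critical but rarely exploited
    Finding("FINDING-B", cvss=7.5, epss=0.91, in_kev=True),   # High, actively exploited
    Finding("FINDING-C", cvss=8.1, epss=0.45, in_kev=False),
    Finding("FINDING-D", cvss=5.3, epss=0.88, in_kev=False),  # Medium, likely to be exploited
]


def ordered_idents(findings: list = SAMPLE) -> list:
    return [f.ident for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.ident}: CVSS {f.cvss}, EPSS {f.epss:.2f}, KEV {f.in_kev}")
```

Teams that must meet a CVSS-based service-level agreement can keep that obligation as a separate constraint and use this ordering only within the work it leaves open.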


Frequently asked questions

What does CVSS stand for?

CVSS stands for the Common Vulnerability Scoring System, an open standard maintained by FIRST for rating the severity of software vulnerabilities.

What is a good CVSS score?

Lower is better. A score of 0.0 means no measurable impact, while 9.0 to 10.0 is Critical. There is no universally good score; the goal is to understand and remediate the higher ones first.

Is CVSS the same as risk?

No. CVSS measures the intrinsic severity of a vulnerability. Risk also depends on exploitation likelihood and how exposed your specific assets are, which is why teams pair CVSS with EPSS and the KEV catalog.

Who created CVSS?

CVSS was originally developed under the U.S. National Infrastructure Advisory Council and is now maintained and published by FIRST, with input from a broad special interest group.