CVSS (Common Vulnerability Scoring System)
CVSS is the industry-standard formula for converting a vulnerability's properties into a 0-10 severity score.
Definition
The Common Vulnerability Scoring System (CVSS) is a vendor-neutral scoring framework maintained by FIRST.org. It takes a structured description of a vulnerability — attack vector, privileges required, attack complexity, the impact on Confidentiality / Integrity / Availability, plus optional temporal and environmental modifiers — and produces a numeric base score on a 0.0 to 10.0 scale. The score maps to a severity bucket (None / Low / Medium / High / Critical).
CVSS is widely adopted but widely critiqued. Two famous CVEs with identical CVSS scores can have radically different real-world impact; conversely, a 7.5 can hide a trivially exploitable RCE in a widely deployed product (Log4Shell scored 10.0, but plenty of equally serious bugs scored lower). The score is best read alongside KEV, EPSS, and your own threat model — not as the sole prioritisation signal.
How it works
The current widely-deployed versions are 3.0 / 3.1 (NVD's primary scoring) and 4.0 (released 2023, slowly being adopted). A score is computed from a structured "vector" string: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` for the maximum 10.0. Our CVSS calculator at `/cvss` accepts a vector via URL and renders the score plus its component-by-component breakdown.
Mitigation
Not applicable.
Examples
- CVE-2021-44228 (Log4Shell) — CVSS v3.1 base score 10.0.
- CVE-2014-0160 (Heartbleed) — CVSS v3.x base score 7.5 (high, not critical, despite the impact).