CVSS (the Common Vulnerability Scoring System) has become the global standard for quantifying the severity of a security vulnerability. Used by the NIST NVD, software vendors and security teams worldwide, it gives a consistent, vendor-neutral severity rating from which patch prioritisation can start.
Severity Levels
| CVSS Score | Severity | Recommended Action |
|---|---|---|
| 9.0 – 10.0 | CRITICAL | Immediate patch (< 24h) |
| 7.0 – 8.9 | HIGH | Urgent patch (< 7 days) |
| 4.0 – 6.9 | MEDIUM | Schedule the patch |
| 0.1 – 3.9 | LOW | Address when resources allow |
| 0.0 | NONE | No action (informational) |
The Three Groups of Base Metrics (CVSS 3.1)
1. Exploitability Metrics
The base metrics measure the intrinsic characteristics of the vulnerability, independent of where it is deployed. The exploitability metrics describe how hard it is to reach and trigger:
- Attack Vector (AV): How can the attacker reach the target? Network (N), Adjacent (A), Local (L) or Physical (P). Network access yields the highest score.
- Attack Complexity (AC): Is the attack simple (Low, L) or does it depend on conditions outside the attacker's control (High, H)?
- Privileges Required (PR): None (N), Low (L) or High (H)?
- User Interaction (UI): Does the attack require an action from the victim? None (N) or Required (R).
2. Scope
The Scope (S) metric indicates whether exploiting the vulnerable component can affect resources outside that component's own security authority. A CVE that lets code escape a Docker container and compromise the host, for example, has a Changed scope (S:C); Unchanged (S:U) means the impact stays confined to the vulnerable component. S:C switches the scoring formula (Impact is computed differently and the combined score is multiplied by 1.08), which noticeably raises the score.
3. Impact (CIA)
Impact is measured across three dimensions, each rated None (N), Low (L) or High (H):
- Confidentiality (C): Can data be disclosed?
- Integrity (I): Can data be tampered with?
- Availability (A): Can the service be disrupted?
Real-World Example: Log4Shell (CVE-2021-44228)
CVSS 3.1 Score: 10.0 (CRITICAL)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Translation:
- AV:N → Reachable over the network (any Log4j instance that logs attacker-controlled input, not only internet-facing ones)
- AC:L → Low complexity: no special conditions or preparation needed
- PR:N → No privileges required
- UI:N → No user interaction required
- S:C → Scope Changed: the impact is not confined to the vulnerable component (the Log4j library) but reaches the application and host it runs in
- C:H / I:H / A:H → Full impact on confidentiality, integrity and availability
10.0 is the maximum possible score: every metric is at its worst value.
CVSS v2 vs v3.0 vs v3.1
Version 3.1 (2019) is the revision most CVE records carry today. It added no new metrics to v3.0: it clarified the specification and replaced the rounding function with one that avoids floating-point artefacts, so v3.0 and v3.1 scores for the same vector are almost always identical. FIRST has since published CVSS v4.0, but v3.x remains the version you will meet on most CVEs. v2, still present on older CVEs, uses a different metric set (for example Authentication instead of Privileges Required, and no Scope) and different severity bands (High is 7.0–10.0), so its scores cannot be compared directly with v3 scores.
On cveo.tech, every CVE displays the version used (v3.1, v3.0 or v2) and the full vector, for complete transparency.
Limitations of CVSS
CVSS is an excellent prioritisation tool, but it has limitations:
- The published base score doesn't account for your context: a 9.8 on a service not exposed to the internet may be less urgent than a 7.0 on one directly reachable. CVSS does define Environmental metrics for exactly this adjustment, but nobody computes them for you; NVD only publishes the base score.
- It doesn't measure exploitation probability: EPSS (Exploit Prediction Scoring System) estimates the likelihood that a CVE will be exploited in the next 30 days, while a known-exploited catalogue such as CISA KEV records vulnerabilities confirmed to be exploited in the wild. Both complement, rather than replace, the CVSS severity.
- Scores can change: a CVE may have its score revised after deeper analysis, and the vendor's own (CNA) score can differ from NVD's.
Conclusion
Understanding CVSS is essential for effective security triage. Use it as a starting point, combined with knowledge of your actual exposure.
You can search any CVE and view its full CVSS score on cveo.tech.