CVSS Explained: How We Score Vulnerability Severity
CVSS — the Common Vulnerability Scoring System — is the open, industry-standard way to rate how severe a vulnerability is, on a 0 to 10 scale. The score is derived transparently from a set of metrics describing how a flaw is exploited and what it impacts, and it is published as both a number and a vector string so anyone can see how it was reached. We score every finding in a penetration test with CVSS so your team can prioritize objectively — but the number is the start of the conversation, not the end of it.
If you have ever opened a security report and wondered why one issue is “9.8 Critical” and another is “5.3 Medium,” this guide explains exactly how those numbers are built and how to read them.
Why a standard exists
Before CVSS, every vendor and tester rated severity their own way, and “high” meant something different on every report. CVSS, maintained by FIRST.org (the Forum of Incident Response and Security Teams), fixes that by making severity reproducible: the same vulnerability, scored by two different analysts, produces the same number, because the inputs are explicit and the math is fixed. That comparability is the whole point — it lets you stack findings from different tools, vendors, and years against each other on one scale.
How a score is built: the vector string
A CVSS score is not a gut feeling; it is calculated from a vector string — a compact line that records every decision that went into the number. A classic worst-case example looks like this:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H → 9.8, Critical
Each segment is a metric. The most important ones in the Base group are:
- Attack Vector (AV) — how close the attacker must be. N (Network) means exploitable from anywhere on the internet; other values are Adjacent, Local, and Physical. Network-reachable flaws score highest.
- Attack Complexity (AC) — how much has to line up for the exploit to work. L (Low) means it just works; H (High) means it depends on conditions outside the attacker’s control.
- Privileges Required (PR) — what access the attacker needs first. N (None) is the worst case; L or H require an existing account.
- User Interaction (UI) — whether a victim has to do something (click a link, open a file). N (None) means fully automated.
- Scope / Attack Requirements — whether the impact stays within the vulnerable component or breaks out to affect other systems.
- Confidentiality, Integrity, Availability (C/I/A) — the actual damage: can the attacker read data, change data, or take the system down? H/H/H is total impact.
Read the example above in plain English: exploitable from the internet, with no special conditions, no privileges, and no user interaction, resulting in full compromise of data confidentiality, integrity, and availability. That is why it lands at 9.8 — about as bad as it gets.
What the numbers mean
CVSS maps the 0–10 score onto five qualitative bands so non-specialists can triage at a glance:
| Score | Severity |
|---|---|
| 0.0 | None |
| 0.1 – 3.9 | Low |
| 4.0 – 6.9 | Medium |
| 7.0 – 8.9 | High |
| 9.0 – 10.0 | Critical |
In a report, Critical and High findings are the ones to fix first — they are typically the remotely-exploitable, high-impact issues. Medium findings usually require some precondition or deliver partial impact, and Low findings are minor or hard to exploit. The bands turn a technical score into a prioritization decision your team can act on immediately.
Beyond Base: Temporal/Threat and Environmental
The Base score measures a vulnerability’s intrinsic severity, assuming a generic environment. CVSS has two further metric groups that adjust it for reality:
- Threat / Temporal — accounts for the current state of the world: is there a working public exploit, is it being actively exploited in the wild? A flaw with a weaponized exploit available is more urgent than a theoretical one.
- Environmental — adjusts the score for your specific deployment. The same vulnerability is more severe on the server holding your customer database than on an isolated test box, and these metrics let the score reflect that.
This is the crucial nuance: the Base score does not know your business. A 7.5 on a system with no sensitive data may matter less to you than a 5.3 on your authentication service. We report the standard Base score for comparability, then layer in the environmental and written context so you prioritize by real risk.
CVSS 3.1 vs 4.0
You will see both versions in the wild. CVSS 3.1 is still the most widely-referenced standard. CVSS 4.0 (2023) refines the model: it replaces the often-misunderstood Scope metric with clearer Attack Requirements, makes User Interaction more precise, cleanly separates impact on the vulnerable system from impact on subsequent systems downstream, and adds Supplemental metrics — extra context like whether exploitation can be automated or how hard recovery is — that inform a decision without changing the core number. Both express severity on the same 0–10 scale, so they remain comparable for prioritization.
Why we score, and why it isn’t the last word
We attach a CVSS score and full vector string to every finding for two reasons: it makes our reports objective and comparable — you can see precisely why a rating is what it is — and it gives your team an instant, defensible priority order. But a score is a model, not a verdict. The most useful security report pairs the standard number with a plain-language explanation of what the issue means for you, and a concrete fix. That combination — see our methodology for how we structure it — is what turns a severity rating into action.
For how we run a full assessment and what the report contains, see web application penetration testing and types of penetration testing.
The bottom line
CVSS is the shared language for vulnerability severity: a transparent 0–10 score, built from an explicit vector of metrics, that lets everyone prioritize on the same scale. Read the bands to triage, read the vector to understand why, and read the tester’s context to know what it means for your business. The number tells you how bad a flaw is in general; the context tells you how bad it is for you.
Want findings scored and explained this clearly? Get in touch.
Frequently asked questions
What is CVSS?
CVSS (Common Vulnerability Scoring System) is the open, industry-standard framework — maintained by FIRST.org — for rating the severity of a security vulnerability on a 0 to 10 scale. The score is calculated from a transparent set of metrics describing how the vulnerability is exploited and what impact it has, and it is expressed as both a number and a human-readable vector string, so two analysts scoring the same flaw arrive at the same result.
What do the CVSS severity ratings mean?
CVSS maps the 0–10 score to five qualitative bands: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), and Critical (9.0–10.0). A Critical finding is typically remotely exploitable with no privileges or user interaction and full impact on data — the kind you fix immediately. A Low finding has limited impact or demanding preconditions. The bands let non-specialists prioritize at a glance.
What is the difference between CVSS 3.1 and 4.0?
CVSS 4.0, released in 2023, refines the 3.1 model. It replaces the often-confusing Scope metric with clearer Attack Requirements, splits user interaction into more precise values, separates the score for the vulnerable system from any subsequent downstream systems, and adds Supplemental metrics (like automatable exploitation and recovery effort) for richer context. Both are in active use; 3.1 remains the most widely-referenced version while 4.0 adoption grows.
Is a high CVSS score always the most urgent thing to fix?
Not always. The CVSS Base score measures a vulnerability's intrinsic severity in isolation — it does not know whether the affected system holds your crown-jewel data or sits on an isolated internal segment. That is what the Environmental metrics and a tester's written impact analysis are for. We report the standard score for comparability, then add context so you prioritize by real business risk, not the number alone.