The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. It captures the principal technical aspects of a vulnerability and produces a numerical score ranging from 0 to 10, which is then translated into a qualitative severity rating—None, Low, Medium, High, or Critical—to help organizations prioritize remediation efforts.
Glossary
Common Vulnerability Scoring System (CVSS)

What is Common Vulnerability Scoring System (CVSS)?
An open industry standard for assessing the principal technical severity of software vulnerabilities, producing a numerical score reflecting their characteristics and impact.
CVSS is composed of three metric groups: Base, which captures intrinsic qualities that are constant over time; Temporal, which reflects characteristics that change over the lifecycle of the vulnerability; and Environmental, which allows an organization to customize the score based on their specific IT environment and compensating controls. The current version, CVSS v4.0, introduces supplemental metrics like Automatable and Recovery to provide finer granularity for security operations teams.
Key Characteristics of CVSS
The Common Vulnerability Scoring System (CVSS) provides a standardized, repeatable methodology for quantifying the principal technical severity of software vulnerabilities. It captures the fundamental characteristics of a vulnerability and produces a numerical score reflecting its potential impact.
Base, Temporal, and Environmental Metric Groups
CVSS decomposes severity into three distinct metric groups to provide layered context:
- Base Metrics: Intrinsic qualities of a vulnerability that are constant over time and across user environments. This includes Attack Vector (AV) , Attack Complexity (AC) , and Confidentiality/Integrity/Availability (CIA) Impact.
- Temporal Metrics: Characteristics that evolve over the lifecycle of the vulnerability, such as the availability of exploit code (Exploit Code Maturity - E) or an official fix (Remediation Level - RL).
- Environmental Metrics: Customizable modifiers that reflect the specific importance of the affected asset to an organization, allowing analysts to adjust Confidentiality Requirement (CR) and other impact metrics.
The CVSS Vector String
The score is derived from a compact text representation known as the CVSS Vector String. This machine-readable string encodes all selected metric values, providing a complete, transparent audit trail of how the score was calculated.
- Example:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - This string explicitly defines the vulnerability as Network exploitable (AV:N) with Low attack complexity (AC:L) and No privileges required (PR:N) , leading to a High impact on all three CIA pillars.
- The vector string enables automated, deterministic parsing by vulnerability scanners and ensures reproducibility across different tools.
Qualitative Severity Rating Scale
To make numerical scores immediately actionable, CVSS maps quantitative ranges to a qualitative severity scale for triage prioritization:
- None: 0.0
- Low: 0.1 - 3.9
- Medium: 4.0 - 6.9
- High: 7.0 - 8.9
- Critical: 9.0 - 10.0 A vulnerability scoring a 9.8 is classified as Critical and typically demands immediate remediation within a 24-hour window, whereas a 5.5 is Medium and can be scheduled into a standard patch cycle.
Scope Metric and Privilege Escalation
A pivotal Base Metric, Scope (S) , captures whether a vulnerability in one software component can impact resources beyond its intended security authority.
- Unchanged (S:U) : The vulnerable component and the impacted component are the same, meaning the attack is contained within a single security boundary.
- Changed (S:C) : The vulnerability allows the attacker to escape the component's sandbox and affect a different component, such as breaking out of a virtual machine to access the hypervisor. When Scope is Changed, the impact sub-score is weighted more heavily, reflecting the severity of a privilege escalation or container breakout.
CVSS v3.1 vs. v4.0 Evolution
The framework has evolved to address scoring ambiguities and new attack vectors:
- CVSS v3.1: The current industry standard, which introduced the Scope metric and refined the scoring formula to better represent real-world impact.
- CVSS v4.0: The next-generation standard that supplements the Base Score with new supplemental metrics like Automatable (A) , Recovery (R) , and Value Density (V) . It also introduces a Vulnerability Response (VR) metric to signal the urgency of remediation.
- The shift to v4.0 aims to provide finer granularity for OT/ICS environments and safety-critical systems where traditional IT impact metrics are insufficient.
FIRST Org and Scoring Governance
CVSS is maintained and governed by the Forum of Incident Response and Security Teams (FIRST) , ensuring vendor-neutral, community-driven evolution.
- The CVSS Special Interest Group (SIG) manages the standard's development, publishes official documentation, and provides a reference calculator.
- Organizations like the NIST National Vulnerability Database (NVD) act as primary aggregators, enriching CVE records with CVSS Base Scores to provide a consistent baseline for global vulnerability management programs.
- This governance model prevents proprietary scoring inflation and ensures that a Critical rating from one vendor is mathematically equivalent to a Critical rating from another.
Frequently Asked Questions
Clear, technical answers to the most common questions about the Common Vulnerability Scoring System, its mechanics, and its role in vulnerability management.
The Common Vulnerability Scoring System (CVSS) is an open industry standard for assessing the principal technical severity of software vulnerabilities, producing a numerical score from 0 to 10 that reflects their intrinsic characteristics and impact. It works by evaluating a vulnerability across three metric groups: Base, Temporal, and Environmental. The Base metric group captures the constant, intrinsic qualities of the vulnerability, such as attack vector, complexity, and impact on confidentiality, integrity, and availability. The Temporal group adjusts the score based on factors that change over time, like the availability of exploit code or an official patch. The Environmental group allows an organization to customize the score based on its specific IT environment, modifying Base metrics according to the criticality of the affected asset and compensating security controls. A formula combines these metrics to generate a vector string and a final score, which is then mapped to a qualitative severity rating: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), or Critical (9.0-10.0).
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
CVSS scores are operationalized through a suite of complementary standards and frameworks that govern how vulnerabilities are identified, prioritized, and remediated across the software supply chain.
Software Composition Analysis (SCA)
An automated process for identifying open-source components in a codebase and cross-referencing them against vulnerability databases. SCA tools ingest NVD feeds and apply CVSS scores to prioritize findings. Modern SCA goes beyond simple version matching to determine reachability analysis—whether the vulnerable function is actually called by the application—refining the effective severity beyond the base score.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us