CVSS (Common Vulnerability Scoring System)
What is CVSS (Common Vulnerability Scoring System)?
An open framework, maintained by FIRST, that produces a 0–10 severity score for a vulnerability based on its exploitation characteristics and impact.
CVSS rates vulnerabilities through three metric groups: Base (intrinsic properties such as attack vector, attack complexity, privileges required, user interaction, scope, and confidentiality/integrity/availability impact), Temporal/Threat (exploit maturity, remediation level), and Environmental (the Base metrics adjusted for a specific deployment). The Base score, expressed both as a number and as a vector string, is what most CVE entries publish. CVSS v3.1 is the most widely used version today; v4.0 refines the metrics (including for IoT and OT systems) and adds supplemental severity metrics. Scores must be combined with business context, asset criticality, and EPSS or CISA KEV signals — a high CVSS does not always mean high real-world risk, and a low CVSS may still be critical in a specific environment.
● Examples
- CVE-2021-44228 (Log4Shell) — CVSS v3.1 Base 10.0 (Critical).
- CVE-2014-0160 (Heartbleed) — CVSS v2 Base 5.0 (Medium).
● Frequently asked questions
What is CVSS (Common Vulnerability Scoring System)?
An open framework, maintained by FIRST, that produces a 0–10 severity score for a vulnerability based on its exploitation characteristics and impact. It belongs to the Vulnerabilities category of cybersecurity.
What does CVSS (Common Vulnerability Scoring System) mean?
An open framework, maintained by FIRST, that produces a 0–10 severity score for a vulnerability based on its exploitation characteristics and impact.
How do you defend against CVSS (Common Vulnerability Scoring System)?
Defences for CVSS (Common Vulnerability Scoring System) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for CVSS (Common Vulnerability Scoring System)?
Common alternative names include: CVSS score.