Common Vulnerability Scoring System (CVSS)
What is Common Vulnerability Scoring System (CVSS)?
CVSS is a standardized way to rate the severity of a vulnerability on a scale from 0.0 to 10.0. Its defined metrics describe how easily the flaw can be exploited and how much impact a successful exploit could have.
Examples
- A remote code execution flaw in an internet-facing service receives a CVSS base score of 9.8, helping the team treat it as urgent.
- A local privilege escalation bug scores 7.8, but the team deprioritizes it because the affected servers are tightly locked down and not exposed.
Discover 🔎
When a new vulnerability is announced, security teams need a consistent way to answer: how bad is this, and how fast should we act? CVSS provides a common scoring language so different organizations can start from the same baseline. The score is useful, but it is not the final answer. Real priority depends on your environment, exposure, and business impact.
Summary 📝
CVSS gives a consistent baseline severity score for vulnerabilities and records the metric values behind that score in a vector string. Use it to communicate urgency and compare issues, but do not treat it as a complete risk measure. Combine CVSS with exposure, asset criticality, and real exploit activity to make sound patch decisions.