CVSS Score Reference

CVSS v3.1 severity ratings: None, Low, Medium, High, Critical.

Reference for CVSS v3.1 base score ranges and qualitative severity ratings with the eight base metrics, plus a live classifier that maps any 0.0–10.0 score to its rating. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What are the CVSS v3.1 severity ranges?

None is exactly 0.0, Low is 0.1 to 3.9, Medium is 4.0 to 6.9, High is 7.0 to 8.9 and Critical is 9.0 to 10.0. These qualitative bands let teams prioritise without reading the raw score.

Reading CVSS severity at a glance

CVSS (Common Vulnerability Scoring System) v3.1 produces a numeric base score from 0.0 to 10.0 that captures the intrinsic severity of a vulnerability. To make prioritisation easy, scores map to five qualitative ratings. This reference lists those bands and the eight base metrics, and includes a classifier that returns the rating for any score you enter.

How it works

The base score is computed from two sub-scores. Exploitability is built from Attack Vector, Attack Complexity, Privileges Required and User Interaction; Impact is built from Confidentiality, Integrity and Availability. The Scope metric decides how those combine. The final value is rounded up to one decimal place, then placed in a band:

0.0        None
0.1 – 3.9  Low
4.0 – 6.9  Medium
7.0 – 8.9  High
9.0 – 10.0 Critical

Because rounding is always upward, a raw value such as 8.81 becomes 8.9 and stays High, while 8.91 becomes 9.0 and crosses into Critical.

Understanding the eight base metrics

Each base metric contributes to either the Exploitability or Impact sub-score.

Exploitability metrics describe how difficult the vulnerability is to attack:

  • Attack Vector (AV) — How can the attacker reach the vulnerable component? Network (N) is the easiest; Physical (P) requires hands-on access. Network vulnerabilities are riskier because they are reachable from the internet, raising the score.
  • Attack Complexity (AC) — Does the attack require special conditions beyond the attacker’s control? Low complexity means the attacker can reliably reproduce the attack; High means they depend on something unpredictable, like a race condition.
  • Privileges Required (PR) — What level of authenticated access does the attacker need before the attack? None is highest risk; High (admin access required) is the lowest.
  • User Interaction (UI) — Must a legitimate user take an action for the attack to succeed? None means the attacker acts alone; Required means a user must click something or visit a page.

Impact metrics describe what a successful attack does to the affected component:

  • Confidentiality (C) — Can the attacker read data? High means all data is exposed; None means no data is disclosed.
  • Integrity (I) — Can the attacker modify data or functionality? High means complete write access; None means no modification is possible.
  • Availability (A) — Can the attacker disrupt service? High means total denial of service; None means availability is unaffected.

Scope (S) — This metric is unique. It captures whether a vulnerability in one component can affect resources in another security domain. A Changed scope, such as a hypervisor escape affecting the host, substantially raises the score because impact spills beyond the vulnerable component.

How to use CVSS scores in practice

CVSS Base scores are useful for comparison and prioritisation across a vulnerability backlog, not as an absolute measure of risk to your specific environment. A Critical-rated library vulnerability may be unexploitable in your deployment if the vulnerable code path is never called. Conversely, a Medium-rated vulnerability in an authentication endpoint may be your highest-priority fix because of what it protects.

For this reason, security teams pair Base scores with Temporal scores (adjusted for exploit maturity and patch availability) and Environmental scores (adjusted for compensating controls and asset criticality). Both can only lower the Base score, never raise it.

A typical triage policy groups remediation timelines by rating:

  • Critical — emergency out-of-band patch, usually within 24–72 hours
  • High — next sprint or patch cycle, usually within 30 days
  • Medium — scheduled within 90 days, or accepted with documented compensating controls
  • Low and None — tracked and addressed in normal maintenance windows

Tips and notes

  • A score of exactly 0.0 is the only value rated None — it is informational and typically represents a vulnerability that cannot be exploited in any meaningful way.
  • Critical (9.0+) findings usually warrant emergency patching outside normal cycles.
  • The Base score is constant across deployments; Temporal and Environmental metrics refine it to your context.
  • Build full vector strings and compute scores from individual metric values using the official FIRST.org CVSS v3.1 calculator.
  • The NVD (National Vulnerability Database) publishes CVSS Base scores for all registered CVEs — this reference helps you interpret what those scores mean.