Reading CVSS severity at a glance
CVSS (Common Vulnerability Scoring System) v3.1 produces a numeric base score from 0.0 to 10.0 that captures the intrinsic severity of a vulnerability. To make prioritisation easy, scores map to five qualitative ratings. This reference lists those bands and the eight base metrics, and includes a classifier that returns the rating for any score you enter.
How it works
The base score is computed from two sub-scores. Exploitability is built from Attack Vector, Attack Complexity, Privileges Required and User Interaction; Impact is built from Confidentiality, Integrity and Availability. The Scope metric decides how those combine. The final value is rounded up to one decimal place, then placed in a band:
0.0 None
0.1 – 3.9 Low
4.0 – 6.9 Medium
7.0 – 8.9 High
9.0 – 10.0 Critical
Because rounding is always upward, a raw value such as 8.81 becomes 8.9 and
stays High, while 8.91 becomes 9.0 and crosses into Critical.
Understanding the eight base metrics
Each base metric contributes to either the Exploitability or Impact sub-score.
Exploitability metrics describe how difficult the vulnerability is to attack:
- Attack Vector (AV) — How can the attacker reach the vulnerable component? Network (N) is the easiest; Physical (P) requires hands-on access. Network vulnerabilities are riskier because they are reachable from the internet, raising the score.
- Attack Complexity (AC) — Does the attack require special conditions beyond the attacker’s control? Low complexity means the attacker can reliably reproduce the attack; High means they depend on something unpredictable, like a race condition.
- Privileges Required (PR) — What level of authenticated access does the attacker need before the attack? None is highest risk; High (admin access required) is the lowest.
- User Interaction (UI) — Must a legitimate user take an action for the attack to succeed? None means the attacker acts alone; Required means a user must click something or visit a page.
Impact metrics describe what a successful attack does to the affected component:
- Confidentiality (C) — Can the attacker read data? High means all data is exposed; None means no data is disclosed.
- Integrity (I) — Can the attacker modify data or functionality? High means complete write access; None means no modification is possible.
- Availability (A) — Can the attacker disrupt service? High means total denial of service; None means availability is unaffected.
Scope (S) — This metric is unique. It captures whether a vulnerability in one component can affect resources in another security domain. A Changed scope, such as a hypervisor escape affecting the host, substantially raises the score because impact spills beyond the vulnerable component.
How to use CVSS scores in practice
CVSS Base scores are useful for comparison and prioritisation across a vulnerability backlog, not as an absolute measure of risk to your specific environment. A Critical-rated library vulnerability may be unexploitable in your deployment if the vulnerable code path is never called. Conversely, a Medium-rated vulnerability in an authentication endpoint may be your highest-priority fix because of what it protects.
For this reason, security teams pair Base scores with Temporal scores (adjusted for exploit maturity and patch availability) and Environmental scores (adjusted for compensating controls and asset criticality). Both can only lower the Base score, never raise it.
A typical triage policy groups remediation timelines by rating:
- Critical — emergency out-of-band patch, usually within 24–72 hours
- High — next sprint or patch cycle, usually within 30 days
- Medium — scheduled within 90 days, or accepted with documented compensating controls
- Low and None — tracked and addressed in normal maintenance windows
Tips and notes
- A score of exactly
0.0is the only value rated None — it is informational and typically represents a vulnerability that cannot be exploited in any meaningful way. - Critical (9.0+) findings usually warrant emergency patching outside normal cycles.
- The Base score is constant across deployments; Temporal and Environmental metrics refine it to your context.
- Build full vector strings and compute scores from individual metric values using the official FIRST.org CVSS v3.1 calculator.
- The NVD (National Vulnerability Database) publishes CVSS Base scores for all registered CVEs — this reference helps you interpret what those scores mean.