What is CVSS? The Common Vulnerability Scoring System, explained

A plain-English guide to severity scores · updated June 2026

CVSS (Common Vulnerability Scoring System) rates how severe a vulnerability is on a scale from 0 to 10. It's the number you see next to almost every CVE — a quick, standard way to say "how bad is this flaw, in theory?" Published by FIRST.org, it's the industry default for severity.

What does CVSS stand for?

CVSS stands for Common Vulnerability Scoring System. Each vulnerability is scored on factors like how it can be reached (network, local), how hard it is to exploit, and the impact on confidentiality, integrity and availability — producing a single 0–10 number.

CVSS score bands

  • 0.0 — None
  • 0.1–3.9 — Low
  • 4.0–6.9 — Medium
  • 7.0–8.9 — High
  • 9.0–10.0 — Critical

Higher is worse. IsItPatched uses these bands when scoring a version, weighting open Critical and High CVEs most heavily — see the formula.

Base, temporal & environmental scores

The base score rates the flaw's intrinsic severity and doesn't change. The temporal score adjusts for things like whether exploit code is public. The environmental score lets you tailor it to your own systems. The public number you usually see is the base score.

Why a high CVSS isn't always the priority

CVSS tells you severity, not urgency. A Critical-scored flaw that nobody is exploiting can wait behind a Medium one that's on CISA KEV (being attacked now) or has a high EPSS (likely to be soon). Real prioritisation combines all three.

Frequently asked questions

What is CVSS?

CVSS — the Common Vulnerability Scoring System — is a standard for rating the severity of a security vulnerability on a scale from 0 to 10. It is published by FIRST.org and gives each vulnerability a number and a qualitative band (Low, Medium, High, Critical) based on how it can be exploited and the impact if it is.

What does CVSS stand for?

CVSS stands for Common Vulnerability Scoring System. It is the most widely used way to express how severe a vulnerability is, and most CVEs carry a CVSS base score in the National Vulnerability Database (NVD).

What is a good or bad CVSS score?

CVSS bands are: 0.0 None, 0.1–3.9 Low, 4.0–6.9 Medium, 7.0–8.9 High, and 9.0–10.0 Critical. Higher is worse. A score of 9.0+ means a severe flaw that, if exploited, can have major impact.

What is the difference between CVSS base, temporal and environmental scores?

The base score rates the intrinsic severity of the flaw and never changes. The temporal score adjusts for factors like whether exploit code exists. The environmental score lets you tailor it to your own deployment. Most public scores you see are base scores.

Is a high CVSS score the most urgent to fix?

Not necessarily. CVSS measures severity in theory, not whether a flaw is actually being exploited. A Critical CVSS bug nobody is attacking can be less urgent than a Medium one on CISA KEV. Combine CVSS with KEV and EPSS to prioritise properly.

IsItPatched is independent and not affiliated with FIRST or NIST/NVD. CVSS is a standard maintained by FIRST.org. Always verify against your vendor's advisories — see our disclaimer.