Definition
The Common Vulnerability Scoring System (CVSS) is a standardized framework for rating the severity of security vulnerabilities.
Overview
By assigning numerical scores, CVSS helps organizations understand potential impact, prioritize remediation, and make consistent security decisions. Widely adopted across the cybersecurity industry, CVSS enables teams to communicate about risk using a common language.
What is the Common Vulnerability Scoring System (CVSS)?
CVSS is an open and vendor-neutral standard that assigns severity scores to software vulnerabilities. The system is maintained by the Forum of Incident Response and Security Teams (FIRST) and is used by security professionals, IT teams, and product vendors to ensure vulnerability information is measured and compared consistently.
In other words, when people ask “what is the Common Vulnerability Scoring System?”, CVSS provides the answer: a universal, vendor-neutral way to measure the severity of software vulnerabilities. The goal of CVSS is to translate the technical details of a vulnerability into an easily interpretable score, so decision-makers can allocate resources and respond effectively.
Why CVSS Matters in Cybersecurity
Security teams often face an overwhelming number of vulnerabilities, and not all flaws carry the same level of risk. Without a standard scoring method, it would be difficult to determine which issues to address first. CVSS provides consistency across vendors and tools, clarity when communicating risks to business stakeholders, and prioritization so the most dangerous vulnerabilities are remediated quickly.
In practice, CVSS is often paired with vulnerability scanning tools that detect flaws across applications and infrastructure. Together, scanning and scoring give teams the visibility and context they need to take action without guesswork.
Components of the CVSS Score
CVSS scores are based on three sets of metrics—base, temporal, and environmental—which together provide a complete view of a vulnerability’s severity, how its risk profile may change, and how relevant it is to a specific organization.
Base metrics
The base metrics define the intrinsic qualities of a vulnerability that remain constant over time. They measure factors such as whether the flaw can be exploited remotely or requires physical access, the complexity of the attack, and the privileges an attacker must have. Base metrics also assess the impact on confidentiality, integrity, and availability. For example, a flaw that allows unauthorized disclosure of sensitive data would score highly on confidentiality, while a denial-of-service issue that disrupts system uptime would score highly on availability. These measures create a universal baseline severity rating.
Temporal metrics
The temporal metrics adjust the base score to reflect conditions that change over time. A vulnerability may be rated more severe if exploit code becomes publicly available, if remediation is immature, or if details are still uncertain. For instance, a flaw with no known exploits and an effective patch available would score lower than one with widely distributed proof-of-concept code and no fix. Temporal metrics provide a realistic snapshot of risk at a given moment.
Environmental metrics
The environmental metrics allow organizations to adapt CVSS scores to their specific context. They account for the value of affected assets, business priorities, and the importance of confidentiality, integrity, and availability within a particular system. As a result, the same vulnerability may score higher in a financial institution—where data confidentiality is critical—than in another environment where availability matters more. Environmental metrics ensure that CVSS reflects not just theoretical severity but real-world impact.
Together, these three sets of metrics balance universal scoring with contextual flexibility, ensuring vulnerabilities can be communicated consistently while still aligning with organizational realities.
How CVSS Scores are Calculated
The CVSS formula combines base, temporal, and environmental metrics into a numerical score ranging from 0.0 to 10.0. A score of 0.0 indicates no severity, 0.1 to 3.9 is considered low, 4.0 to 6.9 is medium, 7.0 to 8.9 is high, and 9.0 to 10.0 is critical.
For example, a remote code execution vulnerability with low attack complexity and high impact on availability may receive a score above 9.0. This critical rating signals that immediate remediation is needed.
Versions of CVSS
Since its introduction in 2005, the Common Vulnerability Scoring System has evolved through several major revisions, each designed to address gaps in earlier versions and to keep pace with modern cybersecurity threats.
CVSS v1 was the initial release, developed as a proof of concept to create a common language for rating vulnerabilities. It introduced the idea of base, temporal, and environmental metrics but was not widely adopted outside research and standards communities.
CVSS v2, released in 2007, became the first version to gain widespread adoption. It established standardized scoring and enabled security vendors, researchers, and enterprises to use a common severity scale. However, v2 lacked nuance in representing complex attack scenarios. For example, it struggled to differentiate effectively between local and remote attacks, and its scoring often did not align with the real-world risk organizations faced.
CVSS v3, introduced in 2015, addressed many of those limitations. It expanded the base metrics to better capture how vulnerabilities could be exploited, refined privilege requirements and user interaction measures, and clarified how to evaluate impact across confidentiality, integrity, and availability. These changes made scores more representative of real-world conditions and improved their usefulness for prioritization.
CVSS v3.1, published in 2019, did not alter the underlying formula but focused on improving clarity and consistency. The update standardized terminology, reduced ambiguity in metric interpretation, and provided better guidance for applying scores. This refinement helped align practices across vendors, government agencies, and enterprises, ensuring CVSS was used more consistently at scale.
Looking ahead, the CVSS Special Interest Group (SIG) within FIRST continues to refine the framework to reflect emerging challenges, such as vulnerabilities in cloud-native applications, container environments, and modern supply chains. These developments are especially valuable when combined with methods like software composition analysis (SCA), which provide deeper visibility into risks associated with open-source and third-party components. Each revision strengthens the system’s reliability and ensures it remains relevant in today’s rapidly evolving cybersecurity landscape.
Limitations of CVSS
Although CVSS is a valuable tool, it has limitations. Scores can oversimplify complex vulnerabilities, and they cannot always capture an organization’s unique context. In some cases, a high CVSS score may represent little actual risk if the affected component is rarely used.
To address these gaps, security teams often supplement CVSS with other methods such as threat intelligence, business impact analysis, and software composition analysis (SCA). These approaches provide additional context, particularly when managing risks from open-source and third-party components.
CVSS vs. EPSS: Severity vs. Likelihood
The primary difference between these two systems lies in what they are designed to measure.
- CVSS (Severity): Focuses on the inherent characteristics of a vulnerability—how much damage it could do if it were successfully exploited. It answers the question: “How bad is this?”
- EPSS (Likelihood): Uses a data-driven machine learning model to estimate the probability that a vulnerability will actually be exploited in the wild within the next 30 days. It answers the question: “How likely is this to happen?”
Key Comparison
| Feature | CVSS | EPSS |
|---|---|---|
| Primary Goal | Measures technical severity | Predicts exploitation probability |
| Score Range | 0.0 to 10.0 | 0 to 1 (0% to 100%) |
| Update Frequency | Static (unless a new version is released) | Dynamic (updated daily) |
| Data Source | Technical specifications of the flaw | Real-world threat telemetry and ML |
Why Use Both?
Relying solely on CVSS can lead to “vulnerability fatigue” because many vulnerabilities with Critical (9.0+) scores are never actually targeted by attackers in the real world. Conversely, some Medium severity vulnerabilities might be under active attack, requiring urgent attention.
By combining these scores, organizations can categorize vulnerabilities into a four-quadrant matrix to make smarter patching decisions:
- High CVSS + High EPSS: Immediate Action. These are dangerous flaws that attackers are actively trying to use.
- High CVSS + Low EPSS: Monitor. These are theoretically dangerous but lack current evidence of real-world exploitation.
- Low CVSS + High EPSS: Investigate. These might be part of an attack chain where attackers use minor flaws to gain a foothold.
- Low CVSS + Low EPSS: Deprioritize. These pose the least amount of immediate risk to the organization.
CVSS and JFrog
CVSS scores provide a foundation for prioritization. They help teams determine which vulnerabilities to patch first, communicate urgency to business stakeholders, and integrate findings into automated vulnerability management programs. When contextualized with organizational priorities, CVSS enables a shift from reactive patching toward structured, proactive security strategies.
While CVSS is an industry standard, its full value is realized when integrated into modern DevSecOps workflows. JFrog Xray, part of the JFrog Platform, leverages CVSS scoring to identify and prioritize vulnerabilities across the software supply chain. JFrog also has a dedicated Security Research team of security engineers and researchers who are committed to advancing software security through discovery, analysis, and exposure of new vulnerabilities and attack methods. See the latest CVE analyses here.
By combining CVSS data with rich metadata, dependency analysis, and policy enforcement, JFrog enables teams to turn raw scores into actionable security decisions. This integration helps organizations manage vulnerabilities at scale, maintain compliance, and embed security throughout the software development lifecycle. With JFrog, CVSS is not just a number—it becomes a driver for trusted, automated, enterprise-ready security.
For more information, please visit our website, take a virtual tour, or set up a one-on-one demo at your convenience.
