FortaRisks

CVSS

The CVSS (Common Vulnerability Scoring System) is the open standard that assigns a vulnerability a severity score from 0 to 10. It breaks severity into objective criteria (attack vector, complexity, impact) so that flaws can be compared on a common scale, independently of the vendor.

Updated on July 2, 2026

What is CVSS?

CVSS, the Common Vulnerability Scoring System, is an open framework maintained by FIRST (Forum of Incident Response and Security Teams). It provides a standardized method to assess the severity of a vulnerability and summarize it into a numeric score from 0 to 10, along with a vector that details how that score was derived.

The score is built from several metric groups: base metrics (intrinsic characteristics of the flaw), temporal metrics (factors that change over time) and environmental metrics (tailoring to your context). In practice, it is most often the base score that is published and used.

Why it matters for your organization

CVSS offers a common language to talk about severity. It lets you compare very different vulnerabilities on a single scale and set simple rules, for example prioritizing everything above a certain threshold.

Its strength is also its limit: it measures potential severity, not the actual risk to your organization. A critical flaw on an isolated, unexposed system can be less urgent than a medium flaw on an exposed server under active attack.

Using CVSS well

  • Use it as a starting point, not as the final prioritization verdict.
  • Apply environmental metrics to reflect your real context.
  • Cross-reference with EPSS to factor in the likelihood of exploitation.
  • Check the CISA KEV catalog to flag confirmed exploitation.

Where organizations most often fall short

The most common trap is treating the base score as an absolute directive and mechanically patching every "critical" flaw first. This approach ignores context and likelihood of exploitation, scatters effort, and leaves lower-scored but genuinely dangerous flaws open.

Frequently asked questions

What do the CVSS score levels mean?

The score runs from 0 to 10 and maps to levels: low (0.1 to 3.9), medium (4.0 to 6.9), high (7.0 to 8.9) and critical (9.0 to 10.0). These thresholds help triage, but a high score does not mean a flaw is actually exploited: it is a measure of potential severity, not of likelihood.

Should you prioritize patching by CVSS alone?

No. CVSS measures intrinsic severity, but not the likelihood of exploitation. Robust prioritization combines CVSS with EPSS (likelihood of exploitation) and the CISA KEV catalog (confirmed exploitation), as well as your own environment context through CVSS environmental metrics.
