CVSS (common vulnerability scoring system)
CVSS, the Common Vulnerability Scoring System, is an open standard, maintained by FIRST, for rating how severe a software vulnerability is on a 0 to 10 scale. It turns the technical traits of a flaw into a number and a severity band, so teams can rank issues the same way across different tools and reports.
From traits to a single number.
A CVSS score is built from a vector string that records how a vulnerability behaves. The base metrics describe the flaw itself: how it is reached (attack vector, AV), how hard it is to exploit (attack complexity, AC), whether it needs privileges (PR) or user action (UI), whether exploiting it reaches beyond the vulnerable component (scope, S), and what it does to confidentiality, integrity, and availability (C, I, A). A fixed formula in the specification combines those values into one number.
The number maps to a named band, which is what most people read first. The version most tools still report is CVSS v3.1; v4.0 is the newer revision, with a different formula and metric set, so a v4.0 score is not interchangeable with a v3.1 one. A score is only as good as the context behind it, so the vector string matters as much as the figure. It shows exactly which assumptions produced the rating.
| Severity band | Score range | What it usually signals |
|---|---|---|
| None | 0.0 | No measurable impact under the scored conditions. |
| Low | 0.1 to 3.9 | Limited reach or hard to exploit. Fix when convenient. |
| Medium | 4.0 to 6.9 | Real risk worth scheduling into a release. |
| High | 7.0 to 8.9 | Serious. Plan a fix soon and check exposure. |
| Critical | 9.0 to 10.0 | Treat as urgent. Easy to exploit with heavy impact. |
What the score does and does not tell you.
It ranks, it does not decide
A CVSS base score measures the technical severity of a flaw in isolation. It does not know whether the affected page handles payments or sits behind a login. Your own environment decides the real priority, so a 7.5 on a public checkout matters more than the same score on an internal tool.
Base, temporal, environmental
CVSS v3.1 has three metric groups. Base is the fixed nature of the flaw. Temporal adjusts for the state of the flaw in the wild: how mature any exploit code is, whether a fix is available, and how well confirmed the report is. Environmental lets you tune the score for your own setup, for example by weighting how much the affected asset's confidentiality, integrity or availability matters to you. Most tools report the base score only, and you refine from there. v4.0 renames Temporal to Threat and adds a Supplemental group.
Read the vector string
The vector string, such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, shows the choices behind a number. That one reads as: reachable over the network, low complexity, no privileges or user interaction needed, scope unchanged, high confidentiality impact and no integrity or availability impact, which the v3.1 formula scores as 7.5 (High). If a rating looks off, the vector is where you check the reasoning.
A shared language
Because CVSS is an open standard run by FIRST, a critical from one scanner means roughly the same as a critical from another, provided both scored the same vector. Two analysts can still pick different metric values for the same flaw, which is why the vector should travel with the score. With that caveat, scores are easy to compare across reports and useful as evidence in a compliance file.
CVSS in an AuditWard report.
AuditWard's Analyst agent attaches a CVSS score and vector to each security finding, alongside a confidence score and any compliance tags. The score gives you a quick read on severity, and the vector and evidence let you sanity-check it against your own context. You can see how this fits the wider scan on the website security scanning pillar, or browse more terms in the glossary.
CVSS questions.
What does a CVSS score actually measure?
It measures the technical severity of a vulnerability on a 0 to 10 scale, based on how the flaw is reached and what it does to confidentiality, integrity, and availability. It rates the flaw itself, not how much it matters in your specific setup.
What is a high CVSS score?
Scores from 7.0 to 8.9 fall in the high band and 9.0 to 10.0 are critical. A high or critical finding is usually easy to exploit, hits sensitive data, or both, so all else being equal it is worth fixing before lower-rated issues.
Does AuditWard give every finding a CVSS score?
AuditWard attaches a CVSS score and vector string to its security findings, next to a confidence score and any compliance tags. You get the number for triage and the vector and evidence so you can check the rating against your own context.