Understanding CVSS Scores: The Complete Guide to Vulnerability Severity
CVSS scores are the universal language of vulnerability severity. Learn how the scoring system works, what changed in v4.0, and how to use scores for effective prioritization.
Every vulnerability needs a severity rating. Without one, security teams are left guessing which issues to fix first, developers lack context for prioritization, and executives cannot assess risk. The Common Vulnerability Scoring System (CVSS) exists to solve this problem. It provides a standardized, vendor-neutral framework for rating the severity of software vulnerabilities on a scale from 0.0 to 10.0.
Whether you are reading a penetration test report, triaging CVEs from a scanner, or evaluating a bug bounty submission, CVSS scores are the universal language of vulnerability severity. Understanding how they work is essential for anyone involved in application security.
This guide breaks down every component of the CVSS framework, walks through real scoring examples, explains what changed in version 4.0, and shows how Recon0x uses CVSS alongside business context to deliver actionable severity ratings.
What is CVSS?
CVSS stands for Common Vulnerability Scoring System. It is an open, industry-standard framework maintained by FIRST (the Forum of Incident Response and Security Teams). Its purpose is simple: give every vulnerability a numerical score that represents its severity, so that organizations worldwide can speak the same language when discussing risk.
The system has evolved through several major versions. CVSS v2 was released in 2007 and remained the standard for eight years. CVSS v3.0 arrived in 2015 with finer-grained metrics and the new Scope concept. CVSS v3.1, released in 2019, clarified the guidelines and left the base metrics and their weights unchanged (it did redefine the round-up function and adjust the environmental Modified Impact sub-formula). The latest version, CVSS v4.0, was published in November 2023 and saw broad adoption during 2024. It introduces new metric groups, better handling of cloud, OT and IoT environments, and multiple scoring outputs that state which metric groups fed into the number.
CVSS version timeline
Every major vulnerability database uses CVSS. The National Vulnerability Database (NVD) attaches a CVSS score to each CVE it analyzes, and CVE Numbering Authorities increasingly publish their own scores in CVE records. Security scanners, penetration testing tools, and bug bounty platforms all reference CVSS scores. It is the closest thing the industry has to a universal severity metric.
The CVSS score breakdown
CVSS scores range from 0.0 to 10.0 and map to five qualitative severity levels. Each level represents an assessment of how dangerous a vulnerability is. Here is the full severity scale.
- None (0.0): No security impact. Informational only.
- Low (0.1 to 3.9): Minor impact. Exploitation is difficult or consequences are limited.
- Medium (4.0 to 6.9): Moderate impact. Exploitation requires specific conditions or partial access.
- High (7.0 to 8.9): Significant impact. Exploitation is straightforward and consequences are serious.
- Critical (9.0 to 10.0): Maximum impact. Typically trivial to exploit remotely with full system compromise.
Severity scale (0.0 to 10.0)
These thresholds are not arbitrary. They are the qualitative severity rating scale defined by FIRST (introduced with v3.0 and kept unchanged in v4.0) and are applied consistently by the NVD, by CVE Numbering Authorities, and by most security tools. When a scanner flags something as "High," it means the CVSS base score falls between 7.0 and 8.9. When a pentest report labels a finding "Critical," the score is 9.0 or above. One caveat: CVSS v2 used only three bands (Low 0.0 to 3.9, Medium 4.0 to 6.9, High 7.0 to 10.0), so legacy v2-scored CVEs do not map onto this five-level scale.
Base metrics: the core of the score
The base score is the foundation of every CVSS rating. It captures the intrinsic characteristics of a vulnerability that remain constant over time and across environments. The base score is computed from two metric groups, exploitability metrics (how easy it is to exploit) and impact metrics (how much damage exploitation causes), combined according to the Scope metric, which decides which sub-formula and weights apply.
CVSS v3.1 base metric hierarchy
Exploitability metrics:
- Attack Vector (AV): Network | Adjacent | Local | Physical
- Attack Complexity (AC): Low | High
- Privileges Required (PR): None | Low | High
- User Interaction (UI): None | Required
Scope:
- Scope (S): Unchanged | Changed
Impact metrics:
- Confidentiality (C): None | Low | High
- Integrity (I): None | Low | High
- Availability (A): None | Low | High
Each metric captures a specific aspect of the vulnerability. Attack Vector describes how the attacker reaches the vulnerable component: over the network (most dangerous), from an adjacent network such as the same Wi-Fi segment, locally on the machine, or through physical access. Attack Complexity reflects whether exploitation requires special conditions beyond the attacker's control, such as winning a race condition or defeating a mitigation like ASLR. Privileges Required indicates the level of privilege the attacker must already hold on the vulnerable component: none, low (an ordinary user account), or high (an administrator). User Interaction flags whether a victim must take an action (such as clicking a link).
On the impact side, Confidentiality, Integrity, and Availability each measure the degree of damage to that security property. A vulnerability that lets an attacker read all database records has High confidentiality impact. One that lets them modify data has High integrity impact. One that crashes the server has High availability impact. The Scope metric indicates whether a successful exploit affects components beyond the security authority of the vulnerable one; a sandbox escape or a virtual machine escape are the classic cases, and so is a cross-site scripting flaw, where the server-side bug does its damage inside the victim's browser.
Example: scoring a SQL Injection step by step
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
This SQL Injection scores 9.8 because it checks every worst-case box: network-accessible, low complexity, no privileges needed, no user interaction required, and full impact on confidentiality, integrity, and availability. Step by step: the four exploitability metrics multiply out to an exploitability sub-score of 3.9 (the maximum), the three High impact metrics give an impact sub-score of 5.9, and with Scope unchanged the base score is the sum of the two, 9.76, rounded up to one decimal: 9.8. An attacker sitting anywhere on the internet can dump the entire database, modify records, or destroy data.
Real-world scoring examples
Understanding the theory is one thing. Seeing how different vulnerability types score in practice makes the framework concrete. Here are three common findings from penetration tests, each with a different severity level.
SQL Injection (Critical, 9.8)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitable over the network with no authentication. The attacker can read, modify, and delete all database contents. No user interaction required. This is the textbook maximum-severity web vulnerability.
Cross-Site Scripting (Medium, 6.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-accessible and no authentication needed, but it requires user interaction (the victim must click a crafted link). The scope changes because the script executes in the victim's browser, not on the server. Confidentiality and integrity impact are both low because the attacker can steal session data or modify displayed content, but cannot directly access the backend.
Missing security header (Low, 3.7)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-accessible but high attack complexity: the attacker needs a man-in-the-middle position on the victim's network. Only confidentiality is impacted (the attacker can intercept traffic), and the impact is low because the exposure window is brief. No integrity or availability impact.
CVSS scores comparison
Notice how the scores directly reflect exploitability and impact. The SQL injection is trivial to exploit and has maximum impact. The XSS requires victim interaction and has limited impact. The missing header requires a specific network position and has minimal impact. CVSS captures these differences mathematically.
CVSS v4.0: what changed
CVSS v4.0, published by FIRST in November 2023, is the most significant update to the framework since v3.0. It addresses several long-standing criticisms and introduces new capabilities designed for modern infrastructure.
The most visible change is the introduction of multiple scoring outputs. Instead of a single base score, CVSS v4.0 defines four nomenclatures that state which metric groups went into the number:
- CVSS-B: Base metrics only
- CVSS-BT: Base and Threat metrics
- CVSS-BE: Base and Environmental metrics
- CVSS-BTE: Base, Threat, and Environmental metrics
Version 4.0 also adds a new Supplemental metric group. These metrics never change the numerical score; they carry context that helps organizations prioritize: Safety (can exploitation cause physical harm?), Automatable (can an attacker automate the exploit across many targets?), Recovery (does the system recover automatically, only with user intervention, or not at all?), Value Density (is the vulnerable system a low-value endpoint or a resource-rich one such as a database server?), Vulnerability Response Effort (how much work is the fix?), and Provider Urgency (how urgent does the vendor consider it?).
On the base metrics, v4.0 keeps Attack Complexity and adds a separate Attack Requirements (AT) metric for preconditions on the target side, such as a race condition that must be won or a specific configuration, as distinct from attacker-side work such as defeating ASLR. User Interaction gains a middle value and now reads None, Passive (the victim performs a normal action such as opening a page) or Active (the victim must do something specific). The Scope metric is gone; in its place the impact metrics are split into Vulnerable System (VC, VI, VA) and Subsequent System (SC, SI, SA) confidentiality, integrity and availability, which scores flaws that cross security boundaries more precisely. The Temporal group is renamed Threat and reduced to a single metric, Exploit Maturity (E); Remediation Level and Report Confidence are dropped. Finally, the score is no longer produced by a formula: each vector maps to one of a fixed set of equivalence classes (MacroVectors) whose scores come from a lookup table published with the specification, which is why v4.0 scores are best obtained from the official calculator rather than re-derived by hand.
CVSS v3.1 vs v4.0 metric count
The key takeaway: CVSS v4.0 gives organizations more tools to produce context-aware severity ratings. A single base score is still available for quick triage, but teams that invest in environmental and threat metrics get significantly more accurate prioritization.
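Because v4.0 vectors carry up to four metric groups, anything that ingests them (an advisory feed, a ticketing integration) needs to validate the string and work out which nomenclature the attached score belongs to. The following validator is an added example for this article, not code from FIRST or Recon0x. The metric names and permitted values are taken from the v4.0 specification; the `describe` helper and the sample vectors are this example's own. It deliberately does not compute the numerical score, since that requires the MacroVector lookup table.

```python
# CVSS v4.0 metric groups and their permitted values, from the FIRST v4.0 specification.
V4_METRICS = {
    "base": {
        "AV": ("N", "A", "L", "P"), "AC": ("L", "H"), "AT": ("N", "P"),
        "PR": ("N", "L", "H"), "UI": ("N", "P", "A"),
        "VC": ("H", "L", "N"), "VI": ("H", "L", "N"), "VA": ("H", "L", "N"),
        "SC": ("H", "L", "N"), "SI": ("H", "L", "N"), "SA": ("H", "L", "N"),
    },
    "threat": {"E": ("X", "A", "P", "U")},
    "environmental": {
        "CR": ("X", "H", "M", "L"), "IR": ("X", "H", "M", "L"), "AR": ("X", "H", "M", "L"),
        "MAV": ("X", "N", "A", "L", "P"), "MAC": ("X", "L", "H"), "MAT": ("X", "N", "P"),
        "MPR": ("X", "N", "L", "H"), "MUI": ("X", "N", "P", "A"),
        "MVC": ("X", "H", "L", "N"), "MVI": ("X", "H", "L", "N"), "MVA": ("X", "H", "L", "N"),
        "MSC": ("X", "H", "L", "N"),
        # Modified Subsequent Integrity/Availability may also be "S" (Safety).
        "MSI": ("X", "S", "H", "L", "N"), "MSA": ("X", "S", "H", "L", "N"),
    },
    "supplemental": {
        "S": ("X", "N", "P"), "AU": ("X", "N", "Y"), "R": ("X", "A", "U", "I"),
        "V": ("X", "D", "C"), "RE": ("X", "L", "M", "H"),
        "U": ("X", "Clear", "Green", "Amber", "Red"),
    },
}
GROUP_OF = {name: group for group, metrics in V4_METRICS.items() for name in metrics}


def parse_v4(vector):
    """Validate a CVSS v4.0 vector string and return {metric: value}."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector: %r" % prefix)
    metrics = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name in metrics:
            raise ValueError("malformed or duplicate metric: %r" % part)
        group = GROUP_OF.get(name)
        if group is None or value not in V4_METRICS[group][name]:
            raise ValueError("unknown metric or value: %r" % part)
        metrics[name] = value
    missing = [m for m in V4_METRICS["base"] if m not in metrics]
    if missing:
        raise ValueError("missing base metrics: %s" % ", ".join(missing))
    return metrics


def nomenclature(metrics):
    """CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE, depending on which groups carry a real value.

    "X" (Not Defined) is the default for every non-base metric, so a vector that only
    lists X values is still a plain CVSS-B score.
    """
    threat = metrics.get("E", "X") != "X"
    environmental = any(metrics.get(m, "X") != "X" for m in V4_METRICS["environmental"])
    return "CVSS-B" + ("T" if threat else "") + ("E" if environmental else "")


def supplemental(metrics):
    """Supplemental metrics present in the vector. They never change the score."""
    return {m: v for m, v in metrics.items() if GROUP_OF[m] == "supplemental" and v != "X"}


def describe(vector):
    """Summary an ingestion pipeline would attach to a finding (this example's own helper)."""
    m = parse_v4(vector)
    return {
        "nomenclature": nomenclature(m),
        "supplemental": supplemental(m),
        # True when the flaw reaches beyond the vulnerable system (the old Scope: Changed idea).
        "subsequent_impact": any(m[k] != "N" for k in ("SC", "SI", "SA")),
    }


if __name__ == "__main__":
    # Constructed sample vectors for a network-reachable, unauthenticated RCE.
    base = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
    for v in (base, base + "/E:A", base + "/E:A/CR:H/MAV:A", base + "/AU:Y/R:U/U:Red"):
        print(v, "->", describe(v))
```

A useful side effect of validating against the full value table is that vectors pasted from v3.1 reports (which have no AT, VC or SC metrics) are rejected at the door instead of being silently misread.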
Common mistakes when using CVSS
CVSS is a powerful tool, but it is frequently misused. Here are the four most common mistakes security teams make when working with CVSS scores.
1. Using CVSS as the only prioritization method
CVSS measures intrinsic severity, not business risk. A CVSS 9.8 vulnerability in a test environment with no real data is less urgent than a CVSS 6.5 flaw in your production payment system. CVSS should be one input among several: asset criticality, exposure, exploit availability, and business impact all matter.
2. Ignoring environmental and temporal metrics
Most organizations only look at the base score. But a vulnerability with no known exploit in the wild (a lower temporal score in v3.1, or Threat score in v4.0) is less urgent than one with a public Metasploit module. Similarly, if your infrastructure already has compensating controls, or the affected data matters little to you, the environmental score may be significantly lower than the base score. Ignoring these dimensions leads to incorrect prioritization.
3. Not adjusting for business context
Two applications can have the same vulnerability with the same CVSS score, but vastly different real-world risk. A SQL injection on an internal tool used by five people is different from the same flaw on a public-facing e-commerce platform processing millions in transactions. CVSS does not capture this; your triage process must.
4. Treating all "Critical" equally
Not all critical-rated vulnerabilities carry the same risk. A CVSS 9.8 remote code execution with a public exploit is far more dangerous than a CVSS 9.1 data-exposure flaw for which no working exploit has been published. The numerical score matters, the vector string matters, and the real-world context matters. Read the full vector, not just the label.
The best security teams use CVSS as a starting point, then layer on asset value, exposure surface, threat intelligence, and business impact to create a risk-adjusted priority list. CVSS tells you how bad a vulnerability could be. Context tells you how bad it actually is for your organization.
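Here is what that layering looks like in code. It is an added example for this article, not Recon0x's triage logic. The temporal weights and the temporal formula (base times exploit maturity, remediation level and report confidence, rounded up) are the ones defined in CVSS v3.1; the asset-criticality weights, the `Finding` record and the sample findings are this example's own constructed assumptions, standing in for the business context a real program would define for itself.

```python
import math
from dataclasses import dataclass

# CVSS v3.1 Temporal metric weights (section 7.2 of the specification).
# "X" (Not Defined) is neutral, so an unstated metric leaves the score unchanged.
TEMPORAL_WEIGHTS = {
    "E": {"X": 1.0, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0},   # Exploit Code Maturity
    "RL": {"X": 1.0, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0},  # Remediation Level
    "RC": {"X": 1.0, "U": 0.92, "R": 0.96, "C": 1.0},             # Report Confidence
}

# Hypothetical asset-criticality weights. These are NOT part of CVSS; they model the
# business-context layer described in the article, and every program should set its own.
ASSET_WEIGHT = {"production-payment": 1.0, "production": 0.8, "internal": 0.5, "test": 0.2}


@dataclass
class Finding:
    title: str
    base: float      # CVSS v3.1 base score from the scanner or pentest report
    temporal: str    # temporal metrics only, e.g. "E:P/RL:O/RC:C" ("" if nothing is known)
    asset: str       # key into ASSET_WEIGHT


def roundup(value):
    """CVSS v3.1 Appendix A round-up to one decimal, computed on a scaled integer."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def temporal_score(base, temporal):
    """Temporal score = Roundup(Base * ExploitCodeMaturity * RemediationLevel * ReportConfidence)."""
    given = dict(part.split(":", 1) for part in temporal.split("/") if part)
    multiplier = 1.0
    for metric, weights in TEMPORAL_WEIGHTS.items():
        value = given.get(metric, "X")
        if value not in weights:
            raise ValueError("invalid %s value %r" % (metric, value))
        multiplier *= weights[value]
    return roundup(base * multiplier)


def risk_priority(finding):
    """Temporal score scaled by asset criticality; higher means fix sooner (this example's own rule)."""
    return round(temporal_score(finding.base, finding.temporal) * ASSET_WEIGHT[finding.asset], 1)


def prioritize(findings):
    return sorted(findings, key=risk_priority, reverse=True)


# Constructed sample findings, chosen so that sorting by base score alone gets the order wrong.
SAMPLE = [
    Finding("SQL injection in staging copy with synthetic data", 9.8, "E:U/RL:O/RC:C", "test"),
    Finding("Broken object-level authorization in checkout API", 6.5, "E:H/RL:U/RC:C", "production-payment"),
    Finding("Reflected XSS on marketing site", 6.1, "E:P/RL:O/RC:C", "production"),
    Finding("Deserialization RCE with public Metasploit module", 9.8, "E:H/RL:U/RC:C", "production"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print("priority=%4.1f  base=%.1f  temporal=%.1f  %s"
              % (risk_priority(f), f.base, temporal_score(f.base, f.temporal), f.title))
```

With these inputs the 9.8 in the staging environment drops to the bottom of the list while the 6.5 in the payment API rises to second place, which is exactly the reordering the first and third mistakes above describe. The multiplier is a deliberately simple stand-in: the point is that the CVSS score enters the ranking as one factor and never leaves the list on its own.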
How Recon0x reports severity
At Recon0x, we use CVSS base scores as the foundation for every finding, but we never stop there. Each vulnerability in our reports includes four key data points: the CVSS numerical score, the severity label (Critical, High, Medium, Low, Info), the CWE identifier linking to the specific weakness category, and a real impact assessment written in plain language that explains what the vulnerability means for your business.
This approach bridges the gap between technical severity and business risk. A CVSS 7.5 finding might be labeled "High" in generic scanners, but our assessment explains whether it affects customer data, enables lateral movement, or exposes API keys. Context transforms a number into a decision.
Severity distribution across 500+ findings
Our distribution shows that 8% of findings are Critical and 22% are High. That means roughly one in three findings requires immediate attention. Medium-severity issues make up the largest category at 38%, often representing vulnerabilities that become critical when chained together. Low and informational findings still appear in reports because they provide defense-in-depth recommendations and help teams understand their full attack surface.
Every Recon0x report is structured so that executives see severity labels and business impact up front, while developers get the CVSS vector, CWE reference, proof-of-concept exploit, and step-by-step remediation guidance. One report, two audiences, zero ambiguity.
Sources
- FIRST CVSS v4.0 Specification (first.org/cvss/v4.0)
- National Vulnerability Database, NIST (nvd.nist.gov)
- OWASP Risk Rating Methodology (owasp.org)
- FIRST CVSS v3.1 User Guide (first.org/cvss/v3.1/user-guide)
- Recon0x internal data, 500+ findings across all engagements