CVSS — Common Vulnerability Scoring System
CVSS (Common Vulnerability Scoring System) is a standard for rating the severity of a security vulnerability as a number from 0.0 to 10.0, where 10.0 is the worst possible. The score is derived from a fixed set of metrics: how the vulnerability is reached (over the network or only locally), how hard it is to exploit, how much privilege the attacker needs, whether a user has to do anything, and how badly confidentiality, integrity and availability are affected.
What the scores mean
- Critical (9.0–10.0) — typically exploitable over the network with no privileges and no user interaction, with high impact on confidentiality, integrity and availability. Log4Shell (CVE-2021-44228) is 10.0. These need immediate attention.
- High (7.0–8.9) — serious, but with at least one factor holding the score down: the attacker may need some privilege or user interaction, exploitation may be complex, or the impact may be limited to one of confidentiality, integrity or availability. Still urgent.
- Medium (4.0–6.9) — real risk but limited scope. Usually requires specific conditions, such as local access or a low-impact outcome. Fix on your normal patch cycle.
- Low (0.1–3.9) — minimal risk. Hard to exploit in practice, or the impact is negligible. Fix when convenient. (A score of exactly 0.0 is rated None.)
What goes into a CVSS score
In CVSS v3.x, which is what this page describes, the score is built from three metric groups (v4.0 keeps the same 0–10 scale and severity ratings but restructures the groups):
- Base metrics — intrinsic properties of the vulnerability: attack vector (network, adjacent, local or physical), attack complexity, privileges required, user interaction required, whether exploitation reaches beyond the vulnerable component (scope), and impact on confidentiality, integrity and availability
- Temporal metrics — how the picture changes over time: whether working exploit code exists, whether an official fix is available, and how well the report has been confirmed
- Environmental metrics — how the score applies to your specific environment: which base metrics are different in your deployment, and how much confidentiality, integrity and availability matter for the affected asset
Most tools only show the Base score, which is also what NVD publishes. A CVSS 9.8 means: network-accessible, low attack complexity, no privileges needed, no user interaction, high impact on confidentiality, integrity and availability, with scope unchanged. The same vector with Scope: Changed (the vulnerable component lets the attacker affect other components, as in Log4Shell) scores 10.0. That's about as bad as it gets.
The problem with only looking at CVSS
Not all High severity CVEs are equal in practice. A High CVE in a package you use in a code path that handles untrusted network input is far more dangerous than a High CVE in a package you only use in a build script. The Base score describes the vulnerability in isolation; it doesn't know your specific usage. The Environmental metrics exist to capture exactly that, but in practice almost no tool populates them.
CISA KEV (Known Exploited Vulnerabilities) is a stronger signal for prioritization: it lists only vulnerabilities with evidence of active exploitation in the real world, regardless of CVSS score. A 5.5 that appears in KEV generally deserves attention before a 9.8 that nobody is exploiting.
Check your dependencies for CVEs, CISA KEV entries, and supply chain risks.