What is CVSS (Common Vulnerability Scoring System)?
A standard for rating the severity of software vulnerabilities on a 0.0 – 10.0 numeric scale.
Full explanation
CVSS is maintained by FIRST (Forum of Incident Response and Security Teams). Version 3.1 is the most common in 2026; v4.0 is emerging. The score combines Base (intrinsic characteristics), Temporal (changes over time), and Environmental (per-deployment adjustments) metrics. Critical = 9.0–10.0, High = 7.0–8.9, Medium = 4.0–6.9, Low = 0.1–3.9.
Example
CVE-2025-29927 (Next.js middleware bypass) has CVSS 9.1 — Critical. CVE-2024-4068 (braces ReDoS) has CVSS 5.3 — Medium.
FAQ
Is CVSS the whole picture?
No. CVSS is severity, not exploitability or prevalence. EPSS (Exploit Prediction Scoring System) complements CVSS with likelihood data.