
Common Vulnerability Scoring System
CVSS v4.0: the industry standard numerical scoring framework for rating the severity of software vulnerabilities, from 0.0 (none) to 10.0 (critical).
Last refreshed: 7 June 2026 · Appears in 1 active topic
Is a CVSS 7.5 in active exploitation more dangerous than a 9.8 that is not?
Timeline for Common Vulnerability Scoring System
Mentioned in: Magento RCE forces 9-day patch race
Cybersecurity: Threats and DefencesMentioned in: UAT-8616 keeps Cisco SD-WAN under fire
Cybersecurity: Threats and DefencesMentioned in: CISA deadline for PAN-OS RCE lands four days early
Cybersecurity: Threats and DefencesMentioned in: Trump proposes $707m CISA cut, 860 jobs
Cybersecurity: Threats and DefencesMentioned in: F5 reclassifies DoS bug to 9.8 RCE
Cybersecurity: Threats and DefencesWhat is the CVSS score system and how does it work?
Can CVSS scores change after a vulnerability is disclosed?
Is a high CVSS score enough to decide which patches to apply first?
Background
The Common Vulnerability Scoring System (CVSS) is the standard framework used by CISA, NCSC, NVD and vendors to assign numerical severity scores to software vulnerabilities. CVE-2026-3055 (CitrixBleed 3) was scored CVSS v4.0 9.3 at disclosure, while CVE-2025-53521 in F5 BIG-IP APM was initially rated medium severity and reclassified to CVSS v3.1 9.8 after active exploitation was confirmed. The reclassification pattern reveals a structural weakness: CVSS scores are assigned at disclosure, but exploitation patterns can change the operational risk profile after release.
CVSS v4.0, the current version, was published by FIRST (Forum of Incident Response and Security Teams) in 2023. It replaced v3.1 as the primary scoring base for NVD enrichment in the US government's vulnerability management ecosystem. The score comprises base, threat and environmental metrics; vendor advisories typically publish only the base score, while CISA's KEV additions reflect a threat-metric assessment of active exploitation.
The June 2026 KEV batch sharpened the score-versus-risk gap in a different direction: CVE-2026-45247 (Magento, CVSS 9.8) required no login, drew the tightest federal Deadline (6 June) and the loudest coverage, while CVE-2024-21182 (Oracle WebLogic, CVSS 7.5) was silently delivering Cobalt Strike beacons and Sodinokibi ransomware via honeypot-observed payloads before appearing on KEV. A 7.5 in production exploitation is operationally more dangerous than a 9.8 not yet weaponised at scale; the CVSS base score reflects the theoretical attack surface, not active threat actor prioritisation. For enterprise patch prioritisation, CVSS scores are an essential input but not a complete picture. Security teams using CVSS as their only triage signal are systematically under-weighting vulnerabilities whose exploitation class changes after initial assessment or whose lower scores mask active criminal campaigns.