
Common Vulnerability Scoring System

CVSS v4.0: the industry standard numerical scoring framework for rating the severity of software vulnerabilities, from 0.0 (none) to 10.0 (critical).

Last refreshed: 17 April 2026

Key Question

Can you trust a CVSS score when F5's vulnerability went from medium to 9.8 overnight?

Timeline for Common Vulnerability Scoring System

- #1, 17 Apr: Mentioned in "CitrixBleed 3 lands on SAML broker" (Cybersecurity: Threats and Defences)
- #1, 17 Apr: Mentioned in "F5 reclassifies DoS bug to 9.8 RCE" (Cybersecurity: Threats and Defences)
Common Questions
What is the CVSS score system and how does it work?
CVSS (Common Vulnerability Scoring System) is a standard framework for rating software vulnerability severity on a scale of 0 to 10. CVSS v4.0 is the current version, used by NIST's National Vulnerability Database and CISA to classify vulnerabilities for patch prioritisation. (Source: FIRST / NIST)
Can CVSS scores change after a vulnerability is disclosed?
Yes. Vendors can reclassify vulnerabilities after initial disclosure if exploitation evidence changes the assessed risk. F5's CVE-2025-53521 was reclassified from medium DoS to CVSS 9.8 RCE in March 2026 after active exploitation was confirmed. (Source: F5 / CISA)

Background

The Common Vulnerability Scoring System (CVSS) is the standard framework used by CISA, NCSC, NVD and vendors to assign numerical severity scores to software vulnerabilities. CVE-2026-3055 (CitrixBleed 3) was scored CVSS v4.0 9.3 at disclosure, while CVE-2025-53521 in F5 BIG-IP APM was initially rated medium severity and reclassified to CVSS v3.1 9.8 after active exploitation was confirmed. The reclassification pattern reveals a structural weakness: CVSS scores are assigned from analysis at disclosure, but exploitation patterns can change the operational risk profile after release.

CVSS v4.0, the current version, was published by FIRST (Forum of Incident Response and Security Teams) in 2023. It replaced v3.1 as the primary scoring base for NVD enrichment in the US government's vulnerability management ecosystem. The score comprises base, threat and environmental metrics; vendor advisories typically publish only the base score, while CISA's KEV additions reflect a threat-metric assessment of active exploitation.

For enterprise patch prioritisation, CVSS scores are an input but not a complete picture. The F5 case in this update illustrates why: a DoS bug initially scored medium was in production exploitation as an RCE before the reclassification arrived. Security teams using CVSS as their only triage signal are systematically under-weighting vulnerabilities whose exploitation class changes after initial assessment.