Skip to content
You can now search across every topic, entity and event.What's new
Common Vulnerability Scoring System
Technology

Common Vulnerability Scoring System

CVSS v4.0: the industry standard numerical scoring framework for rating the severity of software vulnerabilities, from 0.0 (none) to 10.0 (critical).

Last refreshed: 7 June 2026 · Appears in 1 active topic

Key Question

Is a CVSS 7.5 in active exploitation more dangerous than a 9.8 that is not?

Timeline for Common Vulnerability Scoring System

#63 Jun

Mentioned in: Magento RCE forces 9-day patch race

Cybersecurity: Threats and Defences
#414 May

Mentioned in: UAT-8616 keeps Cisco SD-WAN under fire

Cybersecurity: Threats and Defences
#17 Apr
#128 Mar

Mentioned in: F5 reclassifies DoS bug to 9.8 RCE

Cybersecurity: Threats and Defences
View full timeline →
Common Questions
What is the CVSS score system and how does it work?
CVSS (Common Vulnerability Scoring System) is a standard framework for rating software vulnerability severity on a scale of 0 to 10. CVSS v4.0 is the current version, used by NIST's National Vulnerability Database and CISA to classify vulnerabilities for patch prioritisation.Source: FIRST / NIST
Can CVSS scores change after a vulnerability is disclosed?
Yes. Vendors can reclassify vulnerabilities after initial disclosure if exploitation evidence changes the assessed risk. F5's CVE-2025-53521 was reclassified from medium DoS to CVSS 9.8 RCE in March 2026 after active exploitation was confirmed.Source: F5 / CISA
Is a high CVSS score enough to decide which patches to apply first?
No. CVSS base scores reflect theoretical attack surface at disclosure. In the June 2026 KEV batch, WebLogic CVE-2024-21182 scored only 7.5 but was actively delivering ransomware payloads, while Magento CVE-2026-45247 scored 9.8. A lower-scored flaw in active criminal exploitation is operationally more urgent than a high-scored one not yet weaponised. Patch teams must combine CVSS with KEV membership and live exploitation data.Source: CISA KEV

Background

The Common Vulnerability Scoring System (CVSS) is the standard framework used by CISA, NCSC, NVD and vendors to assign numerical severity scores to software vulnerabilities. CVE-2026-3055 (CitrixBleed 3) was scored CVSS v4.0 9.3 at disclosure, while CVE-2025-53521 in F5 BIG-IP APM was initially rated medium severity and reclassified to CVSS v3.1 9.8 after active exploitation was confirmed. The reclassification pattern reveals a structural weakness: CVSS scores are assigned at disclosure, but exploitation patterns can change the operational risk profile after release.

CVSS v4.0, the current version, was published by FIRST (Forum of Incident Response and Security Teams) in 2023. It replaced v3.1 as the primary scoring base for NVD enrichment in the US government's vulnerability management ecosystem. The score comprises base, threat and environmental metrics; vendor advisories typically publish only the base score, while CISA's KEV additions reflect a threat-metric assessment of active exploitation.

The June 2026 KEV batch sharpened the score-versus-risk gap in a different direction: CVE-2026-45247 (Magento, CVSS 9.8) required no login, drew the tightest federal Deadline (6 June) and the loudest coverage, while CVE-2024-21182 (Oracle WebLogic, CVSS 7.5) was silently delivering Cobalt Strike beacons and Sodinokibi ransomware via honeypot-observed payloads before appearing on KEV. A 7.5 in production exploitation is operationally more dangerous than a 9.8 not yet weaponised at scale; the CVSS base score reflects the theoretical attack surface, not active threat actor prioritisation. For enterprise patch prioritisation, CVSS scores are an essential input but not a complete picture. Security teams using CVSS as their only triage signal are systematically under-weighting vulnerabilities whose exploitation class changes after initial assessment or whose lower scores mask active criminal campaigns.

More questions
What is the difference between CVSS v3.1 and CVSS v4.0?
CVSS v4.0, published by FIRST in 2023, replaced v3.1 with an expanded metric set covering base, threat and environmental scores. NVD now uses v4.0 as its primary scoring base. Vendor advisories often still publish only the base score, omitting the threat metrics that reflect real-world exploitation conditions.Source: FIRST
Why do security teams not just patch the highest CVSS scores first?
CVSS scores are assigned at disclosure from theoretical analysis and can understate risk. A vendor may not know the true exploitation class until attackers demonstrate it, as happened with F5 CVE-2025-53521 (reclassified to 9.8 RCE months after a medium DoS initial rating). CISA KEV membership and active threat-feed data are required alongside CVSS to produce accurate prioritisation.Source: CISA / F5