The Common Vulnerability Scoring System (CVSS) is the industry standard for communicating the severity of security vulnerabilities. Yet many security teams misapply CVSS scores — treating them as absolute risk ratings rather than the contextual tools they are.
### Base Score

Reflects the intrinsic characteristics of a vulnerability — independent of time or environment. Ranges from 0.0 to 10.0.

### Temporal Score

Adjusts the base score for factors that change over time.

### Environmental Score

Adjusts for your specific environment.
### Base Metrics

| Metric | What it measures |
|---|---|
| Attack Vector | Network, Adjacent, Local, or Physical |
| Attack Complexity | Low or High |
| Privileges Required | None, Low, or High |
| User Interaction | None or Required |
| Scope | Unchanged or Changed |
| Confidentiality Impact | None, Low, or High |
| Integrity Impact | None, Low, or High |
| Availability Impact | None, Low, or High |
### Mistake 1: Treating CVSS as absolute risk

A CVSS 9.8 vulnerability on an isolated internal system with no network exposure may be lower priority than a CVSS 6.5 vulnerability on an internet-facing authentication service.

### Mistake 2: Ignoring the Environmental Score

Always calculate the Environmental Score for your context. A vulnerability affecting a system you don't use is irrelevant regardless of its Base Score.
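As an added example (not the article's or the Cyber121 calculator's code), the following Python implements the CVSS v3.1 Base and Environmental formulas over the metrics in the table above and reproduces the Mistake 1 scenario: once the environment is taken into account, the 9.8 on an isolated host scores below the 6.5 on an internet-facing service. The two vectors, the Modified Attack Vector and the CR/IR/AR ratings are constructed for illustration, and Temporal metrics are assumed Not Defined (weight 1.0).

```python
import math
# CVSS v3.1 metric weights (values from the FIRST v3.1 specification).
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},      # Scope Unchanged
    "PR_C": {"N": 0.85, "L": 0.68, "H": 0.5},     # Scope Changed
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "REQ": {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0},  # CR / IR / AR
}

def roundup(x):
    """CVSS v3.1 Roundup to one decimal, avoiding floating-point artefacts."""
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10

def parse(vector):
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}"""
    head, *parts = vector.split("/")
    assert head == "CVSS:3.1", "only v3.1 vectors are handled here"
    return dict(p.split(":") for p in parts)

def _score(m, env, cr="X", ir="X", ar="X"):
    changed = m["S"] == "C"
    pr = (W["PR_C"] if changed else W["PR"])[m["PR"]]
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * pr * W["UI"][m["UI"]]
    c, i, a = (W["CIA"][m[k]] for k in "CIA")
    if env:  # Modified ISS: C/I/A weighted by the requirements, capped at 0.915
        iss = min(1 - (1 - W["REQ"][cr] * c) * (1 - W["REQ"][ir] * i) * (1 - W["REQ"][ar] * a), 0.915)
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13 if changed else 6.42 * iss
    else:
        iss = 1 - (1 - c) * (1 - i) * (1 - a)
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def base_score(vector):
    return _score(parse(vector), env=False)
def environmental_score(vector, modified=None, cr="X", ir="X", ar="X"):
    """Base metrics overridden by the Modified (M*) ones, C/I/A weighted by
    CR/IR/AR. Temporal metrics are assumed Not Defined (weight 1.0)."""
    return _score({**parse(vector), **(modified or {})}, True, cr, ir, ar)

# Constructed Mistake 1 scenario: a 9.8 on an isolated host (local access only, low requirements) vs a 6.5 on an exposed auth service.
ISOLATED = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
EXPOSED = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
print(base_score(ISOLATED), environmental_score(ISOLATED, {"AV": "L"}, "L", "L", "L"))  # 9.8 6.6
print(base_score(EXPOSED), environmental_score(EXPOSED, cr="H", ir="H"))               # 6.5 7.5
```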
Use the Cyber121 CVSS Calculator to compute Base, Temporal, and Environmental scores interactively. Select each metric and see the score update in real time with the full vector string.
Cloud security architect and AWS Certified Security Specialist. Passionate about making cloud security accessible.