CVSS (Common Vulnerability Scoring System)
What Is CVSS (Common Vulnerability Scoring System)?
CVSS (Common Vulnerability Scoring System) is a standard scoring framework, maintained by FIRST, that produces a numerical severity score from 0.0 to 10.0 for a vulnerability (typically one identified by a CVE ID). The Base Score is derived from the vulnerability's intrinsic characteristics: attack vector, attack complexity, privileges required, user interaction, scope, and impact on confidentiality, integrity, and availability. Because every score is computed the same way from a published vector string, CVSS provides a consistent way to compare the theoretical danger of one vulnerability against another.
CVSS is the most widely adopted severity metric in vulnerability management. The National Vulnerability Database attaches a CVSS Base Score and vector string to the CVEs it analyzes, and most enterprise patching workflows use CVSS as a primary input for prioritization, typically treating scores of 7.0 and above (High: 7.0 to 8.9; Critical: 9.0 to 10.0 on the v3.x qualitative scale) as requiring expedited remediation. CVSS v3.1 remains the dominant version in production use; CVSS v4.0 was published in 2023 and adoption is gradually expanding.
CVSS measures theoretical severity, not real-world risk. A CVSS 9.8 vulnerability in an unreachable code path is less urgent than a CVSS 6.0 in actively running code. The Base Score deliberately ignores exploit availability and deployment context; CVSS offers Temporal (Threat in v4.0) and Environmental metric groups for that purpose, but in practice few organizations compute them, so the Base Score is the number that circulates. This is why modern vulnerability management combines CVSS with additional signals: KEV status (whether the vulnerability is being actively exploited), EPSS (the probability of near-term exploitation), and execution-aware reachability (whether the vulnerable code can actually be reached). CVSS answers "how bad could this be"; the other signals answer "should I act on it now."
NetRise enriches CVE findings with KEV, EPSS, and reachability context alongside CVSS — so security teams can prioritize against real exposure, not just theoretical severity.
Related Terms
CVE · CPE · Known Exploited Vulnerabilities · Exploit Prediction Scoring System · Execution-Aware Reachability · Vulnerability Management


