Blog

June 18, 2025

Common Vulnerability Scoring System: What Is CVSS in Cybersecurity?

Stuart Foster
Stuart Foster

Security & Compliance,

Software Quality

Common Vulnerability Scoring System (CVSS) and the National Vulnerability Database (NVD database) help you to properly assess which software vulnerabilities should be your top priority.

Here, we explain what is the National Vulnerability Database (NVD), what is the Common Vulnerability Scoring System, and how CVSS is used to calculate risk.

Read along or jump to the section that interests you the most:

Table of Contents

  1. What Is NVD (NVD Database)?
  2. What Is CVSS in Cyber Security?
  3. What Are Common Vulnerability Scoring System (CVSS) Metrics?
  4. Can CVSS Be Used to Assess AI-Related Vulnerabilities? 
  5. How SAST Scans for CVSS Threats 

➡️ Efficiently Identify High-Risk Vulnerabilities

Back to top

What Is NVD (NVD Database)?

The National Vulnerability Database (NVD) database is the U.S. government repository of standards-based vulnerability management data.

The National Vulnerability Database is synchronized with the CVE list and provides additional content, including how to fix vulnerabilities, severity scores, and impact ratings. In order to calculate the severity scores of CVE vulnerabilities, the Common Vulnerability Scoring System (CVSS) must be used.

The nonprofit organization MITRE, sponsored by the U.S. Department of Homeland Security, maintains the CVE program (for now). 

Back to top

What Is CVSS in Cyber Security?

The Common Vulnerability Scoring System (CVSS) is an open industry standard for assessing the severity of software vulnerabilities.

What Is a CVSS Score? CVSS Score Explained

For each vulnerability, the CVSS standard assigns a severity score from 0.0 (the lowest amount of risk) to 10.0 (the highest amount of risk), which enables you to more effectively prioritize remediation of vulnerabilities. A SAST tool, like Perforce Klocwork, can automate this process by quickly identifying and analyzing CVSS vulnerabilities and prioritize severity.

CVSS v3.0 Ratings 
SeverityBase Score Range
None0.0
Low0.1 – 3.9
Medium4.0 – 6.9
High7.0 – 8.9
Critical9.0 – 10.0

To calculate the base score, you need to input CVSS metrics into the NVD CVSS Calculator. For detailed guidance on how to use the calculator, be sure to refer to the CVSS standards guide.

There are hundreds of vulnerabilities on the CVE list. You can check CISA for the latest top routinely exploited vulnerabilities and their CVSS scores. 

Back to top

What Are Common Vulnerability Scoring System (CVSS) Metrics?

Common Vulnerability Scoring System (CVSS) is made up of three groups of metrics: base, temporal, and environmental. Each group evaluates different aspects of a vulnerability. 

Base Metrics for CVSS

Base metrics for CVSS are divided into two groups: exploitability and impact.

Exploitability Metrics for CVSS

Exploitability metrics for CVSS refer to the characteristics of the piece of software or product that make it vulnerable.

  • Attack Vector — Shows how a vulnerability may be exploited.
  • Attack Complexity — Refers to how easy or difficult it is to exploit the discovered vulnerability.
  • Authentication — Refers to the number of times that an attacker must authenticate to a target to exploit it.
  • User Interaction (UI) — Refers to the requirement for a human user — other than the attacker — to participate in the successful compromise of the vulnerable component.
  • Privileges Required (PR) — Refers to the level of privileges an attacker must possess before successfully exploiting the vulnerability.

Impact Metrics for CVSS

Impact metrics for CVSS deal with the worst-case scenario if the piece of software or product were to be attacked and the effects of a successfully exploited vulnerability.

  • Confidentiality — Refers to the impact on the confidentiality of data processed by the system.
  • Integrity — Refers to the impact on the integrity of the exploited system.
  • Availability — Refers to the impact on the availability of the target system.

Temporal Metrics for CVSS

Unlike the other CVSS metrics, the value of temporal metrics for CVSS changes over the lifetime of the vulnerability. This is due to exploits being developed, disclosed, and automated along with mitigations and fixes being made available.

  • Exploitability — Refers to the current state of exploitation techniques or automated exploitation code.
  • Remediation Level — Refers to the amount of mitigations and official fixes that are available to decrease the number of vulnerabilities.
  • Report Confidence — Refers to the level of confidence in the existence of the vulnerability and the credibility of the technical details for the vulnerability.

Environmental Metrics for CVSS

The environmental metrics for CVSS use the base metrics score and the temporal metrics score to assess the severity of a vulnerability to the piece of software or product that is currently in development.

  • Collateral Damage Potential — Measures the potential loss or impact on either physical assets — such as equipment, hardware, and users — or the financial impact, if the vulnerability is exploited.
  • Target Distribution — Measures the proportion of vulnerable systems.
  • Impact Subscore Modifier — Measures the specific security requirements for confidentiality, integrity, and availability. This metric enables you to customize the environmental score based upon your environment.
Back to top

Can CVSS Be Used to Assess AI-Related Vulnerabilities? 

The rise of AI systems introduces a new wave of security challenges that traditional approaches may not fully address, CVSS included, especially when it comes to more nuanced, human issues like bias, inference, or ethical and societal impact. The good news is CVSS can still be applied to cybersecurity vulnerabilities often found in AI applications.

At its core, CVSS evaluates vulnerabilities based on criteria such as exploitability, impact, and environmental factors. These principles can still provide valuable insights for AI-related security issues such as: 

  • Data Poisoning Attacks: A data poisoning attack involves an adversary injecting malicious or misleading data into an AI system's training dataset, compromising its outputs. CVSS can be adapted to assess the exploitability and impact of such attacks. For example, if an image recognition algorithm for autonomous vehicles is poisoned to misclassify stop signs, the potential for a road accident could lead to a higher CVSS score.
  • Adversarial Attacks: Adversarial attacks involve adding subtle modifications to input data to mislead AI models, causing incorrect outputs. CVSS could gauge the attack vector and impact metrics like confidentiality or availability threats.
  • Model Theft and Reverse Engineering: Stealing a machine learning model can enable attackers to replicate proprietary technology or exploit related weaknesses. CVSS evaluates metrics like user interaction and environmental factors. 
Back to top

How SAST Scans for CVSS Threats 

A SAST tool, like Klocwork, is the best way to ensure that your code is secure. SAST tools identify and eliminate CVSS vulnerabilities and software defects early on in development. That helps to ensure that your software is secure, reliable, and compliant.

Klocwork helps you:

  • Identify and analyze security risks and prioritize severity.
  • Fulfill compliance standard requirements.
  • Apply and enforce coding standards, including CWE, CERT C/CERT C++, and OWASP/OWASP Top 10.
  • Verify and validate through testing.
  • Achieve compliance and get certified faster.
📕 Related Content: Visit the SAST tutorial for additional resources.

 

Use Klocwork to Ensure Software Security

See for yourself how Klocwork can help you enforce software security standards, register for a free trial.

➡️ Register for Klocwork Free Trial

Back to top