CVEDigest

CVSS scores explained for non-experts (0.0 to 10.0)

By Editorial team · 2026-06-14

In short: CVSS (Common Vulnerability Scoring System) rates a vulnerability's severity from 0.0 to 10.0. Under CVSS v3.x the bands are None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9) and Critical (9.0–10.0). The base score measures intrinsic severity — how reachable and impactful a flaw is — but it does not measure your actual risk, which also depends on exposure and whether the flaw is being exploited.

CVSS stands for the Common Vulnerability Scoring System. It is an open standard, maintained by FIRST (the Forum of Incident Response and Security Teams), that rates how severe a software vulnerability is on a scale from 0.0 to 10.0. If you have ever seen a vulnerability described as “CVSS 9.8 Critical,” that number came from CVSS.

For the official severity bands at a glance, see our CVSS severity guide. This article explains what the number actually means and how not to misread it.

What do the CVSS severity bands mean?

CVSS v3.x maps the numeric score to a qualitative rating. These are the bands you will see most often:

Rating     Score range    Plain-English meaning
None       0.0            No measurable security impact; informational.
Low        0.1 – 3.9      Limited impact; often needs local access or unusual conditions.
Medium     4.0 – 6.9      Moderate impact, or harder-to-exploit conditions.
High       7.0 – 8.9      Serious impact; prioritize patching, especially if internet-facing.
Critical   9.0 – 10.0     Severe and easily exploited; treat as an emergency.

Source: FIRST CVSS v3.1 specification.

What goes into a CVSS base score?

The base score is the headline number, and it reflects the intrinsic characteristics of the flaw — properties that do not change regardless of where it is deployed. In CVSS v3.x, the base metrics fall into two groups:

Exploitability metrics — how easy is the flaw to use?

Impact metrics — what damage results?

A flaw scores highest (toward 10.0) when it is reachable over the network, easy to exploit, needs no privileges or user interaction, and fully compromises confidentiality, integrity, and availability. That combination is what produces the dreaded “9.8” and “10.0” Criticals.

Base, Temporal, and Environmental: the three metric groups

Most published scores are base scores, but CVSS actually defines three layers:

Metric group    Question it answers                                                            Changes over time / by org?
Base            How severe is the flaw intrinsically?                                          No — fixed properties of the vulnerability.
Temporal        Has this become more or less exploitable as exploit code and patches appear?   Yes — changes over time.
Environmental   How severe is it in my specific environment?                                   Yes — you tailor it to your systems.

Almost everyone uses the base score because it is what vendors and the NVD publish. But the environmental score is where CVSS becomes genuinely about your risk — it lets you downgrade a Critical that only affects a system you have isolated, or upgrade one that sits on a crown-jewel database.

Why a high CVSS score is not the same as high risk

This is the single most important thing to understand about CVSS, and it trips up even experienced teams.

The base score measures severity, not risk. Risk is severity combined with likelihood and exposure.

Real-world data backs this up: only a small fraction of all CVEs are ever exploited, and exploitation does not track neatly with severity. That is why mature programs do not patch strictly by CVSS. They combine it with exploitation evidence (KEV) and exploit-likelihood prediction (EPSS) — a method we walk through in patch prioritization: KEV + EPSS + CVSS.

CVSS v3.1 vs v4.0: which will I see?

CVSS v4.0 was released in 2023 and improves on v3.1 by refining metrics and adding supplemental ones for a more nuanced picture. However, adoption is gradual — many vulnerability feeds and tools still report v3.1 scores, and you will frequently see both for the same flaw. The practical rule: always check which version a score uses, because a “7.0” in v3.1 and a “7.0” in v4.0 are computed differently.

Key takeaways


Frequently asked questions

What CVSS score is considered critical?

Under CVSS v3.x, a base score of 9.0 to 10.0 is rated Critical, 7.0–8.9 is High, 4.0–6.9 is Medium, 0.1–3.9 is Low, and 0.0 is None.

Who created and maintains CVSS?

CVSS is an open standard maintained by FIRST (the Forum of Incident Response and Security Teams). It is free to use and the specification is publicly published.

Is a high CVSS score the same as high risk?

No. The base score measures intrinsic severity, not your risk. Whether the affected software runs in your environment, is exposed to untrusted networks, and is being actively exploited matters at least as much.

What is the difference between CVSS v3.1 and v4.0?

CVSS v4.0, released in 2023, refines the metric set, adds supplemental metrics, and changes how scores are computed to better reflect real-world impact. Many feeds still report v3.1 scores, so you will encounter both — always note which version a score uses.

Last updated: 2026-06-14