CVEDigest

CVSS severity scores explained

The Common Vulnerability Scoring System (CVSS) rates a vulnerability's severity from 0.0 to 10.0. Under CVSS v3.x the bands are: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9) and Critical (9.0–10.0). The base score reflects how the flaw is reached, how hard it is to exploit, and its impact on confidentiality, integrity and availability. A high score signals intrinsic severity — but real-world risk also depends on exposure and whether the flaw is actively exploited.

Source: FIRST CVSS v3.1 Specification. Data as of 2026-06-13.

CVSS v3.x severity bands

CVSS v3.1 qualitative severity rating scale (source: FIRST).
Rating     Base score range   What it means
None       0.0                No measurable impact; informational only.
Low        0.1 – 3.9          Limited impact, often needs local access or significant prerequisites.
Medium     4.0 – 6.9          Moderate impact or harder-to-exploit conditions.
High       7.0 – 8.9          Serious impact; prioritise patching, especially if internet-facing.
Critical   9.0 – 10.0         Severe, easily-exploited impact; patch as an emergency.


Severity is not the same as risk

The CVSS base score measures a vulnerability's intrinsic severity. Your actual risk depends on whether the affected product runs in your environment, whether it is exposed to untrusted networks, and — crucially — whether attackers are exploiting it. A Medium-rated flaw in an internet-facing system under active attack can be far more dangerous than an unexploited Critical buried deep in your network. For that reason, consult the CISA Known Exploited Vulnerabilities timeline alongside CVSS when prioritising patches.
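The band table above and the severity-versus-risk argument in this section, worked through in code. This is an added example, not code from CVEDigest or FIRST: the band mapping follows the v3.1 scale as published, while the Finding type, the priority key (known-exploited first, then internet exposure, then CVSS band) and the sample CVE identifiers are constructed for illustration.

```python
from dataclasses import dataclass

# CVSS v3.1 qualitative severity bands from FIRST, as (lower bound, rating).
# Each band runs up to the next band's lower bound minus 0.1.
CVSS_V3_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"),
                 (0.1, "Low"), (0.0, "None")]
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}


def cvss_v3_rating(base_score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating."""
    # Published v3.1 scores carry one decimal; rounding keeps a value such
    # as 3.94 from falling into the gap between the Low and Medium bands.
    score = round(base_score, 1)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    for lower, rating in CVSS_V3_BANDS:
        if score >= lower:
            return rating
    return "None"  # unreachable: 0.0 always matches the last band


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance in an environment (constructed type)."""
    cve_id: str
    base_score: float
    internet_facing: bool
    in_kev: bool  # listed in the CISA Known Exploited Vulnerabilities catalog


def priority_key(f: Finding) -> tuple:
    """Sort key: known-exploited first, then internet exposure, then CVSS band.
    Severity only breaks ties once the two risk signals are equal."""
    return (not f.in_kev, not f.internet_facing,
            SEVERITY_RANK[cvss_v3_rating(f.base_score)])


def prioritise(findings: list) -> list:
    """Return CVE ids in patch order, soonest first."""
    return [f.cve_id for f in sorted(findings, key=priority_key)]


# Constructed sample findings; the identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-00001", 9.8, internet_facing=False, in_kev=False),  # Critical, internal
    Finding("CVE-0000-00002", 5.3, internet_facing=True, in_kev=True),    # Medium, exploited
    Finding("CVE-0000-00003", 8.1, internet_facing=True, in_kev=False),   # High, exposed
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.cve_id, cvss_v3_rating(f.base_score))
    print(prioritise(SAMPLE_FINDINGS))  # ['CVE-0000-00002', 'CVE-0000-00003', 'CVE-0000-00001']
```

The exploited Medium sorts ahead of the unexploited Critical, which is exactly the ordering the section argues for.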

Frequently asked questions

What is a CVSS score?

The Common Vulnerability Scoring System (CVSS) is an open standard that rates the severity of a software vulnerability from 0.0 to 10.0. The base score reflects the intrinsic characteristics of the flaw — how it can be reached, how complex it is to exploit, and the impact on confidentiality, integrity and availability.

What CVSS score is considered critical?

Under CVSS v3.x, a base score of 9.0 to 10.0 is rated Critical, 7.0–8.9 is High, 4.0–6.9 is Medium, 0.1–3.9 is Low, and 0.0 is None.

Is a high CVSS score the same as high risk to me?

No. The CVSS base score measures intrinsic severity, not your specific risk. Whether the affected product is in your environment, exposed to the internet, and being actively exploited matters more. That is why the CISA KEV catalog (which lists only flaws known to be exploited) is a better day-to-day patch-priority signal than CVSS alone.

What is the difference between CVSS v3.1 and v4.0?

CVSS v4.0 (released 2023) refines the metric set, adds supplemental metrics, and changes how scores are computed to better reflect real-world impact. Many feeds still report v3.1 scores, so you will see both. Always note which version a score uses.

See it in practice

Browse the CVE explainer catalog to see how these severity bands apply to real, high-impact vulnerabilities.

Last updated: 2026-06-13