Guide · 5 min read · updated May 9, 2026

CVSS, demystified

What CVSS is and is not

CVSS, the Common Vulnerability Scoring System, is a rubric for scoring a vulnerability's technical severity. That is all it is. It is not a measure of business impact. It is not a measure of exploitability in your specific environment. It is not a measure of urgency. The score is a number between 0.0 and 10.0. The vector is the string of eight base metrics from which that number is computed.

Most readers fixate on the number. That is the wrong habit. The number is a summary. The vector is the source. Two findings with the same score can have completely different attack profiles. A 7.5 that requires physical access to the machine is not the same risk as a 7.5 that is exploitable over the internet with no credentials. The number hides that distinction. The vector reveals it. Read the vector.

The eight metrics

CVSS v3.1 has eight base metrics. Each one answers a specific question about the vulnerability. Here is what each metric actually asks and what the values mean.

AV — Attack Vector
Where does the attacker need to be? Network (N) means exploitable from anywhere on the internet. Adjacent (A) means the attacker needs to be on the same local network or subnet. Local (L) means they need a shell or login on the machine. Physical (P) means they need to physically touch the hardware.
AC — Attack Complexity
Are there conditions outside the attacker's control? Low (L) means none: the attack works reliably against any vulnerable target with no special preparation. High (H) means success depends on something the attacker cannot simply choose, such as winning a race condition, hitting a specific configuration, or first gathering target-specific knowledge. This metric says nothing about how hard the exploit was to write.
PR — Privileges Required
What credentials does the attacker need before exploitation? None (N) means no account at all. Low (L) means an ordinary user account: a free-tier account, a guest, anyone who can sign up. High (H) means elevated privileges over the vulnerable component, typically an administrative account.
UI — User Interaction
Does someone have to click something? None (N) means the attacker can exploit this without any victim action. Required (R) means a victim has to open a link, view a page, or take some action that triggers the vulnerability.
S — Scope
Does this jump out of the vulnerable component? Unchanged (U) means the impact is confined to the component that has the bug and the resources it already governs. Changed (C) means exploitation reaches resources governed by a different security authority: a guest VM compromising its hypervisor, a process escaping its container, a web application bug whose payload runs in the visitor's browser. When Scope is Changed, the C, I and A metrics are scored against the component that suffers the worse outcome, which need not be the one with the bug.
C — Confidentiality Impact
How much data leaks? None (N) — no data exposed. Low (L) — some limited data is accessible. High (H) — complete loss of confidentiality; all data in the affected component is readable by the attacker.
I — Integrity Impact
How much can the attacker change? None (N) — no modifications possible. Low (L) — limited write access. High (H) — complete loss of integrity; the attacker can modify or destroy all data in the affected component.
A — Availability Impact
How much can the attacker take down? None (N) — no disruption. Low (L) — reduced performance or intermittent availability. High (H) — complete denial of service; the attacker can fully shut down the affected component.

A worked example

Here is a SQL injection vector from a real pentest report. Read it left to right and translate each metric into a sentence.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  →  9.8

AV:N   — Exploitable over the internet. No network adjacency needed.
AC:L   — Low complexity. The exploit works reliably, every time.
PR:N   — No credentials required. Anyone can attempt this.
UI:N   — No victim action needed. The attacker works alone.
S:U    — Scope unchanged. Impact stays within the database component.
C:H    — Full confidentiality loss. The attacker can read the entire database.
I:H    — Full integrity loss. The attacker can write, modify, or delete any row.
A:H    — Full availability loss. The attacker can drop tables or lock the database.

Put those sentences together: this SQL injection is exploitable from the internet, with low effort, by an unauthenticated attacker, requiring no victim interaction, fully compromising the confidentiality, integrity, and availability of the database. Of course it is a 9.8. Every metric is at its worst value. The only reason it is not a perfect 10.0 is that Scope is Unchanged — the attacker cannot use this bug to pivot outside the database component.

That analysis takes 60 seconds once you know the metrics. It tells you more than the score alone ever could. You now know exactly where the risk lives and what a fix needs to address: parameterized statements remove the injection; input validation before the query is defence in depth, not the fix; and putting authentication in front of the endpoint would only move PR from N to L, shrinking the attacker population without removing the bug.

Score vs vector

The vector tells you more than the number. Here is a direct comparison. Both findings score 7.5. Their attack profiles are nothing alike.

Finding A — CVSS 7.5
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
→ Network reachable, no auth, no complexity. Data leak only — no write access.

Finding B — CVSS 7.5
AV:N / AC:H / PR:L / UI:N / S:U / C:H / I:H / A:H
→ Network reachable, but needs an authenticated account and a condition the attacker does not control (a race, a timing window). Full compromise of the component when it lands.

Finding A is reachable by anyone on the internet with no account and no preconditions; the attacker population is the entire internet, and the worst outcome is a data leak. Finding B needs an account and a favourable condition, and its worst outcome is complete compromise of the component. Which one you fix first depends on what Finding A actually leaks and on how hard an account is to obtain: if anyone can sign up, PR:L costs the attacker almost nothing. Either way, if you only look at 7.5 vs 7.5, you schedule them identically. That is the wrong call.

Common misreadings

Three mistakes that show up constantly in security reviews.

  • Treating the CVSS score as your risk. The base score rates the vulnerability in the abstract. It does not know your WAF rules, your network segmentation, or whether that endpoint is even deployed in production. Your risk is the CVSS score filtered through your environment; CVSS v3.1 even provides Environmental metrics for exactly that filtering, and most reports never fill them in. Do not skip the filtering step.
  • Comparing CVSS 4.0 and CVSS 3.1 numbers directly. CVSS 4.0 is a newer scoring framework with different metrics and different math. A 7.0 in CVSS 4.0 is not the same as a 7.0 in CVSS 3.1. Check which version produced the score before comparing across reports; the vector prefix tells you (CVSS:3.1/ versus CVSS:4.0/). Many databases and scanners still report CVSS 3.1, and newer advisories increasingly carry 4.0 alongside or instead of it. Mixing them without noting the version is how security reviews go wrong.
  • Reading “Privileges Required: Low” as “requires an admin account.” Low privileges usually means any authenticated user. A free-tier account qualifies. A guest user qualifies. Anyone who can complete your signup flow qualifies. If your app allows self-service registration, PR:L is effectively unauthenticated for any attacker willing to create an account.