Wiki · Concept · Last reviewed June 25, 2026

Common Vulnerability Scoring System (CVSS)

CVSS is FIRST's open framework for communicating vulnerability characteristics and severity, using scores and vector strings that make technical assumptions inspectable.

Definition

The Common Vulnerability Scoring System (CVSS) is an open framework, owned and managed by FIRST, for communicating the characteristics and severity of vulnerabilities in software, hardware, and firmware. FIRST states that CVSS is currently at version 4.0 and that CVSS v4.0 resources include the specification, user guide, examples, calculator, FAQ, implementation guide, and data representations.

CVSS is not the same thing as CVE. CVE names a publicly disclosed vulnerability. CVSS describes the technical severity of a vulnerability through a score and a vector string. It also is not the same thing as EPSS, SSVC, CISA KEV, VEX, or an organizational risk decision. Those artifacts answer adjacent questions: exploitation likelihood, decision priority, known exploitation, affected status, or local business consequence.

How It Works

CVSS v4.0 uses four metric groups: Base, Threat, Environmental, and Supplemental. Base metrics describe intrinsic characteristics that are relatively stable across time and environments, such as exploitability and impact. Threat metrics account for changing evidence such as proof-of-concept availability or active exploitation. Environmental metrics adapt severity to a particular deployment. Supplemental metrics add context without changing the final score.

A CVSS assessment produces a numerical value from 0.0 to 10.0 and a vector string. The vector matters because the number alone hides the assumptions. FIRST's guidance asks publishers to provide both the score and the vector string so consumers can see how the score was derived. The v4.0 user guide also distinguishes score nomenclature such as CVSS-B, CVSS-BT, CVSS-BE, and CVSS-BTE, depending on whether Base, Threat, and Environmental metrics were used.

CVSS is strongest when a consumer enriches the Base score. FIRST's specification says Threat and Environmental metrics are not required but are highly recommended for more meaningful results. A published Base score can help normalize severity across advisories, but it cannot reflect whether a given AI deployment exposes the vulnerable component to the internet, connects it to sensitive data, or wraps it in an agent with privileged tools.

Agent Context

AI stacks make severity translation harder. A vulnerability in a package, vector database, model gateway, container image, browser automation layer, or tool server may be scored as an ordinary software flaw. Its operational impact changes when an agent can reach it, chain it with instructions, retrieve secrets, call APIs, or act under delegated identity.

CVSS still belongs in the agent-security record because it captures the baseline technical shape of the flaw. It should then sit beside agent-specific evidence: tool permissions, memory scope, model route, sandbox boundary, identity provider, network exposure, observed exploitation, and whether the vulnerable code is present and reachable. For AI-specific amplification, OWASP AIVSS can use CVSS v4.0 as a technical baseline before adding agentic factors.

Governance and Safety

A governance-grade CVSS record should preserve the CVSS version, score, vector string, scorer, source URL, scoring date, affected CVE, product or package identity, affected version, evidence for each selected metric, and whether Threat or Environmental metrics were applied. If a scanner imports a vendor score, the record should say so rather than pretending the organization performed its own environmental assessment.
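As an added example (not FIRST's code and not part of this page's sources), a small Python parser that validates a CVSS v4.0 vector string, derives the CVSS-B/BT/BE/BTE nomenclature described under How It Works, and wraps the result in a triage record carrying the provenance fields listed above. Treating a value of X (Not Defined) as "metric not supplied" is an assumption made here, and any URL, CVE id, package or date passed to `triage_record` is a constructed placeholder.

```python
import re

# CVSS v4.0 metric groups, by the abbreviations used in FIRST's specification.
BASE = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")
THREAT = ("E",)
ENVIRONMENTAL = ("CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                 "MVC", "MVI", "MVA", "MSC", "MSI", "MSA")
SUPPLEMENTAL = ("S", "AU", "R", "V", "RE", "U")
KNOWN = set(BASE + THREAT + ENVIRONMENTAL + SUPPLEMENTAL)

def parse_vector(vector: str) -> dict:
    """Split 'CVSS:4.0/AV:N/...' into {metric: value}, rejecting malformed input."""
    parts = vector.split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {parts[0]!r}")
    metrics = {}
    for part in parts[1:]:
        m = re.fullmatch(r"([A-Z]+):([A-Z])", part)
        if not m:
            raise ValueError(f"malformed metric {part!r}")
        name, value = m.groups()
        if name not in KNOWN or name in metrics:
            raise ValueError(f"unknown or duplicate metric {name!r}")
        metrics[name] = value
    missing = [b for b in BASE if b not in metrics]
    if missing:  # every Base metric is mandatory in v4.0
        raise ValueError(f"missing Base metrics: {missing}")
    return metrics

def nomenclature(metrics: dict) -> str:
    """CVSS-B / -BT / -BE / -BTE depending on which optional groups carry a value.
    Assumption made here: X (Not Defined) counts as 'not supplied'."""
    def applied(group):
        return any(metrics.get(n, "X") != "X" for n in group)
    return "CVSS-B" + ("T" if applied(THREAT) else "") + ("E" if applied(ENVIRONMENTAL) else "")

def triage_record(vector, score, scorer, source_url, scoring_date,
                  cve, package, version, imported):
    """Governance-grade record: vector, nomenclature and provenance stay together,
    and the record states plainly whether the score was imported or assessed locally."""
    nom = nomenclature(parse_vector(vector))
    return {
        "cvss_version": "4.0", "score": score, "vector": vector, "nomenclature": nom,
        "threat_applied": "T" in nom, "environmental_applied": nom.endswith("E"),
        "scorer": scorer, "source_url": source_url, "scoring_date": scoring_date,
        "cve": cve, "package": package, "version": version,
        "score_origin": "imported-from-source" if imported else "local-assessment",
    }
```

The numerical score is deliberately not computed here; FIRST's calculator and MacroVector tables remain the authority for that, and this code only records a score obtained from them or from a cited source.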

CVSS should not be used as a patch queue by itself. A severe vulnerability in an unreachable test system may be less urgent than a lower-scored flaw in a public agent tool with active exploitation. CISA's Known Exploited Vulnerabilities Catalog gives a separate signal for vulnerabilities exploited in the wild, while EPSS estimates exploitation likelihood and VEX can state product-specific affected status. CVSS supplies severity, not the whole decision.

Defense Pattern

Source Discipline

Claims about CVSS should cite FIRST's CVSS SIG, the exact specification version, or a linked FIRST resource. A vendor advisory may provide a valid CVSS score, but it is still a score from that source. A scanner may import, override, or recalculate scores. Those choices should be visible in the vulnerability record.

CVSS should not be confused with CVE identity, CPE or PURL package identity, SBOM contents, exploit prediction, known-exploited status, VEX status, or AI-specific scoring. Good triage keeps these fields separate and joins them deliberately.

Spiralist Reading

Spiralism reads CVSS as a ritual for making technical judgment legible. The number is not the truth. The vector is closer to the truth because it exposes the assumptions that produced the number.

In agentic systems, the deeper lesson is humility about inherited metrics. A machine that can act through tools changes the local meaning of a software flaw. CVSS gives the first grammar. Governance has to finish the sentence.
