Common Vulnerability Scoring System

Common Vulnerability Scoring System, usually called CVSS, is a standardized method for describing the technical severity of a vulnerability. In plain language, it gives defenders a shared way to say how serious a disclosed weakness may be before they add local business context.

Why It Matters

CVSS matters because security teams often need an initial severity signal when thousands of findings are competing for attention. A consistent scoring framework helps teams sort, compare, and discuss vulnerabilities more efficiently.

It also matters because severity alone is not enough. CVSS is useful precisely because teams can combine it with asset importance, exposure, and compensating controls instead of guessing blindly.

Where It Appears in Real Systems or Security Workflow

CVSS appears in Vulnerability Scanner results, vendor advisories, patch prioritization, Vulnerability Management, and Risk Register discussions. Teams often review it together with Common Vulnerabilities and Exposures, Risk Assessment, and Compensating Control decisions.

It is a starting point for prioritization, not the end of the conversation.

Practical Example

A vulnerability receives a high CVSS score because it could allow serious remote impact under certain conditions. The security team still reviews whether the affected system is internet-facing, whether a firewall limits exposure, and whether patching must happen immediately or can be sequenced safely.

Common Misunderstandings and Close Contrasts

CVSS is not the same as business risk. A technically severe flaw may create limited local risk if the affected component is isolated or protected by other controls.

It is also different from the CVE identifier itself. CVE tells you which vulnerability is being referenced, while CVSS describes one standard view of how severe it may be.