CVSS, the Common Vulnerability Scoring System, is the most established prioritization method, dating back some 20 years. CVSS severity scores fall on a scale of 0 to 10: a score of 9.0 or higher is rated critical, and 7.0 or higher is rated high severity. CVSS scores are version dependent. The most recent version, CVSSv4, was released in Nov. 2023, though CVSSv3.1 remains more prevalent for now. Minimus gives preference to the latest version, so if a CVE has been evaluated for both CVSSv4 and CVSSv3.1, only the v4 vector is shown.

Severity score disputes

The same CVE may be assigned different CVSS scores by different vendors. For example, CVE-2024-25110 was assigned a staggering CVSS score of 9.8 by GitHub, but only 8.1 by NVD. There isn’t as much of a consensus as one might expect. Severity score disputes reflect different environmental assumptions (for example, comparing a publicly exposed server to an internal system behind a firewall) and different assessments of the potential impact, a factor considered to be highly subjective. The timing of the analysis is also significant, with the most recent analysis likely to be the best informed. In general, CVSS scores are rarely revisited or updated.

CNA ranking

Vendors officially authorized to publish CVSS scores are known as CNAs (CVE Numbering Authorities). CNAs are evaluated by NVD on an ongoing basis, and the CVSS vectors they publish are regularly audited. NVD ranks CNAs according to a measure known as acceptance level (ref). There are 3 acceptance levels, ranked from lowest to highest:
  • Reference - under evaluation
  • Contributor - on track to become a Provider CNA
  • Provider - highest confidence, on par with NVD analysts
Figure: CNA Acceptance Level by NVD

When a CVE has been evaluated by more than one authority, Minimus shows the primary CVSS score and vector, as determined by the NVD API. The primary severity score is not explicitly marked in the NVD CVE listing, but it plays an important role in the NVD API. The recommended severity score is determined using this logic:
  • CVSSv4 is always favored over CVSSv3.1, regardless of the CNA’s authority.
  • Provider CNA analysis takes priority over NVD analysis.
  • NVD analysis takes priority over Contributor or Reference CNAs (if they are in the same CVSS version).
  • If NVD or Provider CNA analysis is not available, Contributor or Reference CNA analysis is shown.
Figure: CVSS Score Selection Flow

Examples

  • CVE-2025-12383 has a Reference CNA CVSSv4 score of 9.4 and an NVD CVSSv3.x score of 7.4. The Minimus advisory lists the Reference CNA’s score despite it being from a lesser authority because it uses the newer CVSS version.
  • CVE-2025-66516 has two competing CVSSv3 scores. The Minimus advisory lists the NVD score of 9.8, since it takes precedence over Contributor CNA analysis. (Figure: CVSSv3 Competing Scores)
  • CVE-2025-66506 only offers a Contributor CNA score. This is also the severity listed in the Minimus advisory. (Figure: CVSSv3 Contributor Score)
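The selection rules and the three examples above, implemented as an added illustration that is not Minimus' own code. It assumes a simple metric model (version, publishing source, score, vector) and a hypothetical lookup table mapping each source to its NVD acceptance level, since the level is not carried in the metric itself; the vectors, the non-NVD score for CVE-2025-66516 and the Contributor-only score for CVE-2025-66506 are constructed placeholders, as is the extra Provider-versus-NVD case.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical lookup of each publishing source's NVD acceptance level.
# The real levels come from NVD's CNA listing; these entries are constructed.
CNA_LEVEL = {
    "nvd@nist.gov": "nvd",
    "provider-cna.example": "provider",
    "contributor-cna.example": "contributor",
    "reference-cna.example": "reference",
}

# Precedence within a single CVSS version (higher wins):
# Provider CNA > NVD > Contributor or Reference CNA.
AUTHORITY_RANK = {"provider": 3, "nvd": 2, "contributor": 1, "reference": 1}


@dataclass(frozen=True)
class Metric:
    """One published CVSS assessment for a CVE (constructed model)."""
    version: str       # "4.0", "3.1", ...
    source: str        # identifier of the publishing authority
    base_score: float
    vector: str


def version_key(version: str) -> tuple:
    """Order CVSS versions numerically so that 4.0 beats 3.1 and 3.0."""
    return tuple(int(part) for part in version.split("."))


def authority_rank(source: str) -> int:
    """Sources missing from the table are treated as Reference (assumption)."""
    return AUTHORITY_RANK[CNA_LEVEL.get(source, "reference")]


def select_primary(metrics: list) -> Optional[Metric]:
    """Pick the metric to display, following the four rules on this page.

    Returns None when nothing has been published yet (severity unknown).
    """
    if not metrics:
        return None
    # Rule 1: the newest CVSS version always wins, whoever published it.
    newest = max(version_key(m.version) for m in metrics)
    same_version = [m for m in metrics if version_key(m.version) == newest]
    # Rules 2-4: within that version, the most trusted authority wins.
    # max() keeps the first of equally ranked entries, so a tie between a
    # Contributor and a Reference CNA falls to whichever was listed first.
    return max(same_version, key=lambda m: authority_rank(m.source))


def severity_band(score: float) -> str:
    """Qualitative rating bands used by CVSS v3.x and v4.0."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Constructed sample data modelled on the examples on this page. The 9.4 / 7.4
# and 9.8 scores are the ones the page quotes; everything else is a placeholder.
SAMPLE = {
    "CVE-2025-12383": [
        Metric("3.1", "nvd@nist.gov", 7.4, "CVSS:3.1/(vector omitted)"),
        Metric("4.0", "reference-cna.example", 9.4, "CVSS:4.0/(vector omitted)"),
    ],
    "CVE-2025-66516": [
        Metric("3.1", "contributor-cna.example", 8.8, "CVSS:3.1/(vector omitted)"),
        Metric("3.1", "nvd@nist.gov", 9.8, "CVSS:3.1/(vector omitted)"),
    ],
    "CVE-2025-66506": [
        Metric("3.1", "contributor-cna.example", 7.5, "CVSS:3.1/(vector omitted)"),
    ],
    # Constructed case: a Provider CNA and NVD disagree within the same version.
    "placeholder-provider-vs-nvd": [
        Metric("3.1", "nvd@nist.gov", 9.8, "CVSS:3.1/(vector omitted)"),
        Metric("3.1", "provider-cna.example", 8.1, "CVSS:3.1/(vector omitted)"),
    ],
}

if __name__ == "__main__":
    for cve, metrics in SAMPLE.items():
        chosen = select_primary(metrics)
        print(f"{cve}: {chosen.source} v{chosen.version} "
              f"{chosen.base_score} ({severity_band(chosen.base_score)})")
```

Note that the version comparison runs first and only then the authority ranking, which is why CVE-2025-12383 resolves to the Reference CNA's v4 score even though NVD outranks that CNA: authority is only a tie-breaker among vectors of the same CVSS version.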

Unknown severity

Vulnerabilities may be published in the NVD database before their official severity score is determined. In such cases, the severity is marked as unknown while the vulnerability awaits further analysis. It is crucial to note that vulnerabilities awaiting severity analysis have not necessarily been judged minor or unimportant during initial triage. Some vulnerabilities will be evaluated by a Reference or Contributor CNA before they receive an official NVD score. In such cases, the CVE will still show an unknown score until an official severity score and vector are published by NVD (or a Provider CNA). Over 2024, NVD reported a chronic backlog in severity assessments and took several steps to close the gap, but the issue is not yet resolved. This situation only complicates the matter of vulnerability prioritization.
Last modified on February 4, 2026