# CVSS Severity

> About CVSS severity classifications in Minimus advisories

CVSS, the Common Vulnerability Scoring System, is the most established prioritization method, dating back some 20 years. CVSS severity scores are calculated on a scale of 0 to 10: a score of 9.0 and above is considered critical, and a score from 7.0 to 8.9 is considered high severity.

CVSS scores are version dependent. The most recent version, CVSSv4, was released in November 2023, though CVSSv3.1 remains more prevalent for now. Minimus gives preference to the latest version, so if a CVE has been evaluated for both CVSSv4 and CVSSv3.1, only the v4 vector is shown.

## Severity score disputes

The same CVE may be assigned different CVSS scores by different vendors. For example, [CVE-2024-25110](https://nvd.nist.gov/vuln/detail/CVE-2024-25110) was assigned a staggering CVSS score of 9.8 by GitHub, but only 8.1 by NVD. There isn't as much of a consensus as one might expect.

Severity score disputes reflect different environmental assumptions (for example, a publicly exposed server versus an internal system behind a firewall) and different assessments of the potential impact, a factor widely considered to be highly subjective. The timing of the analysis is also significant: the most recent analysis is likely to be the best informed, yet CVSS scores are rarely revisited or updated once published.

## CNA ranking

Vendors officially authorized to publish CVSS scores are known as CNAs, [CVE Numbering Authorities](https://www.cve.org/programorganization/cnas). CNAs are evaluated by NVD on an ongoing basis and the CVSS vectors they publish are regularly audited.

NVD ranks CNAs according to a measure known as acceptance level ([ref](https://nvd.nist.gov/vuln/cvmap/Understanding-Acceptance-Levels)). There are 3 acceptance levels, ranked from lowest to highest:

* Reference - under evaluation
* Contributor - on track to become a Provider CNA
* Provider - highest confidence, on par with NVD analysts

<img src="https://mintcdn.com/gutsy-6162adbc/FM7VH7b6fP7agbL4/images/Acceptance-level.png?fit=max&auto=format&n=FM7VH7b6fP7agbL4&q=85&s=8ce1361df8b679fa1efa9a2c461a13a4" alt="CNA Acceptance Level by NVD" width="402" height="112" data-path="images/Acceptance-level.png" />

## Recommended severity score

When a CVE has been evaluated by more than one authority, Minimus will show the primary CVSS score and vector, as determined by the NVD API. The primary severity score is not explicitly marked in the NVD CVE listing, but it plays an important role in the NVD API.

The recommended severity score is determined using this logic:

* CVSSv4 is always favored over CVSSv3.1, regardless of the CNA's authority.
* Provider CNA analysis takes priority over NVD analysis.
* NVD analysis takes priority over Contributor or Reference CNAs (if they are in the same CVSS version).
* If NVD or Provider CNA analysis is not available, Contributor or Reference CNA analysis is shown.

<img src="https://mintcdn.com/gutsy-6162adbc/J3fbAL86NORw0g6D/images/CVSS%20Score%20Selection%20Flow-PNG.png?fit=max&auto=format&n=J3fbAL86NORw0g6D&q=85&s=4c397c8d43dbf2dd380a6a1c381f89d8" alt="CVSS Score Selection Flow PNG" width="5685" height="5590" data-path="images/CVSS Score Selection Flow-PNG.png" />
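The selection logic above, reimplemented as an added Python example (not Minimus's own code) over records in the shape of the NVD API 2.0 `metrics` object (`cvssMetricV40` / `cvssMetricV31` lists, each entry carrying `source` and `cvssData`). Every source identifier other than `nvd@nist.gov`, the acceptance level assigned to it, and any score the page does not state are constructed for illustration; the Contributor-above-Reference tie-break is an assumption.

```python
from typing import Optional

# Acceptance level per publishing source. "nvd@nist.gov" is NVD's own source
# identifier; the other three are constructed placeholders, not real CNAs.
ACCEPTANCE = {"nvd@nist.gov": "NVD", "provider-cna@example.org": "Provider",
              "contributor-cna@example.org": "Contributor",
              "reference-cna@example.org": "Reference"}
# Within one CVSS version: Provider > NVD > Contributor > Reference.
# Contributor above Reference is an assumption; the page ranks both below NVD.
RANK = {"Provider": 3, "NVD": 2, "Contributor": 1, "Reference": 0}
# Newest CVSS version always wins, regardless of who published it.
VERSION_KEYS = ("cvssMetricV40", "cvssMetricV31")


def select_severity(metrics: dict) -> Optional[dict]:
    """Pick the metric entry to display, or None when no score exists yet."""
    for key in VERSION_KEYS:
        entries = metrics.get(key) or []
        if entries:  # unrecognised sources rank below Reference
            return max(entries, key=lambda m: RANK.get(ACCEPTANCE.get(m["source"]), -1))
    return None


def band(score: float) -> str:
    """CVSS qualitative rating (same thresholds in v3.x and v4)."""
    if score == 0.0:
        return "None"
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High" if score < 9.0 else "Critical"


def metric(source: str, version: str, score: float) -> dict:
    """Build an NVD-API-shaped entry (real records also carry a vectorString)."""
    return {"source": source, "cvssData": {"version": version, "baseScore": score}}


# Constructed samples mirroring the page's three cases. Scores the page does
# not state are marked as placeholders and are not the real values.
SAMPLES = {
    "CVE-2025-12383": {  # Reference CNA v4 9.4 beats NVD v3.x 7.4: newer version wins
        "cvssMetricV40": [metric("reference-cna@example.org", "4.0", 9.4)],
        "cvssMetricV31": [metric("nvd@nist.gov", "3.1", 7.4)],
    },
    "CVE-2025-66516": {  # NVD 9.8 beats a Contributor score (placeholder 8.8)
        "cvssMetricV31": [metric("contributor-cna@example.org", "3.1", 8.8),
                          metric("nvd@nist.gov", "3.1", 9.8)],
    },
    "CVE-2025-66506": {  # only a Contributor score exists (placeholder 7.5)
        "cvssMetricV31": [metric("contributor-cna@example.org", "3.1", 7.5)],
    },
    "CVE-awaiting-analysis": {},  # no metrics yet: severity is unknown
}
```

Calling `select_severity(SAMPLES[cve])` for each key reproduces the three worked examples below, and the empty record shows the unknown-severity case from the last section.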

### Examples

[CVE-2025-12383](https://nvd.nist.gov/vuln/detail/CVE-2025-12383) has a Reference CNA CVSSv4 score of 9.4 and an NVD CVSSv3.x score of 7.4. The [Minimus advisory](https://images.minimus.io/advisories/CVE-2025-12383/severity?) lists the Reference CNA's score despite it being from a lesser authority because it uses the newer CVSS version.

[CVE-2025-66516](https://nvd.nist.gov/vuln/detail/CVE-2025-66516) has two competing CVSSv3 scores. The [Minimus advisory](https://images.minimus.io/advisories/CVE-2025-66516/severity?) lists the NVD score of 9.8 since it takes precedence over Contributor CNA analysis.

<Frame>
  <img src="https://mintcdn.com/gutsy-6162adbc/5BuNyXfEkURZtatN/images/CVSSv3-competing-scores.png?fit=max&auto=format&n=5BuNyXfEkURZtatN&q=85&s=1474dfa1d8bf11b84e2a37486813983c" alt="CVSSv3 Competing Scores" width="1214" height="318" data-path="images/CVSSv3-competing-scores.png" />
</Frame>

[CVE-2025-66506](https://nvd.nist.gov/vuln/detail/CVE-2025-66506) only offers a Contributor CNA score. This is also the severity listed in the [Minimus advisory](https://images.minimus.io/advisories/CVE-2025-66506/severity?).

<Frame>
  <img src="https://mintcdn.com/gutsy-6162adbc/5BuNyXfEkURZtatN/images/CVSSv3-contributor-score.png?fit=max&auto=format&n=5BuNyXfEkURZtatN&q=85&s=fbadfbabaeddae9e202d9dcfd002b658" alt="CVSSv3 Contributor Score" width="1200" height="300" data-path="images/CVSSv3-contributor-score.png" />
</Frame>

## Unknown severity

Vulnerabilities may be published in the NVD database before their official severity score is determined. In such cases, the severity is marked as unknown while the vulnerability awaits further analysis. It's crucial to note that an unknown severity does not mean the vulnerability was judged minor or unimportant during initial triage; it simply has not been analyzed yet.

Some vulnerabilities will be evaluated by a Reference or Contributor CNA before they receive an official NVD score. In such cases, the CVE will still show an unknown score until an official severity score and vector are published by NVD (or a Provider CNA).

Over 2024, NVD reported a chronic backlog in severity assessments and took several steps to close the gap, but the issue is not yet resolved. This situation only complicates the matter of vulnerability prioritization.

<Accordion title="Learn more about the CVE analysis backlog">
  * [NVD Dashboard showing the number of vulnerabilities reported and awaiting analysis](https://nvd.nist.gov/general/nvd-dashboard)
  * [NVD program announcement, April 2024](https://nvd.nist.gov/general/news/nvd-program-transition-announcement)
  * [CVE announcement authorizing vendors to publish CVSS scores under the CISA ADP program (CVE Authorized Data Publisher), June 2024](https://www.cve.org/Media/News/item/blog/2024/06/04/CISA-Added-as-CVE-Authorized-Data-Publisher)
</Accordion>
