The Common Vulnerability Scoring System (CVSS) is an open framework for rating the severity of security vulnerabilities in computing systems. Scores are calculated based on a formula with several metrics that approximate ease and impact of an exploit. It assigns scores ranging from 0 to 10, with 10 indicating the most severe. While many use only the CVSS Base score for determining severity, temporal and environmental scores also exist, to factor in availability of mitigations and how widespread vulnerable systems are within an organization, respectively.

The current version of CVSS (CVSSv4.0) was released in November 2023.

CVSS is not intended to be used as a method for patch management prioritization, but is used like that regardless. A more effective approach is to integrate CVSS with predictive models like the Exploit Prediction Scoring System (EPSS), which helps prioritize remediation efforts based on the likelihood of real-world exploitation.

Research by the National Infrastructure Advisory Council (NIAC) in 2003/2004 led to the launch of CVSS version 1 (CVSSv1) in February 2005, with the goal of being "designed to provide open and universally standard severity ratings of software vulnerabilities". This initial draft had not been subject to peer review or review by other organizations. In April 2005, NIAC selected the Forum of Incident Response and Security Teams (FIRST) to become the custodian of CVSS for future development.

Feedback from vendors using CVSSv1 in production suggested there were "significant issues with the initial draft of CVSS". Work on CVSS version 2 (CVSSv2) began in April 2005 with the final specification being launched in June 2007.

Further feedback resulted in work beginning on CVSS version 3 in 2012, ending with CVSSv3.0 being released in June 2015.

The CVSS assessment measures three areas of concern:

A numerical score is generated for each of these metric groups. A vector string (or simply "vector" in CVSSv2) represents the values of all the metrics as a block of text.