CVSS

CVSS (Common Vulnerability Scoring System) expresses the severity of a vulnerability as a number from 0.0 to 10.0, derived from factors like how easily it can be exploited and how much damage it enables. It is a useful triage signal — 9.0+ is critical — but it is not the whole story: a medium-scored bug that is being actively exploited against your exact stack outranks a critical one that isn't. Pair the score with real-world exploitation data.