Concepts
CVSS
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. It produces a numerical score from 0.0 to 10.0 reflecting the severity of a vulnerability, along with a textual vector string that represents the specific metric values used to derive that score.
CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments. The Temporal group reflects characteristics that change over time, and the Environmental group represents characteristics unique to a user’s environment.
The WPVulnerability API provides Base metrics for CVSS versions 2.0, 3.0, 3.1, and 4.0.
EPSS
The Exploit Prediction Scoring System (EPSS) estimates the probability (0.0 to 1.0) that a vulnerability will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS focuses on the likelihood of exploitation, making the two systems complementary.
KEV
The CISA Known Exploited Vulnerabilities (KEV) catalog is a curated list of CVEs maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for which there is confirmed evidence of real-world exploitation. Unlike CVSS (which measures how severe a vulnerability is) or EPSS (which predicts how likely it is to be exploited), KEV is a binary signal: the vulnerability is either confirmed exploited or it is not in the catalog. The catalog was established in November 2021 under Binding Operational Directive (BOD) 22-01.
CWE
Common Weakness Enumeration (CWE) is a community-developed list of software and hardware weakness types. It serves as a common language for describing the root cause of a vulnerability and as a classification baseline for identification, mitigation, and prevention efforts. The list contains roughly 1,000 weakness entries, each with an identifier of the form CWE-89.
Severity levels
CVSS scores translate to severity labels. The thresholds differ between version 2 and versions 3/4:
| Score range | CVSS 2.0 severity | CVSS 3.x / 4.0 severity |
|---|---|---|
| 0.0 | low | none |
| 0.1 — 3.9 | low | low |
| 4.0 — 6.9 | medium | medium |
| 7.0 — 8.9 | high | high |
| 9.0 — 10.0 | high | critical |
Data sources
| Source | cvss (legacy) | cvss2 | cvss3 | cvss4 | epss | kev |
|---|---|---|---|---|---|---|
| CVE (NVD) | v3 only | — | 98% of WP CVEs | — | — | — |
| EUVD | — | 24% of records | 71% of records | 5% of records | 83% | — |
| CISA KEV | — | — | — | — | — | ✓ |
| JVN | — | — | — | — | — | — |
| PAT (Patchstack) | — | — | — | — | — | — |
| WPS (WPScan) | — | — | — | — | — | — |
| WFN (Wordfence) | — | — | — | — | — | — |
CVSS 4.0
CVSS 4.0 is the latest version of the scoring system. It replaces the single Scope metric from v3 with separate Vulnerable System (VC/VI/VA) and Subsequent System (SC/SI/SA) impact metrics, introduces Attack Requirements (AT) as a new metric, and splits User Interaction into Passive and Active.
Data source: EUVD only. Metrics are parsed from the vector string.
Vector format: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Attack Vector (AV)
Reflects the context by which vulnerability exploitation is possible. The score is greater the more remote an attacker can be.
- Network (N): Exploitable from across the network, including the entire Internet.
- Adjacent (A): Limited to a logically adjacent topology (same LAN, Bluetooth, local subnet).
- Local (L): Requires local access or relies on user interaction (e.g., opening a malicious file).
- Physical (P): Requires physical access to the device.
Attack Complexity (AC)
Conditions beyond the attacker’s control that must exist to exploit the vulnerability. In 4.0 this metric covers only the need to defeat security mechanisms built into the target; deployment conditions and race conditions are scored under Attack Requirements instead.
- Low (L): No specialized conditions required. Repeatable success expected.
- High (H): Success depends on evading or circumventing security-enhancing techniques in place (e.g., bypassing ASLR or DEP) or on obtaining a target-specific secret that reconnaissance alone cannot reveal (e.g., a key needed to break a protected channel).
Attack Requirements (AT)
New in CVSS 4.0. Captures prerequisites that must be in place in the vulnerable system’s deployment environment for the attack to succeed.
- None (N): No additional deployment requirements.
- Present (P): Specific deployment conditions must exist (e.g., a particular configuration, a race condition in the target environment).
Privileges Required (PR)
Level of privileges an attacker must possess before exploitation.
- None (N): No privileges required.
- Low (L): Basic user-level privileges.
- High (H): Administrative-level privileges.
User Interaction (UI)
Whether a human user besides the attacker must participate.
- None (N): No user interaction required.
- Passive (P): The user must passively interact (e.g., visit a page).
- Active (A): The user must actively perform a specific action.
Vulnerable System Impact (VC / VI / VA)
Impact on the vulnerable system itself, replacing v3’s C/I/A metrics.
- VC — Confidentiality: none, low, high
- VI — Integrity: none, low, high
- VA — Availability: none, low, high
Subsequent System Impact (SC / SI / SA)
Impact on systems beyond the vulnerable component, replacing v3’s Scope concept.
- SC — Confidentiality: none, low, high
- SI — Integrity: none, low, high, safety
- SA — Availability: none, low, high, safety
The value safety indicates impact on human safety (new in v4.0). Note that the CVSS 4.0 specification defines Safety (S) only for the Environmental metrics MSI and MSA; a Base vector string carries N, L or H for SI and SA, so the safety value appears here only when the upstream source supplied it.
Score and Severity
Score ranges from 0.0 to 10.0. Severity labels: none, low, medium, high, critical.
Value mapping
| Metric | Code | Full value |
|---|---|---|
| AV | N | network |
| AV | A | adjacent |
| AV | L | local |
| AV | P | physical |
| AC | L | low |
| AC | H | high |
| AT | N | none |
| AT | P | present |
| PR | N | none |
| PR | L | low |
| PR | H | high |
| UI | N | none |
| UI | P | passive |
| UI | A | active |
| VC/VI/VA/SC/SI/SA | N | none |
| VC/VI/VA/SC/SI/SA | L | low |
| VC/VI/VA/SC/SI/SA | H | high |
| SI/SA | S | safety |
CVSS 3.0 / 3.1
CVSS v3.0 and v3.1 share the same metric structure; the version field distinguishes them. Values in the API use full human-readable strings.
Data sources: CVE/NVD (all fields including sub-scores) and EUVD (metrics parsed from vector; sub-scores not available).
Vector format: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV)
Reflects the context by which vulnerability exploitation is possible.
- Network (N): Exploitable from across the network, up to and including the entire Internet. Often termed “remotely exploitable” — an attack at the protocol level one or more network hops away.
- Adjacent (A): Limited to a logically adjacent topology — same shared physical or logical network, or within a secure administrative domain.
- Local (L): The attacker’s path is via read/write/execute capabilities. Requires local access (keyboard, console, SSH) or relies on user interaction (e.g., social engineering to open a malicious document).
- Physical (P): Requires the attacker to physically touch or manipulate the device.
Attack Complexity (AC)
Conditions beyond the attacker’s control that must exist to exploit the vulnerability.
- Low (L): No specialized conditions. Repeatable success expected.
- High (H): Success depends on conditions the attacker cannot control — gathering environment knowledge, preparing the target, or injecting into the network path.
Privileges Required (PR)
Level of privileges an attacker must possess before exploitation.
- None (N): No privileges required.
- Low (L): Basic user-level capabilities.
- High (H): Administrative control over the component.
User Interaction (UI)
Whether a human user besides the attacker must participate.
- None (N): No user interaction required.
- Required (R): A user must take some action before exploitation is possible.
Scope (S)
Whether exploitation of the vulnerable component impacts resources beyond its security scope.
- Unchanged (U): Impact is limited to the vulnerable component’s own security scope.
- Changed (C): Impact extends beyond the vulnerable component to other components managed by different security authorities.
Confidentiality (C)
Impact on the confidentiality of information managed by the component.
- High (H): Total loss of confidentiality — all resources divulged, or restricted information with direct serious impact is disclosed.
- Low (L): Some loss of confidentiality. Limited access to restricted information without direct serious impact.
- None (N): No loss of confidentiality.
Integrity (I)
Impact on the integrity of information.
- High (H): Total loss of integrity or complete loss of protection.
- Low (L): Modification of data is possible but limited in scope or consequence.
- None (N): No loss of integrity.
Availability (A)
Impact on the availability of the component.
- High (H): Total loss of availability — the attacker can fully deny access to resources.
- Low (L): Performance is reduced or there are interruptions, but service is not fully denied.
- None (N): No impact to availability.
Score and Severity
Score ranges from 0.0 to 10.0. Severity labels: none, low, medium, high, critical.
Exploitability and Impact sub-scores
Two additional sub-scores are available when data comes from CVE/NVD:
- Exploitability: 0.0 to 10.0 — how easy the vulnerability is to exploit.
- Impact: 0.0 to 10.0 — the overall impact of exploitation.
These fields are null when data comes from EUVD (sub-scores are not available from that source).
Value mapping
| Metric | Code | Full value |
|---|---|---|
| AV | N | network |
| AV | A | adjacent |
| AV | L | local |
| AV | P | physical |
| AC | L | low |
| AC | H | high |
| PR | N | none |
| PR | L | low |
| PR | H | high |
| UI | N | none |
| UI | R | required |
| S | U | unchanged |
| S | C | changed |
| C/I/A | N | none |
| C/I/A | L | low |
| C/I/A | H | high |
CVSS 2.0
CVSS 2.0 predates the modern metric model. It uses Access Vector / Access Complexity rather than Attack Vector / Attack Complexity, Authentication (AU) instead of Privileges Required / User Interaction, and its Confidentiality / Integrity / Availability values are none / partial / complete rather than none / low / high. Severity has only three levels: there is no Critical, and no None (a 0.0 score is low).
Data source: EUVD only. No CVSS v2 data is stored for CVE/NVD.
Vector format: no version prefix — e.g. AV:N/AC:L/AU:N/C:P/I:P/A:P
Access Vector (AV)
- Network (N): Exploitable from across the network.
- Adjacent (A): Limited to an adjacent network.
- Local (L): Requires local access.
Access Complexity (AC)
- Low (L): No specialized conditions required.
- Medium (M): Some conditions required.
- High (H): Specialized conditions required.
Authentication (AU)
The number of times an attacker must authenticate to the target to exploit the vulnerability. This metric is specific to CVSS v2: v3 and v4 replaced it with Privileges Required and User Interaction, which measure the privilege level needed rather than a count of authentications, so there is no one-to-one conversion between the two.
- None (N): No authentication required.
- Single (S): Single authentication required.
- Multiple (M): Multiple authentications required.
Confidentiality (C)
- None (N): No impact.
- Partial (P): Considerable informational disclosure, but scope is limited.
- Complete (C): Total information disclosure.
Integrity (I)
- None (N): No impact.
- Partial (P): Modification of some system files or information is possible.
- Complete (C): Total compromise of system integrity.
Availability (A)
- None (N): No impact.
- Partial (P): Reduced performance or interruptions.
- Complete (C): Total shutdown of the resource.
Score and Severity
Score ranges from 0.0 to 10.0. Severity labels (three levels only): low (0.0–3.9), medium (4.0–6.9), high (7.0–10.0).
Value mapping
| Metric | Code | Full value |
|---|---|---|
| AV | N | network |
| AV | A | adjacent |
| AV | L | local |
| AC | L | low |
| AC | M | medium |
| AC | H | high |
| AU | N | none |
| AU | S | single |
| AU | M | multiple |
| C/I/A | N | none |
| C/I/A | P | partial |
| C/I/A | C | complete |
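The three vector formats on this page (CVSS:4.0/..., CVSS:3.x/... and the prefix-less v2 form) and their three value-mapping tables can be handled by one parser. The block below is an added example written for this page, not WPVulnerability API code: it detects the version from the prefix, expands each abbreviation to the full value exactly as the mapping tables above list them, rejects vectors that are missing a Base metric, and applies the thresholds from the Severity levels table. The function names, the version/metrics/extra keys of the result, and the tolerance for NVD's old parenthesised v2 vectors with Au in mixed case are this example's own choices.

```python
"""Parse CVSS 2.0, 3.x and 4.0 base vector strings into the full value names.

Added example for this page, not WPVulnerability API code. The abbreviation
tables mirror the page's "Value mapping" tables and severity() mirrors its
"Severity levels" table; everything else is this example's own design.
"""
import re

_CIA_V2 = {"N": "none", "P": "partial", "C": "complete"}
_NLH = {"N": "none", "L": "low", "H": "high"}

# Base metrics per version, in vector order, with the codes each accepts.
_BASE = {
    "2.0": {
        "AV": {"N": "network", "A": "adjacent", "L": "local"},
        "AC": {"L": "low", "M": "medium", "H": "high"},
        "AU": {"N": "none", "S": "single", "M": "multiple"},
        "C": _CIA_V2, "I": _CIA_V2, "A": _CIA_V2,
    },
    "3.x": {
        "AV": {"N": "network", "A": "adjacent", "L": "local", "P": "physical"},
        "AC": {"L": "low", "H": "high"},
        "PR": _NLH,
        "UI": {"N": "none", "R": "required"},
        "S": {"U": "unchanged", "C": "changed"},
        "C": _NLH, "I": _NLH, "A": _NLH,
    },
    "4.0": {
        "AV": {"N": "network", "A": "adjacent", "L": "local", "P": "physical"},
        "AC": {"L": "low", "H": "high"},
        "AT": {"N": "none", "P": "present"},
        "PR": _NLH,
        "UI": {"N": "none", "P": "passive", "A": "active"},
        "VC": _NLH, "VI": _NLH, "VA": _NLH,
        "SC": _NLH,
        # The page lists "safety" for SI/SA; the 4.0 spec defines it only for
        # the Environmental MSI/MSA metrics, so it is accepted but rarely seen.
        "SI": {**_NLH, "S": "safety"}, "SA": {**_NLH, "S": "safety"},
    },
}

_PREFIX = re.compile(r"^CVSS:(3\.0|3\.1|4\.0)/")


def parse_vector(vector: str) -> dict:
    """Return {"version", "metrics", "extra"} for a CVSS vector string.

    Every Base metric must be present and is mapped to its full name; any
    other metric (v3 Temporal, v4 Threat/Environmental) is kept raw in "extra".
    """
    text = vector.strip()
    m = _PREFIX.match(text)
    if m:
        version, body = m.group(1), text[m.end():]
    else:
        # v2 vectors carry no prefix; NVD used to wrap them in parentheses
        # and spells Authentication "Au", so strip the one and upper-case keys.
        version, body = "2.0", text.strip("()")
    table = _BASE["3.x" if version.startswith("3") else version]
    metrics, extra = {}, {}
    for part in body.split("/"):
        key, sep, code = part.partition(":")
        key = key.upper()
        if not sep or not key:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        if key not in table:
            extra[key] = code
            continue
        if key in metrics:
            raise ValueError(f"duplicate metric {key} in {vector!r}")
        if code not in table[key]:
            raise ValueError(f"invalid value {code!r} for {key} in CVSS {version}")
        metrics[key] = table[key][code]
    missing = [k for k in table if k not in metrics]
    if missing:
        raise ValueError(f"CVSS {version} vector lacks base metrics {missing}")
    return {"version": version, "metrics": metrics, "extra": extra}


def severity(score: float, version: str) -> str:
    """Map a score to the label the page's severity table assigns it."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    if version == "2.0":  # v2 has neither "none" nor "critical"
        return "low" if score < 4.0 else "medium" if score < 7.0 else "high"
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


if __name__ == "__main__":
    for v in ("CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
              "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"):
        print(parse_vector(v))
```

Two things worth noting when using this against real feeds: a 4.0 vector without AT, or a 3.x vector with the 4.0-only UI:P, is rejected rather than silently accepted, and a 9.0 score maps to high under 2.0 but critical under 3.x/4.0, so always pass the version alongside the score.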
EPSS
EPSS (Exploit Prediction Scoring System) estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. The value ranges from 0.0 to 1.0.
- Populated from EUVD data when available (83% of EUVD records).
- null for CVE, JVN, PAT, WPS, and WFN sources.
- Top-level field inside impact, not nested inside any cvss* block.
KEV
The CISA Known Exploited Vulnerabilities (KEV) catalog is the authoritative source of vulnerabilities confirmed to have been exploited in the wild. It is maintained by the U.S. Cybersecurity and Infrastructure Security Agency under Binding Operational Directive (BOD) 22-01.
KEV is a binary indicator: a vulnerability either appears in the catalog (confirmed exploited) or it does not. It does not assign scores or severity levels.
Inclusion criteria
All three conditions must be met for a CVE to be added to the KEV catalog:
- The vulnerability has a CVE ID assigned.
- There is reliable evidence of exploitation in the wild (attempted or successful).
- There is a clear remediation action available (vendor patch, mitigation, or discontinue use).
None of the following qualifies on its own: publicly available proof-of-concept code, scanner detections, or theoretical exploitability.
How it complements CVSS and EPSS
CVSS, EPSS, and KEV answer three different questions about the same vulnerability:
| System | Question it answers | Type |
|---|---|---|
| CVSS | How severe is this vulnerability? | Score (0.0 — 10.0) |
| EPSS | How likely is it to be exploited in the next 30 days? | Probability (0.0 — 1.0) |
| KEV | Has it already been exploited in the wild? | Binary (yes / no) |
Using all three together provides a three-dimensional view of risk. A vulnerability can have a medium CVSS score but appear in KEV, meaning it is actively exploited despite not being the most severe on paper. Conversely, a critical CVSS score with no KEV entry and low EPSS probability may be less urgent in practice.
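The following is an added example written for this page, not WPVulnerability API code, of what "using all three together" looks like in practice: records are ordered by KEV membership first (overdue due dates ahead of the rest), then by EPSS probability, then by CVSS severity. It assumes the field placement the page describes (impact.epss as a top-level number, impact.kev as a KEV entry or null, impact.cvss4/cvss3/cvss2 blocks) and, as an assumption of this example, that each cvss block holds its score under a key named score. The sample records are constructed for the example and are not real vulnerabilities; the 10% EPSS threshold and the bucket names are a local policy choice, not anything the API defines.

```python
"""Rank records by KEV membership, EPSS probability and CVSS severity together.

Added example for this page, not WPVulnerability API code. Assumes the
impact.kev / impact.epss / impact.cvss* layout described on the page and
(example assumption) a "score" key inside each cvss block.
"""
from datetime import date

EPSS_LIKELY = 0.10  # assumed local policy: >= 10% 30-day probability counts as "likely"

# Constructed sample data for this example; the ids are not CVE identifiers.
SAMPLE_RECORDS = [
    {"id": "example-a", "impact": {"cvss3": {"score": 9.8}, "epss": 0.02, "kev": None}},
    {"id": "example-b", "impact": {"cvss3": {"score": 6.1}, "epss": 0.91, "kev": None}},
    {"id": "example-c", "impact": {"cvss3": {"score": 5.4}, "epss": 0.45,
     "kev": {"dateAdded": "2024-01-01", "dueDate": "2024-01-22",
             "knownRansomwareCampaignUse": "Unknown"}}},
    {"id": "example-d", "impact": {"cvss3": {"score": 7.5}, "epss": None, "kev": None}},
    {"id": "example-e", "impact": {"cvss2": {"score": 5.0}, "epss": 0.001, "kev": None}},
    {"id": "example-f", "impact": {"cvss4": {"score": 8.8}, "cvss3": {"score": 8.1},
     "epss": 0.30,
     "kev": {"dateAdded": "2024-06-10", "dueDate": "2024-07-01",
             "knownRansomwareCampaignUse": "Known"}}},
]


def best_cvss(impact: dict) -> float:
    """Newest available CVSS base score, or 0.0 if the record has none."""
    for key in ("cvss4", "cvss3", "cvss2", "cvss"):
        block = impact.get(key)
        if block and block.get("score") is not None:
            return float(block["score"])
    return 0.0


def bucket(record: dict, today: str) -> str:
    """Classify one record: exploited > likely > severe > backlog.

    `today` is an ISO date so the KEV dueDate comparison is reproducible.
    """
    imp = record["impact"]
    kev, epss = imp.get("kev"), imp.get("epss")
    if kev:  # KEV is binary: present means confirmed exploited in the wild
        overdue = date.fromisoformat(kev["dueDate"]) < date.fromisoformat(today)
        return "exploited-overdue" if overdue else "exploited"
    if epss is not None and epss >= EPSS_LIKELY:
        return "likely"
    if best_cvss(imp) >= 7.0:  # high or critical on the 3.x/4.0 scale
        return "severe"
    return "backlog"


_ORDER = {"exploited-overdue": 0, "exploited": 1, "likely": 2, "severe": 3, "backlog": 4}


def triage(records: list, today: str) -> list:
    """Return [(id, bucket), ...] in work order.

    Within a bucket, known ransomware use comes first, then higher EPSS,
    then higher CVSS.
    """
    def key(rec):
        imp = rec["impact"]
        kev = imp.get("kev") or {}
        ransomware = kev.get("knownRansomwareCampaignUse") == "Known"
        epss = imp.get("epss") or 0.0
        return (_ORDER[bucket(rec, today)], not ransomware, -epss, -best_cvss(imp))
    return [(r["id"], bucket(r, today)) for r in sorted(records, key=key)]


if __name__ == "__main__":
    for item in triage(SAMPLE_RECORDS, "2024-06-15"):
        print(item)
```

On the sample data the 9.8 record ("example-a") lands fourth: the two KEV entries and the 6.1 stored-XSS-style record with a 91% EPSS all outrank it, which is exactly the inversion the paragraph above describes. Replace the threshold and the bucket names with whatever your own vulnerability-management policy requires.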
Data format
Each KEV entry from CISA contains the following fields:
| Field | Description |
|---|---|
| cveID | The CVE identifier |
| vendorProject | Vendor or project name |
| product | Affected product |
| vulnerabilityName | Official vulnerability name |
| shortDescription | Description of the vulnerability |
| dateAdded | Date CISA added the entry to the catalog |
| dueDate | Remediation deadline (for federal agencies under BOD 22-01) |
| requiredAction | Recommended remediation action |
| knownRansomwareCampaignUse | "Known" or "Unknown" |
| notes | Links to advisories and additional context |
When the vulnerability’s CVE is not present in the KEV catalog, the kev field is null.
CWE
CWE (Common Weakness Enumeration) is a community-developed list of software and hardware weakness types. Each vulnerability can reference one or more CWE entries.
| Field | Type | Description |
|---|---|---|
| cwe | string | CWE identifier (e.g. CWE-89) |
| name | string | Short name of the weakness |
| description | string | Description of the weakness |