CVSS

CVSS produces a 0–10 base score from exploitability and impact metrics: Critical 9.0–10, High 7.0–8.9, Medium 4.0–6.9, Low 0.1–3.9. The base score is intentionally context-free, so apply Temporal (is an exploit available?) and Environmental (how exposed is this asset?) metrics to your situation. CVSS alone is not a prioritization plan — pair it with exploitation likelihood signals like EPSS and the CISA KEV list.