CVSS is an open standard for rating the severity of security vulnerabilities on a 0.0–10.0 scale. conda-cve.tech displays severities from public vulnerability advisories; it does not calculate scores itself.
In a label such as High (7.5), the number is the CVSS v3 base score when provided.

| Rating | Base score | Typical meaning |
|---|---|---|
| Critical | 9.0 – 10.0 | Severe impact, often easy to exploit remotely; patch urgently. |
| High | 7.0 – 8.9 | Serious compromise or high impact; prioritize remediation. |
| Medium | 4.0 – 6.9 | Meaningful but more constrained impact or harder exploitation. |
| Low | 0.1 – 3.9 | Limited impact; fix in normal maintenance windows. |
| Unknown | — | Advisory has no CVSS score yet — not the same as “safe.” |

MODERATE from some databases is shown as Medium.
The base score describes the vulnerability in isolation. It does not know whether your service is on the public internet, behind a firewall, or unused in your image. A Critical CVE in an unused library may be irrelevant; a Medium CVE on an exposed admin port may be urgent for you.
CVSS also defines temporal (exploit availability, patch status) and environmental (your asset value, exposure) scores. Those are rarely returned by the APIs conda-cve.tech uses; use the linked CVE advisory pages for deeper analysis.
Vector strings encode factors such as:
coverage.checked is true.