Common Vulnerability Scoring System (CVSS)
: A standardized framework, maintained by FIRST, for rating the severity of security vulnerabilities on a scale of 0.0 to 10.0. The CVSS v3.x Base metrics are Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and the impact on Confidentiality, Integrity, and Availability; CVSS v4.0 (2023) replaces Scope with separate vulnerable-system and subsequent-system impact metrics and adds Attack Requirements, but keeps the same rating bands. Scores map to None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0). The number that NVD or an SCA tool shows is normally the Base score, which measures the severity of the flaw itself, not the risk to your particular deployment.
Why It Matters for AI-Coded Apps
When SCA tools flag dozens of vulnerable dependencies in a vibe-coded project, CVSS scores give a first cut at prioritizing fixes. A Critical (9.0+) CVE in a direct dependency needs immediate attention. A Low (2.0) CVE in a transitive dependency whose vulnerable code path your application never calls can wait. Without CVSS, developers either fix everything (wasting time) or nothing (accepting risk).
Real-World Example
Log4Shell (CVE-2021-44228) received a CVSS v3.1 Base score of 10.0 (Critical). Its NVD vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: network-accessible (Attack Vector: Network), no special conditions needed (Attack Complexity: Low), no authentication required (Privileges Required: None), no user interaction needed (User Interaction: None), and it enables remote code execution (Impact: High on all three CIA metrics). The Scope: Changed metric is what lifts the score to the maximum: exploiting the logging library compromises the host application and system beyond the vulnerable component itself. The same metrics with Scope: Unchanged would score 9.8.
How to Detect and Prevent It
Use CVSS scores to prioritize vulnerability remediation. Fix Critical and High severity issues immediately. Address Medium issues within a sprint. Track Low issues but fix them during maintenance cycles. Then adjust for exploitability, because the Base score says nothing about whether anyone is actually attacking the flaw: a High CVSS vulnerability with no known exploit is usually lower priority than a Medium one that is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog or carries a high EPSS probability. Also check whether your code reaches the vulnerable function at all; SCA tools report the score of the dependency's CVE whether or not your application ever calls the affected code.
Frequently Asked Questions
What is a good CVSS score?
Lower is better. A CVSS score of 0.0 (rating None) means the flaw has no measurable impact on confidentiality, integrity, or availability. In practice, most production applications aim to have no Critical (9.0+) or High (7.0+) vulnerabilities in direct dependencies. Medium vulnerabilities should be tracked and addressed. Low vulnerabilities are usually tracked rather than gated on, but they are still vulnerabilities and can be chained with others.
Is CVSS the only way to prioritize vulnerabilities?
No. CVSS provides a Base severity score but does not account for your specific context. EPSS (Exploit Prediction Scoring System, from FIRST) estimates the probability that a CVE will be exploited in the wild within the next 30 days. SSVC (Stakeholder-Specific Vulnerability Categorization, from CMU SEI and CISA) is a decision tree that weighs exploitation status, technical impact, and mission or business impact and yields an action (for CISA's version: Track, Track*, Attend, Act) rather than a number. CISA's KEV catalog lists CVEs with confirmed exploitation. Use CVSS as a starting point and adjust based on exploitation evidence and your specific risk.
How do SCA tools use CVSS?
SCA tools query vulnerability databases (NVD, GitHub Advisory Database) and display the CVSS score for each finding. Note that sources can disagree: GitHub's advisory database assigns its own CVSS assessment, which may differ from NVD's for the same CVE, and some entries carry both v3.1 and v4.0 scores. Most tools let you set policies: block merges with Critical/High CVEs, warn on Medium, and ignore Low. This automates prioritization and prevents the most severe issues from reaching production.
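The remediation policy described under "How to Detect and Prevent It", the exploitability adjustment from the EPSS/SSVC answer, and the merge-gate rules above can be expressed as one small triage routine. The following is an added example, not code from the original page or from any SCA product. The findings are constructed sample data: only the Log4Shell score (10.0) and its KEV listing are real; the EPSS values, the other findings, and the 0.10 EPSS threshold are assumptions chosen for illustration.

```python
"""Triage SCA findings by CVSS severity with an exploitation override.

Added example (not from the original page). Sample findings are constructed;
thresholds are assumptions for illustration.
"""
from dataclasses import dataclass

# Assumption: an EPSS probability of 10% or more counts as "likely exploited".
EPSS_THRESHOLD = 0.10


@dataclass
class Finding:
    package: str
    advisory: str
    cvss: float          # CVSS Base score, 0.0-10.0
    direct: bool         # True for a direct dependency, False for transitive
    epss: float = 0.0    # EPSS probability, 0.0-1.0
    kev: bool = False    # listed in CISA's Known Exploited Vulnerabilities catalog


LEVEL = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def rating(score: float) -> str:
    """CVSS v3.x qualitative bands."""
    if score == 0.0:
        return "None"
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High" if score < 9.0 else "Critical"


def is_exploited(f: Finding) -> bool:
    """Evidence of real-world exploitation: KEV listing or high EPSS."""
    return f.kev or f.epss >= EPSS_THRESHOLD


def effective_severity(f: Finding) -> str:
    """Base rating, raised to at least High when exploitation evidence exists.
    None stays None: a score of 0.0 has no impact to exploit."""
    base = rating(f.cvss)
    if is_exploited(f) and 0 < LEVEL[base] < LEVEL["High"]:
        return "High"
    return base


def merge_gate_action(f: Finding) -> str:
    """CI policy: block on Critical/High, warn on Medium, ignore Low/None."""
    sev = effective_severity(f)
    if sev in ("Critical", "High"):
        return "block"
    return "warn" if sev == "Medium" else "ignore"


def remediation_window(f: Finding) -> str:
    """Remediation SLA: Critical/High now, Medium this sprint, Low at maintenance."""
    sev = effective_severity(f)
    if sev in ("Critical", "High"):
        return "immediately"
    return "within the sprint" if sev == "Medium" else "next maintenance cycle"


def prioritize(findings):
    """Highest first: effective severity, then exploitation evidence,
    then direct dependencies before transitive ones, then raw score."""
    return sorted(findings,
                  key=lambda f: (LEVEL[effective_severity(f)], is_exploited(f), f.direct, f.cvss),
                  reverse=True)


# Constructed sample scan output. Only the Log4Shell score and KEV status are real;
# the EPSS value and the remaining findings are illustrative.
SAMPLE_FINDINGS = [
    Finding("log4j-core", "CVE-2021-44228", 10.0, direct=True, epss=0.97, kev=True),
    Finding("lib-a", "constructed-1", 7.5, direct=True),                        # High, no exploit evidence
    Finding("lib-b", "constructed-2", 5.3, direct=False, epss=0.42, kev=True),  # Medium, actively exploited
    Finding("lib-c", "constructed-3", 2.0, direct=False),                       # Low, transitive
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.package:12} {f.advisory:16} cvss={f.cvss:4} "
              f"{effective_severity(f):8} gate={merge_gate_action(f):6} fix {remediation_window(f)}")
```

With this policy the exploited Medium in lib-b sorts above the unexploited High in lib-a and becomes a merge blocker, which is the ordering the prose above argues for; the Low transitive finding is kept in the list but does not gate the build.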