Why CVSS scores often miss the real threat

A high CVSS score does not mean a vulnerability actually threatens you. A low one does not mean you can ignore it. CVSS is a useful standard for rating vulnerabilities, but treated as the only criterion it can send your budget and your team's attention to the wrong place. Here is where CVSS falls short, what JFrog's analysis found, and how to prioritize vulnerabilities closer to real risk.
What CVSS is and why it exists
The Common Vulnerability Scoring System (CVSS) is an open standard for rating the severity of vulnerabilities, maintained by FIRST. It gives a flaw a numeric score meant to help set the order of patching.
The NVD, run by NIST, assigns and publishes many of these scores. Security teams use them daily to judge urgency. The trouble starts when the number becomes the only thing a decision rests on.
What the JFrog analysis found
In 2022, JFrog analyzed the 50 most common vulnerabilities (CVEs) in open source software and compared the public CVSS scores against its own assessment of real-world impact. The gaps were large.
- Overstated severity. In 64% of cases the real impact was lower than the NVD score suggested. Companies then pour resources into fixing flaws that mean little in their environment.
- Take CVE-2022-3602. This flaw in X.509 certificate verification was first rated critical. A closer look showed marginal impact, because exploiting it in practice was very hard.
- Underrated flaws. Some common vulnerabilities that are dangerous in practice carried low CVSS scores. Those get deferred, and over time they turn into a real attack vector.
Why the score alone is not enough
CVSS has three limitations.
- No context. The same bug means one thing on an isolated internal system and something else on a service exposed to the internet. The base CVSS score does not see that.
- Attack complexity is simplified. A flaw that needs advanced knowledge or a chain with another bug can still get a high score, even though on its own it is hard to exploit.
- A static model. The score does not change over time. A new attack technique raises the real risk and an available patch lowers it, but the number stays the same until someone updates it by hand.
What this means for your company
Sticking only to CVSS scores has a measurable cost:
- you patch less important flaws while more dangerous ones wait in line,
- your security budget goes where it does not reduce real risk,
- vulnerabilities with a low score but high real impact sit in your systems for months.
CVSS 4.0 and where things are heading
The newer version of the standard, CVSS 4.0, is meant to address part of this. It adds urgency ratings from the product's maker, along with metrics that account for environmental conditions and exploit maturity.
The standard's own authors admit CVSS is not a complete answer. It is one tool among several, and you have to combine it with threat analysis and knowledge of your own environment.
How to prioritize vulnerabilities sensibly
- Rate in context. Factor in where the system runs, how it is exposed, and how critical the data it handles is.
- Keep the rating current. Track whether a working exploit or a patch has appeared, and reprioritize as you go.
- Combine sources. Treat CVSS as one part of wider risk management, alongside threat analysis and asset criticality.
The surest way to learn which flaws can actually be exploited in your setup is a penetration test. It shows real attack paths, not just a list of scores. Book a free consultation and let us find where the risk in your environment is genuinely high.
Book a free consultation and, in a penetration test, we will show which vulnerabilities can really be exploited in your environment.