What does CVSS base score represent in vulnerability scoring?

Explanation:
The base score in CVSS represents the intrinsic severity of a vulnerability as it would affect a typical, standard environment. It’s built from factors that describe how the vulnerability can be exploited (attack vector, attack complexity, privileges required, user interaction) and the potential impact on confidentiality, integrity, and availability, with consideration of whether the impact stays within the affected component or could propagate (scope). The result is a numeric score from 0 to 10 that is meant to be environment-independent, providing a consistent severity rating across products.

This matters because the base score is not a probability of exploitation, nor does it reflect how quickly a patch will be released or how many systems are affected. Those aspects are handled by temporal and environmental modifiers or risk context, which can adjust the base score after it’s established.
