cvss4-scoring
Install: claude install-skill sunilgentyala/OmniRed
# CVSS v4.0 Scoring Guide
## Base Metrics
### Exploitability Metrics
| Metric | Values | Notes |
|---|---|---|
| AV (Attack Vector) | N/A/L/P | Network=remotely exploitable; Physical=requires device |
| AC (Attack Complexity) | L/H | H=requires specific conditions or luck |
| AT (Attack Requirements) | N/P | P=target must be in non-default configuration |
| PR (Privileges Required) | N/L/H | |
| UI (User Interaction) | N/P/A | N=no user needed; A=user must actively engage |
### Impact Metrics (Vulnerable System)
| Metric | Values |
|---|---|
| VC (Confidentiality) | H/L/N |
| VI (Integrity) | H/L/N |
| VA (Availability) | H/L/N |
### Impact Metrics (Subsequent Systems)
| Metric | Values | Notes |
|---|---|---|
| SC (Confidentiality) | H/L/N | Impact on other systems in scope |
| SI (Integrity) | H/L/N | |
| SA (Availability) | H/L/N | |
## Common Findings — Quick Scores
| Finding | CVSS v4.0 Vector | Score |
|---|---|---|
| Unauthenticated RCE | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H | 10.0 |
| SQLi (auth bypass) | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N | 9.3 |
| Stored XSS (session hijack) | AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N | 7.1 |
| Reflected XSS | AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N | 5.3 |
| SSRF (internal) | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N | 8.6 |
| IDOR (read) | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | 7.1 |
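
A base-vector validator for the metric tables and Quick Scores vectors above, as an added example that is not part of the OmniRed skill. It checks only the eleven base metrics and does not compute scores; the function names are hypothetical, and the optional `CVSS:4.0/` prefix comes from the FIRST specification rather than this page.

```python
# Added example: base-metric validator built from the tables on this page.
# Function names are hypothetical; allowed values are copied from the tables.
BASE_METRICS = {  # insertion order is the order the vectors on this page use
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN",
    "SC": "HLN", "SI": "HLN", "SA": "HLN",
}
PREFIX = "CVSS:4.0/"  # FIRST's vector prefix; the table on this page omits it

QUICK_SCORES = {  # vectors copied from the Quick Scores table
    "Unauthenticated RCE": "AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
    "Stored XSS (session hijack)": "AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
    "SSRF (internal)": "AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
}


def parse_base_vector(vector):
    """Return {metric: value} for a base vector, or raise ValueError naming the problem."""
    body = vector.strip()
    if body.startswith(PREFIX):
        body = body[len(PREFIX):]
    parsed = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in BASE_METRICS:
            raise ValueError(f"unknown or malformed metric {part!r}")
        if name in parsed:
            raise ValueError(f"duplicate metric {name!r}")
        if len(value) != 1 or value not in BASE_METRICS[name]:
            raise ValueError(f"invalid value {value!r} for {name}")
        parsed[name] = value
    missing = [m for m in BASE_METRICS if m not in parsed]
    if missing:
        raise ValueError("missing metrics: " + ", ".join(missing))
    if list(parsed) != list(BASE_METRICS):
        raise ValueError("metrics out of order")
    return parsed


def lint(vectors):
    """Map each finding name to its error; an empty dict means every vector is valid."""
    errors = {}
    for finding, vector in vectors.items():
        try:
            parse_base_vector(vector)
        except ValueError as exc:
            errors[finding] = str(exc)
    return errors
```

Running `lint()` over a report's findings catches the usual mistakes before a vector reaches a calculator: a v3.1 vector pasted into a v4.0 field, a dropped `AT` metric, or a value that the metric does not allow.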
## AI/LLM-Specific Scoring
Standard CVSS