CVSS Fragmentation

Purpose and context

  • This page provides regularly updated, quantitative evidence about CVSS score fragmentation in the NVD. “Fragmentation” means that the same CVE is not consistently scored across time and across CVSS versions (v2.0, v3.x, v4.0) - or lacks the parallel scores needed for consistent comparison.
  • Why it matters: fragmentation reduces comparability, complicates automation (mixed versions, gaps), and increases decision risk (fixed thresholds yield different worklists across versions). It also breaks time series and can hinder ML workflows that require stable labels.
  • Update schedule: the dataset and figures are recomputed monthly at the end of each month from the current NVD JSON feeds. Use the dropdown to select a snapshot date; all tables and figures update accordingly.

If you use these results or figures in your work, please cite (currently under review):

  • “Fragmentation of CVSS Scores in the NVD: A Quantitative Analysis of Inconsistency Across Vulnerability Scoring Standards”, Michał Walkowski, Maciej Nowak, Artur Balsam, Kacper Nowak, Jacek Oko, Sławomir Sujecki.

Methodology (concise)

  • Data source and scope: NVD JSON feeds (CVE 5.0 model), all CVEs 1988 - present at the snapshot. Fully automated acquisition and deterministic transforms; duplicates removed; basic checks of vectorString syntax for version compliance.
  • Version sets: per‑version coverage and a v3.x union (v3.1 preferred over v3.0 for single‑number representatives). Intersections (e.g., v2∩v3.x∩v4) and coverage gaps (e.g., “v3.x without v2.0”).
  • Severity mapping: 5 classes - Informational (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0). Records without a base score for a given version are excluded from that version’s severity distribution but counted in global totals where appropriate.
  • Cross‑version comparisons: summary differences (v3.x - v2.0), v3.0 vs v3.1 agreement, and correlations by version pairs on their common domains. Temporal views compute annual coverage and annual means by version.

Examples of version-dependent severity changes

These three CVEs illustrate how severities vary across CVSS versions. Going from v2.0 to v3.1, one case escalates from High to Critical (CVE-2021-22566: 7.5→9.8), one remains Low (CVE-2024-10122: 3.3→2.7), and one remains High with a minor change (CVE-2024-10156: 7.5→7.3). In v4.0, all three are Medium (5.1 / 5.1 / 6.9). Under a policy with fixed thresholds (e.g., handling High/Critical within a set timeframe), the set of prioritized items can therefore differ depending on which version is read.

CVE ID           v2.0         v3.0   v3.1             v4.0
CVE-2021-22566   High (7.5)   -      Critical (9.8)   Medium (5.1)
CVE-2024-10122   Low (3.3)    -      Low (2.7)        Medium (5.1)
CVE-2024-10156   High (7.5)   -      High (7.3)       Medium (6.9)
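
The effect of a fixed High/Critical threshold on these three records can be reproduced with the short script below. It is an added example, not code from the authors or the NVD; the function names are hypothetical, and it uses only the five-class severity mapping and the v3.x rule (v3.1 preferred over v3.0) from the Methodology section together with the scores in the table above.

```python
# Added illustration: names are hypothetical, not from the authors' tooling.
# Base scores are copied from the example table above; None = no score for that version.
SCORES = {
    "CVE-2021-22566": {"v2.0": 7.5, "v3.0": None, "v3.1": 9.8, "v4.0": 5.1},
    "CVE-2024-10122": {"v2.0": 3.3, "v3.0": None, "v3.1": 2.7, "v4.0": 5.1},
    "CVE-2024-10156": {"v2.0": 7.5, "v3.0": None, "v3.1": 7.3, "v4.0": 6.9},
}
# Upper bound of each class in the page's five-class mapping.
BANDS = [(0.0, "Informational"), (3.9, "Low"), (6.9, "Medium"),
         (8.9, "High"), (10.0, "Critical")]

def severity(score):
    """Map a base score to a class; None (version not scored) stays None."""
    if score is None:
        return None
    score = round(score, 1)  # base scores are one-decimal values
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"base score out of range: {score}")
    return next(label for upper, label in BANDS if score <= upper)

def representative(record, version):
    """Score for a version; 'v3.x' is the union with v3.1 preferred over v3.0."""
    if version == "v3.x":
        v31 = record.get("v3.1")
        return v31 if v31 is not None else record.get("v3.0")
    return record.get(version)

def worklist(scores, version, actionable=("High", "Critical")):
    """CVE IDs a fixed-threshold policy selects when reading one CVSS version."""
    return sorted(cve for cve, rec in scores.items()
                  if severity(representative(rec, version)) in actionable)

def severity_changes(scores, old, new):
    """CVEs scored in both versions whose severity class differs."""
    out = {}
    for cve, rec in scores.items():
        a = severity(representative(rec, old))
        b = severity(representative(rec, new))
        if a and b and a != b:
            out[cve] = (a, b)
    return out

if __name__ == "__main__":
    for v in ("v2.0", "v3.x", "v4.0"):
        print(v, worklist(SCORES, v))
    print(severity_changes(SCORES, "v3.x", "v4.0"))
```

The same policy yields a two-item worklist under v2.0 and v3.x and an empty one under v4.0, while records lacking a score for the chosen version drop out silently, which is the coverage-gap case the page measures.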

Severity changes summary

This table summarizes the prevalence of severity changes across the complete NVD‑derived dataset. The data indicate that roughly a quarter of analyzed CVEs change severity across versions, with over a hundred distinct change patterns. Common transitions include Medium→High when moving from v2.0 to v3.x; for records with v4.0, scores often re‑center around Medium. These observations suggest that severity shifts are systematic and relevant for long‑term and cross‑version analyses.

Table columns: Metric; Value.

Coverage by CVSS versions

This table lists counts and percentages of CVE records with any CVSS score and by version (v2.0, v3.x, v4.0) for the selected snapshot; the accompanying figure provides a visual breakdown.

Table columns: Item; Count; Percent [%].
Figure: Coverage by CVSS versions.

Version coverage

This table lists counts and percentages of CVE records by CVSS version for the selected snapshot, including share of all CVEs and share of records with any CVSS score.

Table columns: Version; Count; % of all CVEs; % of scored.

Intersections

This table lists counts and percentages for intersections of CVSS coverage across versions (v2.0 ∩ v3.x, v2.0 ∩ v4.0, v3.x ∩ v4.0, and v2.0 ∩ v3.x ∩ v4.0) for the selected snapshot.

Table columns: Intersection; Count; % of all CVEs; % of v2; % of v3.x; % of v4.

Coverage gaps

This table lists counts and percentages for gaps where a CVSS version is present while another is absent, reported per version pair for the selected snapshot.

Table columns: Gap; Count; % of set.

Severity comparison for v2.0 ∩ v3.x ∩ v4.0

This table lists per‑severity counts and column percentages for CVSS v2.0, v3.0, v3.1, and v4.0 base scores within the v2.0 ∩ v3.x ∩ v4.0 set for the selected snapshot; the figure below provides a visual comparison of the same categories.

Table columns: Severity; CVSS v2.0; CVSS v3.0; CVSS v3.1; CVSS v4.0.
Figure: Severity distribution comparison (v2.0, v3.1, v4.0).

CVSS 3.0 vs 3.1 severity distribution (comparison)

This table compares per‑severity counts and percentages for CVSS v3.0 and v3.1 base scores for the selected snapshot; the figure below provides a visual comparison of the same categories.

Table columns: Severity; v3.0 (count, %); v3.1 (count, %).
Figure: CVSS 3.0 vs 3.1 severity distribution (comparison).

CVSS v2.0 severity distribution

This table lists per‑severity counts and percentages for CVSS v2.0 base scores for the selected snapshot; the figure below shows the base‑score distribution.

Table columns: Severity; Count; Percent [%].
Figure: CVSS v2.0 base score distribution.

CVSS v3.x severity distribution

This table lists per‑severity counts and percentages for CVSS v3.x base scores for the selected snapshot; the figures below show base‑score distributions for v3.0 and v3.1.

Table columns: Severity; Count; Percent [%].
Figure: CVSS v3.0 base score distribution.
Figure: CVSS v3.1 base score distribution.

CVSS v4.0 severity distribution

This table lists per‑severity counts and percentages for CVSS v4.0 base scores for the selected snapshot; the figure below shows the base‑score distribution.

Table columns: Severity; Count; Percent [%].
Figure: CVSS v4.0 base score distribution.

CVSS version coverage by publication year

This table lists counts and percentages of CVE records with CVSS coverage by publication year for the selected snapshot; the figures below show CVE counts per year and the CVSS version coverage trend.

Table columns: Year; Total; v2.0 [%]; v3.x [%]; v4.0 [%].
Figure: CVE count per year (published).
Figure: CVSS version coverage trend over time.

Mean base score by year

This table lists mean CVSS base scores by year for v2.0, v3.x, and v4.0 (base scores only), along with the difference between v3.x and v2.0, for the selected snapshot.

Table columns: Year; Mean v2.0; Mean v3.x; Mean v4.0; Difference (v3.x − v2.0).

v3.x − v2.0 base score differences

This table lists summary statistics for Δ = baseScore(v3.x) − baseScore(v2.0) on the common intersection set; the histogram below shows the distribution of pointwise differences.

Table columns: Metric; Value.
Figure: Distribution of differences Δ = baseScore(v3.x) − baseScore(v2.0).
Figure: Empirical cumulative distribution of differences (Δ).
Figure: Correlation of v2.0 vs v3.x scores.
Figure: Differences Δ by CVSS v2.0 severity category.