NVD Explained: How to Read Vulnerability Reports Using CVSS and EPSS
The National Vulnerability Database (NVD) is where every CVE entry lives. Here is what each field means, how CVSS impact scores are calculated, and how EPSS tells you whether anyone is actively exploiting it right now.
Key Takeaway
NVD (National Vulnerability Database) enriches each CVE with CVSS base scores and CIA impact scores on a 0-10 scale. EPSS adds a daily exploit-probability score (0-1). Use both together: a Medium CVSS score with EPSS above 0.1 should be treated as High. Look up every CVE at nvd.nist.gov before deciding how fast to patch.
What Is the NVD?
The National Vulnerability Database (NVD)is NIST's public repository of known software vulnerabilities. When a CVE ID is assigned-by MITRE or a CVE Numbering Authority-the NVD picks it up and adds CVSS scores, affected product ranges, and remediation references.
When your security scanner reports CVE-2024-12345 with a score of 8.1, that number came from NVD. The NVD database is searchable at nvd.nist.gov, and every entry has the same structure: a plain-language description, CVSS v3.1 base score with subscores, and a list of affected software versions in CPE (Common Platform Enumeration) format.
Why does this matter in practice? Because the NVD entry is where you find out which versions are vulnerable, whether a patch exists, and how severe the real-world impact is-not just a number out of ten.
CVSS Base Score and Impact Score
CVSS (Common Vulnerability Scoring System) rates vulnerability severity on a 0-10 scale, maintained by FIRST.org. The base score is built from two groups of metrics.
Exploitability metrics:
- Attack Vector (AV). Network (remote), Adjacent (local network), Local (physical access), or Physical. Network-based vulnerabilities are the most dangerous-anyone on the internet can attempt them.
- Attack Complexity (AC). Low means no special conditions. High means the attacker needs a race condition or specific configuration to land the exploit.
- Privileges Required (PR). None, Low (regular user), or High (admin). None is worst-it means unauthenticated attacks.
- User Interaction (UI). None means fully automated exploitation. Required means a victim must click a link or visit a page.
Impact metrics (the "impact score" portion of an NVD entry):
| Impact Dimension | What It Measures | High Means |
|---|---|---|
| Confidentiality | Can the attacker read data? | Full database access, password leaks |
| Integrity | Can they modify data? | Arbitrary writes, tampered records |
| Availability | Can they crash the system? | DoS, server crash, resource exhaustion |
A SQL injection vulnerability on a user database would score High on all three-full read, full write, and potential DoS. That pushes the base score to 9+ (Critical). A missing Referrer-Policy header scores Low on confidentiality and nothing on integrity or availability-that lands in the 3-4 range (Low-Medium).
You can calculate scores yourself using the FIRST.org CVSS v3.1 Calculator.
Severity bands:
| Level | CVSS Range | Action |
|---|---|---|
| Critical | 9.0 - 10.0 | Fix immediately. Drop what you're doing. |
| High | 7.0 - 8.9 | Fix this week. |
| Medium | 4.0 - 6.9 | Schedule in current sprint. |
| Low | 0.1 - 3.9 | Address opportunistically. |
EPSS: Predicting Exploit Likelihood
CVSS measures severity. EPSS measures probability. EPSS (Exploit Prediction Scoring System) is a 0-1 daily score that estimates the probability a CVE will be exploited in the wild within the next 30 days. It is published by FIRST.org and updated every 24 hours based on observed threat intelligence.
Here is why this changes your prioritization: a CVE with CVSS 7.5 and EPSS 0.03 is lower priority than a CVE with CVSS 5.5 and EPSS 0.68. The second one has active exploitation happening right now, despite a lower severity score.
A practical rule:
- EPSS < 0.05 - base priority on CVSS alone
- EPSS 0.05-0.1 - watch and patch within normal timeline
- EPSS > 0.1 - treat as one severity level higher than CVSS suggests
- EPSS > 0.5 - active exploitation likely; treat as Critical regardless of CVSS
Most modern scanners pull EPSS automatically and include it alongside the CVSS score. If yours does not, look up any CVE at first.org/epss or via the EPSS API at api.first.org.
Looking Up a CVE in the NVD Database
When a security report lists a CVE ID, this is the lookup flow:
- Go to nvd.nist.gov and search the CVE ID (e.g.
CVE-2024-12345) - Read the description-confirm your software and version are in the affected range
- Note the CVSS v3.1 base score and the three CIA impact subscores
- Check the CPE entries-these list exact affected versions as machine-readable identifiers
- Open the References section and find the vendor advisory or patch link
- Cross-check EPSS if your scanner did not include it
The NVD database CPE entries are how automated scanners match CVEs to your specific stack. If your scanner reports a CVE but you are running a version outside the affected range, check the CPE list before investing time in a patch that does not apply to you.
Prioritizing Fixes
Use CVSS and EPSS together. This table covers most situations:
| CVSS Level | EPSS | Priority |
|---|---|---|
| Critical (9+) | Any | Fix within hours. Not days. |
| High (7-8.9) | > 0.1 | Fix this week. |
| High (7-8.9) | < 0.1 | Fix this sprint. |
| Medium (4-6.9) | > 0.1 | Treat as High-this sprint. |
| Medium (4-6.9) | < 0.1 | Next sprint. |
| Low (0.1-3.9) | Any | Backlog-address when touching related code. |
Context adjusts everything. A Medium CORS misconfiguration on a static marketing page is genuinely medium. The same misconfiguration on your payments API is effectively Critical-same CVSS, different blast radius. Always factor in what data or capability is exposed, not just the raw score from NVD.
When you run a scan with ismycodesafe.com, each finding includes the mapped NVD CVE ID, CVSS base score, and remediation guidance. Start with the Critical and High findings, look them up in the NVD database to verify your version is affected, then work down the list using the EPSS-adjusted priority above.
Check your website right now
110 security checks in 60 seconds. Free, no signup required.
Scan My Website (Free)ismycodesafe.com Security Team
We run automated security scans on thousands of websites daily, combining static analysis, SSL/TLS inspection, header auditing, and CVE lookups. Our team tracks OWASP, NIST, and evolving compliance requirements (GDPR, NIS2, PCI DSS) to keep these guides accurate and practical.