Quick Reference
| Field | What It Answers | Example | Use It For |
|---|---|---|---|
| Severity | How serious is the technical impact? | Critical, High, Medium | First-pass triage and dashboards. |
| CVE | Which publicly disclosed vulnerability is this? | CVE-2024-3094 | Vendor advisories, patches, threat intelligence, and reporting. |
| CWE | What weakness category caused this? | CWE-89 SQL Injection | Root-cause analysis, secure coding, and prevention. |
| CVSS | How severe is the vulnerability under a standard scoring model? | 9.8 Critical | Comparing technical severity across tools and vendors. |
| EPSS | How likely is this CVE to be exploited in the wild soon? | 0.87, 97th percentile | Prioritizing vulnerabilities that attackers are more likely to use. |
| CISA KEV | Is there evidence of active exploitation? | Listed / Not listed | Urgent remediation and executive escalation. |
| OWASP Top 10 | Which broad web application risk category is this? | A03 Injection | Awareness, reporting, and program-level risk grouping. |
| OWASP WSTG | Which testing-guide area maps to this issue? | WSTG-INPV-05 | Manual validation and test planning. |
Severity
Severity is VulnScan’s categorical view of technical impact and exploitability. It helps users quickly filter and sort findings.| Level | Meaning | Typical Response |
|---|---|---|
| Critical | A serious issue that can commonly lead to system compromise, major data exposure, authentication bypass, or remote code execution. | Review immediately and assign an owner. |
| High | A high-impact weakness or exposed vulnerable component that is likely to matter in real environments. | Prioritize in the next remediation cycle. |
| Medium | A meaningful security weakness that usually needs context, chaining, or additional conditions. | Track and fix according to risk and ownership. |
| Low | A lower-impact issue or hardening gap. | Fix as part of hygiene or planned maintenance. |
| Info | Useful security context rather than a confirmed vulnerability. | Use for investigation and scope understanding. |
CVE
CVE stands for Common Vulnerabilities and Exposures. It is a globally used identifier for publicly disclosed cybersecurity vulnerabilities. A CVE ID gives teams a stable name for the same vulnerability across vendors, advisories, scanners, ticketing systems, and threat-intelligence feeds. For example, a vendor advisory, a patch note, and a VulnScan finding can all refer to the sameCVE-YYYY-NNNN identifier.
How to read it:
- A CVE identifies a disclosed vulnerability, not a weakness pattern.
- A CVE does not automatically prove that your exact system is exploitable.
- A CVE may affect multiple products, versions, platforms, or deployment modes differently.
- A CVE may exist before all scores, patches, or exploit intelligence are complete.
- Maps detected products and versions to known CVEs when there is enough concrete evidence.
- Adds references, severity scores, exploit intelligence, and remediation context where available.
- Avoids noisy wildcard-only matches when product/version evidence is too weak.
CWE
CWE stands for Common Weakness Enumeration. It classifies the underlying type of weakness that can lead to vulnerabilities. CWE is about the root cause or weakness category. For example, SQL injection is commonly mapped toCWE-89; path traversal is commonly mapped to CWE-22.
How to read it:
- CWE describes the type of mistake, design weakness, or implementation flaw.
- CWE is not a specific vulnerability instance.
- Many different CVEs can map to the same CWE.
- A finding without a CVE can still have a CWE because the issue may be a custom application weakness rather than a known vulnerable product.
- Groups findings by weakness type.
- Helps engineering teams understand why the issue exists.
- Supports OWASP Top 10 and reporting mappings.
- Helps teams identify recurring secure-development problems.
CVSS
CVSS stands for Common Vulnerability Scoring System. It provides a standard way to describe and score the technical severity of a vulnerability, usually on a 0.0 to 10.0 scale. How to read it:| Range | Common Rating |
|---|---|
| 9.0-10.0 | Critical |
| 7.0-8.9 | High |
| 4.0-6.9 | Medium |
| 0.1-3.9 | Low |
| 0.0 | None |
CVSS:3.1/AV:N/AC:L/.... The vector explains why the score was assigned, including factors such as network accessibility, attack complexity, required privileges, user interaction, and impact.
How VulnScan uses it:
- Displays CVSS when available from vulnerability intelligence.
- Uses CVSS as one input to severity and risk prioritization.
- Keeps CVSS separate from EPSS and KEV because technical impact is different from real-world exploitation likelihood.
- CVSS is not a probability score.
- CVSS is not specific to your business environment unless environmental scoring is available.
- A lower CVSS vulnerability can still be urgent if it is actively exploited, exposed to the Internet, or easy to chain.
EPSS
EPSS stands for Exploit Prediction Scoring System. It estimates the probability that exploitation activity for a vulnerability will be observed in the wild over the next 30 days. How to read it:- EPSS score is usually shown from 0 to 1, or as a percentage.
- Higher means exploitation is statistically more likely.
- Percentile shows how the CVE ranks compared with other scored vulnerabilities.
- EPSS changes over time as exploitation signals and vulnerability data change.
- Helps distinguish “severe but rarely exploited” from “likely to be exploited soon.”
- Raises prioritization when a finding has both meaningful impact and high exploitation probability.
- Supports remediation ordering when teams cannot fix everything at once.
- EPSS does not measure technical impact.
- EPSS does not know whether your exact asset is reachable or important.
- EPSS complements CVSS; it does not replace it.
CISA KEV
CISA KEV refers to the Known Exploited Vulnerabilities Catalog maintained by the U.S. Cybersecurity and Infrastructure Security Agency. A CVE appears in KEV when there is evidence that it has been exploited. KEV is one of the strongest signals that a vulnerability should be treated as urgent, especially when the affected asset is exposed or important. How VulnScan uses it:- Flags findings whose CVE appears in the KEV catalog.
- Uses KEV as a prioritization signal in risk scoring.
- Helps teams escalate vulnerabilities that are known to be used by attackers.
- Not being in KEV does not mean a vulnerability is safe.
- KEV is about known exploitation evidence, not every possible exploit.
- KEV should be combined with exposure, asset criticality, compensating controls, and patch availability.
OWASP Top 10
OWASP Top 10 is a widely used awareness document for web application security risks. It groups common and high-impact web application risk areas into ten broad categories. Examples of categories include broken access control, cryptographic failures, injection, security misconfiguration, vulnerable components, authentication failures, and SSRF. How VulnScan uses it:- Maps findings to the closest OWASP Top 10 category where evidence is available.
- Helps security teams communicate web application risk to developers and management.
- Supports program reporting, dashboards, and trend analysis.
- OWASP Top 10 is not a complete vulnerability list.
- It is a category model, not a scanner test name.
- A finding can be important even if it does not map cleanly to one OWASP Top 10 category.
OWASP WSTG
OWASP WSTG stands for Web Security Testing Guide. It is a testing methodology and reference for evaluating web application security controls. WSTG mappings help analysts understand how a finding relates to manual testing areas, such as input validation, authentication testing, session management, authorization testing, configuration testing, and business-logic testing. How VulnScan uses it:- Adds WSTG references when a finding maps to a recognized testing area.
- Helps analysts validate issues manually when needed.
- Helps teams align automated scan results with security testing programs.
- WSTG is not a severity score.
- WSTG mapping does not mean VulnScan ran every manual test in the guide.
- It is a reference that helps explain and reproduce the testing approach.
How to Prioritize Findings
Use these signals together:- Start with Critical and High severity.
- Escalate findings that are listed in CISA KEV.
- Prioritize high EPSS findings when they affect exposed systems.
- Use CVSS to compare technical severity across products.
- Use CWE and OWASP mappings to route issues to the right engineering owners.
- Use WSTG references for manual validation or deeper testing.
- Confirm business impact, exposure, authentication requirements, and compensating controls.