00 OWASP Quick Presets

Select a vulnerability category from any OWASP year to auto-fill base metrics with a realistic average configuration.


01 Exploitability Metrics
Attack Vector
How is the target reachable? Network (AV:N) = remotely exploitable over the internet — highest weight. Adjacent = same LAN/Bluetooth. Local = requires shell/login. Physical = hands-on device access.

Attack Complexity
Can you reproduce the attack reliably? Low (AC:L) = consistent, no special conditions (most web bugs). High = requires race conditions, a specific configuration, or chaining with another bug to trigger.

Privileges Required
Does the attacker need an account? None (PR:N) = unauthenticated — highest impact. Low = regular user (most IDOR/BOLA bugs). High = admin panel required. The Low and High weights increase when Scope is Changed.

User Interaction
Does a victim need to do something? None (UI:N) = attacker acts alone (IDOR, RCE, SQLi). Required (UI:R) = victim must click a link or open a file (Stored XSS, CSRF, phishing chains).

Scope
Can the vulnerability reach beyond the targeted component? Unchanged (S:U) = impact stays within the app. Changed (S:C) = attacker pivots to other systems — e.g. SSRF → cloud metadata, XSS → session hijack beyond the origin, sandbox escape.

02 CIA Impact Triad

What can the attacker access, modify, or destroy? This directly determines your impact sub-score and bounty tier.

Confidentiality (C)
Can the attacker read sensitive data? High = full dump (tokens, PII, source code, creds). Low = partial exposure (leaked IDs, metadata, partial response). None = no data exposed.

Integrity (I)
Can the attacker modify data or behavior? High = full write access — DB records, configs, code exec. Low = limited write (IDOR partial update, reflected payload). None = read-only bug.

Availability (A)
Can the attacker take down the service? High = full DoS — crash, OOM, sustained 100% CPU. Low = degraded performance, rate-limited DoS. None = service unaffected.

Built by Mohammed Zureigat // Xia0checkmate