Penetration Test | Jan Kahmen | 6 min read

What Is a 10 Out of 10? The Perfect CVSS Score

A clean 10.0 in CVSS is rare and follows an exact combination of metrics. What makes the perfect score, and why most findings stall at 9.8.

The Number at the End of Every Report

Every serious pentest report and every CVE record ends with a number between 0.0 and 10.0. From 9.0 upward, CVSS calls a vulnerability critical, and most dangerous flaws land in that range. A clean 10.0 is still rare. It is not a rounding artifact and not an analyst's gut feeling, but the result of one very specific combination of metrics that all have to sit at their worst value at the same time. This article shows which metrics those are, why most severe findings stall at 9.8, and what the difference actually means in practice.

Which Metrics Force a 10.0

In CVSS 3.1, the base score is built from eight base metrics. For the maximum rating, all eight have to take their worst possible value. The corresponding vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

| Metric | Value | Meaning |
|---|---|---|
| Attack Vector | Network (N) | reachable over the network, no local access needed |
| Attack Complexity | Low (L) | no special preconditions or race conditions |
| Privileges Required | None (N) | no authentication required at all |
| User Interaction | None (N) | no action by a victim needed |
| Scope | Changed (C) | the impact reaches beyond the vulnerable component |
| Confidentiality | High (H) | total loss of confidentiality |
| Integrity | High (H) | total loss of integrity |
| Availability | High (H) | total loss of availability |

In one sentence: an unauthenticated attacker reaches the target over the network, needs neither a trick nor the cooperation of any user, and ends up owning not just the affected application but everything behind it. That is the profile of a classic unauthenticated remote code execution. Anyone who wants to follow the score themselves can assemble the vector step by step in the official CVSS calculator by FIRST.org.

The Fine Line Between 9.8 and 10.0

This is where the most common misconception sits. A great many RCE flaws rated as critical carry a 9.8, not a 10.0, even though they are devastating in every respect. The only difference lies in a single metric, namely Scope.

With S:U (Scope Unchanged), the damage stays within the same security domain as the vulnerable component. An application is fully compromised, but the impact ends at its own boundary. That case, with otherwise maximal values, produces a 9.8. With S:C (Scope Changed), the impact jumps beyond the boundary of the vulnerable component, for instance when a hijacked service takes over the entire host system, the hypervisor, or neighboring containers. Only this crossover lifts the otherwise identical flaw from 9.8 to 10.0.

So whenever you read a genuine 10.0 in a report, you already know one thing for certain without any further context: the flaw breaks out of its own area of responsibility and drags other systems down with it.

Log4Shell as the Textbook Example

The most famous real 10.0 of recent years is Log4Shell (CVE-2021-44228). The NVD assigned exactly the vector shown above. A seemingly harmless logging library executed arbitrary code through a JNDI lookup as soon as it logged an attacker-controlled string. The impact reached not only the log component itself, but the entire Java process and, through it, the underlying infrastructure. It is precisely this crossover into foreign components that justifies the S:C and therefore the full maximum rating. The combination of trivial triggering through a single string, missing authentication, and complete system takeover made Log4Shell the prime example of how a 10.0 comes about.

Counter-Check: Why Our Argo CD Flaw Was Only a 7.3

The score only becomes tangible in a direct comparison. The stored XSS in Argo CD that our analyst found (CVE-2026-45738) carries the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N and therefore a 7.3. Place the two vectors side by side and you can see, metric by metric, what is missing for a 10.0.

| Metric | Argo CD (7.3) | Perfect 10.0 |
|---|---|---|
| Attack Vector | Network | Network |
| Attack Complexity | Low | Low |
| Privileges Required | Low (write access to an Application) | None |
| User Interaction | Required (an admin must click the link) | None |
| Scope | Unchanged (stays within the application) | Changed |
| Confidentiality | High | High |
| Integrity | High | High |
| Availability | None (availability untouched) | High |

Four metrics separate the two findings. The XSS needs a low-privileged account with write access, it needs a click from the victim, it stays within the trust context of the application, and it costs no availability. Each one of these four properties pushes the score down. A 10.0 demands that none of them apply. This also makes clear why the 7.3 is conservative here: in a GitOps context, an application owner effectively escalates to full cluster access through the admin's click, which the base score alone does not capture. That is exactly what the temporal and environmental metrics are for.

How CVSS 4.0 Redraws the Perfect 10

With CVSS 4.0, FIRST rebuilt the scoring, and the familiar Scope metric disappeared in the process. In its place come separate impact metrics for the vulnerable system (VC, VI, VA) and for subsequent systems (SC, SI, SA). A 10.0 in 4.0 requires the vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H, that is, all attack metrics at their easiest value and all six impact dimensions at High.

The underlying idea remains the same: a perfect 10 compromises both the directly vulnerable system and everything behind it. New additions are the Attack Requirements metric (AT), which has to sit at None for the maximum rating, and the finer separation of impact. The logic of the scope crossover now lives in the subsequent-system metrics. Here too, the CVSS 4.0 calculator by FIRST.org helps you follow the rating yourself.

Why a 10.0 Is Not the End of the Assessment

As definitive as the number looks, it measures the severity of a vulnerability, not the concrete risk in your environment. A 10.0 with no publicly available exploit, sitting in a tightly segmented internal network, can be operationally less urgent than an 8.1 at the internet edge for which a ready-made exploit kit has long been circulating. The CVSS 3.1 standard explicitly states that the base score should be supplemented by temporal and environmental metrics before it is used for prioritization. The 10.0 is therefore an important signal, but the start of a risk assessment and not its conclusion.

Conclusion

A 10.0 is not a superlative meaning "especially bad", but an exactly defined state: reachable from a distance, with no hurdle, without a victim's cooperation, and with total damage that reaches beyond its own component. The narrow line between 9.8 and 10.0 is decided in CVSS 3.1 by Scope alone, and in CVSS 4.0 by the impact on subsequent systems. Our own Argo CD flaw shows the reverse: how quickly four small constraints lead a finding away from the maximum rating. Anyone who wants to read the scores in their own report correctly should therefore look not at the bare number, but at the vector behind it. That is where it says what the flaw can really do.