Severity levels
A severity level is applied to a vulnerability to indicate the risk that vulnerability poses in an application. Severity levels are key factors in vulnerability assessment, and can be:
  • Low: the application may expose some data allowing vulnerability mapping, which can be used with other vulnerabilities to attack the application.
  • Medium: may allow attackers under some conditions to access sensitive data on your application.
  • High: may allow attackers to access sensitive data on your application.
  • Critical: may allow attackers to access sensitive data and run code on your application.
Severity levels also apply to license issues. See Licenses overview.

Determining severity levels

The Common Vulnerability Scoring System (CVSS) determines the severity level of a vulnerability.
At Snyk, we use CVSS framework version 3.1 to communicate the characteristics and severity of vulnerabilities.
Severity level    CVSS score
Low               0.0 - 3.9
Medium            4.0 - 6.9
High              7.0 - 8.9
Critical          9.0 - 10.0
Severity levels may not always align to CVSS scores. For example, Snyk Container severity scores for Linux vulnerabilities may vary depending on NVD severity rankings; see Understanding Linux vulnerability severity for more details.

Severity and priority scoring

Severity levels are one factor feeding into Snyk's Priority Score for each vulnerability, along with factors such as Snyk’s Exploit Maturity and Reachable Vulnerabilities information. Together, this scoring helps developers determine which vulnerabilities should be addressed first.
See Snyk Priority Score for details of how severity levels are used in Snyk's priority scores.

Viewing severity levels in Snyk

Severity levels are displayed throughout Snyk, so this information is always visible: for example, in the initial dashboard, for your projects, and for each vulnerability in a project.
See Getting started documentation for more details of using Snyk.