Severity Levels

Vulnerabilities are classified by severity based on CVSS scores and potential impact. Understanding these levels helps prioritize remediation efforts.

Security Grades

Security grades are calculated based on the highest severity vulnerability found.

Grade   Score    Meaning
A+      90-100   No vulnerabilities found
A       80-89    Only informational findings
B       70-79    Low severity issues only
C       50-69    Medium severity issues present
D       30-49    High severity vulnerabilities
F       0-29     Critical vulnerabilities found
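The following is an added example, not the scanner's own code, of how a grade can be derived from a list of findings using exactly the CVSS bands and grade table documented on this page: each finding is classified by its CVSS score, and the grade is taken from the single worst severity present. The finding objects (an `id` plus a `cvss` score) and the sample findings are a constructed shape; the scanner's real data model is not shown here.

```javascript
// Added example (not the scanner's own code): classify findings by CVSS score
// and derive the security grade from the highest severity found, following
// the ranges documented on this page.

// Severity names ordered from least to most severe.
const SEVERITY_BY_RANK = ['info', 'low', 'medium', 'high', 'critical'];

// CVSS bands as documented: Critical 9.0-10.0, High 7.0-8.9,
// Medium 4.0-6.9, Low 0.1-3.9, Info 0.0.
function severityFromCvss(score) {
  if (typeof score !== 'number' || Number.isNaN(score) || score < 0 || score > 10) {
    throw new RangeError(`CVSS score out of range: ${score}`);
  }
  if (score >= 9.0) return 'critical';
  if (score >= 7.0) return 'high';
  if (score >= 4.0) return 'medium';
  if (score > 0) return 'low';
  return 'info';
}

// Grade table from the page: the grade depends only on the worst finding.
const GRADE_FOR_WORST = {
  none:     { grade: 'A+', range: '90-100' },
  info:     { grade: 'A',  range: '80-89' },
  low:      { grade: 'B',  range: '70-79' },
  medium:   { grade: 'C',  range: '50-69' },
  high:     { grade: 'D',  range: '30-49' },
  critical: { grade: 'F',  range: '0-29' },
};

// Returns the grade, its score band, the worst severity and a per-severity count.
function gradeFindings(findings) {
  let worstRank = -1;
  const counts = { info: 0, low: 0, medium: 0, high: 0, critical: 0 };
  for (const finding of findings) {
    const severity = severityFromCvss(finding.cvss);
    counts[severity] += 1;
    worstRank = Math.max(worstRank, SEVERITY_BY_RANK.indexOf(severity));
  }
  const worst = worstRank < 0 ? 'none' : SEVERITY_BY_RANK[worstRank];
  return {
    grade: GRADE_FOR_WORST[worst].grade,
    scoreRange: GRADE_FOR_WORST[worst].range,
    worst,
    counts,
  };
}

// Constructed sample findings: one medium, one low, one critical.
const sampleFindings = [
  { id: 'verbose-error-messages', cvss: 5.3 },
  { id: 'missing-security-header', cvss: 2.0 },
  { id: 'exec-with-user-input', cvss: 9.8 },
];

console.log(gradeFindings(sampleFindings));
// The single critical finding alone drives the result to grade F.
```

Because the grade is driven by the worst finding rather than by a sum, fixing a single critical issue can move a report from F to C or better in one step, which is why the remediation priorities below focus on the highest severities first.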

Critical

CVSS 9.0 - 10.0
Reduces grade to F

Critical vulnerabilities represent the highest risk. They can be exploited immediately with minimal effort and typically lead to full system compromise, remote code execution, or complete data breach.

Potential Impact

  • Remote code execution
  • Full system compromise
  • Complete data breach
  • Credential theft at scale

Examples

  • Command injection via child_process.exec() with user input
  • eval() or Function() with untrusted data
  • Hardcoded database credentials or API keys
  • Unrestricted file upload allowing code execution

Remediation Priority: Address immediately. Critical vulnerabilities should be fixed before any deployment.

High

CVSS 7.0 - 8.9
Reduces grade to D or lower

High severity vulnerabilities pose significant security risks. While exploitation may require some conditions to be met, successful attacks can result in substantial damage.

Potential Impact

  • Unauthorized data access
  • Privilege escalation
  • Significant data manipulation
  • Partial system compromise

Examples

  • SQL injection allowing data extraction
  • Path traversal enabling file read/write
  • SSRF vulnerabilities to internal services
  • Insecure deserialization of untrusted data

Remediation Priority: Fix within days. High severity issues should be prioritized in the next development cycle.

Medium

CVSS 4.0 - 6.9
Reduces grade to C or lower

Medium severity vulnerabilities require specific conditions for exploitation but can still lead to security compromises under the right circumstances.

Potential Impact

  • Limited unauthorized access
  • Information disclosure
  • Denial of service potential
  • Data integrity issues

Examples

  • Weak cryptographic algorithms (MD5, SHA1 for passwords)
  • Missing input validation on non-critical fields
  • Verbose error messages exposing internal details
  • Insufficient rate limiting

Remediation Priority: Plan to fix within weeks. Medium severity issues should be addressed in regular maintenance.

Low

CVSS 0.1 - 3.9
May reduce grade to B

Low severity vulnerabilities have limited impact and require significant effort or unlikely conditions to exploit. They represent minor security concerns.

Potential Impact

  • Minor information leakage
  • Potential for future issues
  • Non-standard security practices
  • Limited availability impact

Examples

  • Debug code left in production
  • Deprecated but not vulnerable functions
  • Missing security headers (non-critical)
  • Overly permissive CORS configuration

Remediation Priority: Address when convenient. Low severity issues can be batched with other maintenance work.

Info

CVSS 0.0
No grade impact

Informational findings are recommendations and best practices that don't represent immediate security risks but could improve overall security posture.

Potential Impact

  • Code quality improvement
  • Security best practices
  • Future-proofing suggestions
  • Documentation recommendations

Examples

  • Suggestions to use TypeScript strict mode
  • Recommendations for security documentation
  • Suggestions for additional input validation
  • Performance-related security improvements

Remediation Priority: Consider implementing. Informational findings are optional improvements.