SecPrep

Explain CVSS base/temporal/environmental metrics and the key limitations of scoring with CVSS.

CVSS splits a score into three metric groups (v4.0 adds a fourth, Supplemental, which carries context but does not change the score). Base captures the intrinsic, time-independent traits of the vulnerability: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and the Confidentiality, Integrity and Availability impacts (v4 drops Scope and instead scores impact on the vulnerable system and on subsequent systems separately). This is the number vendors and NVD publish and the one most people cite. Temporal (renamed Threat in v4) scales the base score for conditions that change over time: Exploit Code Maturity, Remediation Level and Report Confidence in v3.1, Exploit Maturity alone in v4. Environmental lets the consumer re-score for their own deployment by overriding any base metric with a Modified value (Modified Attack Vector for a host reachable only from an internal network, Modified Privileges Required where an authentication gateway sits in front, and so on) and by weighting the Confidentiality, Integrity and Availability Requirements to reflect the value of the affected asset. Limitations: the base score measures technical severity, not risk, so it says nothing about whether the asset is exposed, whether a working exploit exists, or what a compromise would cost the business; the formula compresses many very different issues into the 7.0 to 9.0 band, so it discriminates poorly between them; the inputs are judgement calls, and the same bug is routinely scored differently by the vendor, the researcher and NVD; and organisations often patch on base score alone. In practice, compute the Environmental score for your own context and combine it with exploitation signals such as EPSS probabilities and the CISA KEV catalogue when prioritising.
