| Priority | Description |
| --- | --- |
| Not Vulnerable | Packages which do not exist (DNE) in the archive, are not affected by the vulnerability, or have a fix applied in the archive. |
| Pending | A fix has been applied and updated packages are awaiting arrival into the archive. This is often used when a package is received into -proposed for wider testing. |
| Unknown | Open vulnerability where the priority is currently unknown and needs to be triaged. |
| Negligible | Open vulnerability that is technically a security problem, but is only theoretical in nature, requires a very special situation, has almost no install base, or does no real damage. These tend not to get backported from upstream, and will likely not be included in security updates unless there is an easy fix and some other issue causes an update. |
| Low | Open vulnerability that is a security problem, but is hard to exploit due to environment, requires a user-assisted attack, a small install base, or does very little damage. These tend to be included in security updates only when higher priority issues require an update, or if many low priority issues have built up. |
| Medium | Open vulnerability that is a real security problem, and is exploitable for many people. Includes network daemon denial of service attacks, and gaining user privileges. |
| High | Open vulnerability that is a real problem, exploitable for many people in a default installation. Includes serious remote denial of services, local root privilege escalations, or data loss. |
| Critical | Open vulnerability that is a world-burning problem, exploitable for nearly all people in a default installation. Includes remote root privilege escalations, or massive data loss. |

Note that these priority levels may differ from other published severity levels (like CVSS as used in the National Vulnerability Database). The priorities assigned to vulnerabilities in Ubuntu are used to prioritize when CVEs will be fixed, as opposed to being just an assessment of importance or risk. The priority is based on several factors, including the risk, importance, install base, and any other factors which may lessen the impact of certain vulnerabilities, such as specific proactive security features or uncommon configuration.