
CVSS v3.1 Base Score Calculator

Choose the Base Metrics below to calculate the CVSS score, severity rating, and vector string.

What is CVSS and why use a calculator?

CVSS (Common Vulnerability Scoring System) is a standardized framework for rating the severity of software vulnerabilities. Security teams use CVSS to prioritize remediation work, compare risks across products, and communicate impact to technical and non-technical stakeholders. A CVSS calculator helps turn metric selections into a reproducible numeric score and severity band.

How this CVSS calculator works

This page calculates the CVSS v3.1 Base Score using the official formula. The Base Score reflects intrinsic characteristics of a vulnerability that are constant over time and across user environments. After selecting each metric, the calculator returns:

  • Base Score from 0.0 to 10.0
  • Severity rating (None, Low, Medium, High, Critical)
  • Vector string in CVSS format for reports and tickets

CVSS Base Metrics explained

Exploitability metrics

These metrics estimate how easy it is for an attacker to exploit the vulnerability:

  • Attack Vector (AV): Network is generally most dangerous because exploitation can be remote.
  • Attack Complexity (AC): High complexity lowers score because exploitation needs special conditions.
  • Privileges Required (PR): Fewer required privileges increase risk.
  • User Interaction (UI): If no user action is needed, risk usually rises.

Impact metrics

These metrics measure the impact on a vulnerable component:

  • Confidentiality (C): Exposure of sensitive information.
  • Integrity (I): Unauthorized modification of data or systems.
  • Availability (A): Service disruption or complete outage.

Scope

Scope (S) determines whether exploitation stays within the same security authority (Unchanged) or affects resources beyond it (Changed). When scope is changed, the score formula adjusts and can increase severity.

Severity bands used by the calculator

  • None: 0.0
  • Low: 0.1 – 3.9
  • Medium: 4.0 – 6.9
  • High: 7.0 – 8.9
  • Critical: 9.0 – 10.0

Practical workflow for vulnerability management

CVSS should be one part of prioritization, not the only input. In real programs, teams combine CVSS with exploit intelligence, asset criticality, business context, and patch availability. A medium CVSS finding on an internet-facing identity system may be more urgent than a high CVSS finding on an isolated test server.

A practical approach is to calculate CVSS first, then apply an internal risk modifier for environmental context. This keeps your scoring consistent while still reflecting real-world exposure.

Example use case

Suppose a flaw is remotely exploitable over the network, requires no privileges and no user interaction, and can fully impact confidentiality, integrity, and availability. With scope unchanged, the resulting score typically lands in the High or Critical band. This indicates immediate triage and accelerated patching are warranted.

Final note

Use this calculator to standardize CVSS v3.1 scoring in tickets, advisories, and security reviews. For best results, document your metric choices clearly so auditors, engineers, and incident responders can reproduce the same score.
