cvss 3.0 calculator

What is CVSS 3.0?

CVSS (Common Vulnerability Scoring System) is a standardized way to describe the severity of software vulnerabilities. Version 3.0 introduced more precise scoring compared to older models and became widely used across vulnerability databases, security scanners, and incident response programs.

The score ranges from 0.0 to 10.0 and helps teams answer a practical question: How urgently should we fix this issue?

How this CVSS 3.0 calculator works

This page calculates the Base Score, which represents the intrinsic severity of a vulnerability assuming no specific environmental context. You select values for eight Base Metrics:

• Exploitability Metrics: AV, AC, PR, UI
• Scope: S
• Impact Metrics: C, I, A

The calculator then computes:

• Impact Subscore
• Exploitability Subscore
• Final Base Score (rounded up to one decimal place)
• Severity rating and vector string

Metric breakdown (quick reference)

Attack Vector (AV)

Describes how remotely an attacker can exploit the vulnerability. Network means reachable over a network, while Physical requires direct device access.

Attack Complexity (AC)

Captures special conditions needed for exploitation. Low means straightforward; High means unusual setup or timing is required.

Privileges Required (PR)

Indicates what level of access the attacker already needs before exploitation. Higher required privileges generally reduce severity.

User Interaction (UI)

Specifies whether another user must do something (for example, open a malicious file or click a link).

Scope (S)

Scope is Unchanged when the vulnerable component and impacted component share the same authority boundary. It is Changed when exploitation breaks into a different boundary, often increasing severity.

Confidentiality, Integrity, Availability (C/I/A)

These three metrics estimate business impact:

• Confidentiality: unauthorized data disclosure
• Integrity: unauthorized data/system modification
• Availability: service interruption or resource exhaustion

Severity bands

• None: 0.0
• Low: 0.1 – 3.9
• Medium: 4.0 – 6.9
• High: 7.0 – 8.9
• Critical: 9.0 – 10.0

Practical tips for security teams

• Use CVSS as a starting point, not the only prioritization signal.
• Combine score with exploit availability, asset criticality, and exposure.
• Track vector strings in tickets so analysts can validate assumptions later.
• Reassess scores when architecture changes (especially network exposure and scope boundaries).

Limitations to keep in mind

CVSS Base Score does not include your unique environment. A medium-scored flaw on an internet-facing identity server can be more urgent than a high-scored flaw on an isolated lab endpoint. Mature programs blend CVSS with operational context, business risk, and threat intelligence.

Conclusion

A consistent scoring method improves communication between engineers, security, and leadership. Use this CVSS 3.0 calculator to quickly generate reliable scores and vectors, then layer in real-world context to make smart remediation decisions.