cvss calculator 3.0 - Aaron Graves, PhDude Replica

CVSS v3.0 Base Score Calculator

Use the fields below to calculate a CVSS 3.0 Base Score, severity rating, and vector string.

Paste CVSS Vector (optional)

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

Note: In CVSS v3.0, Privileges Required (PR) values change depending on Scope (U or C).

Base Score: 0.0 None

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Impact: 0.00 | Exploitability: 0.00

What Is CVSS 3.0?

CVSS stands for Common Vulnerability Scoring System. Version 3.0 is a standardized framework used by security teams to score the technical severity of vulnerabilities. Instead of relying on guesswork, CVSS gives you a consistent method for comparing issues across applications, infrastructure, cloud services, and endpoints.

A CVSS Base Score ranges from 0.0 to 10.0. Higher scores generally indicate vulnerabilities that are easier to exploit and have more serious impact on confidentiality, integrity, or availability. Organizations use these scores for triage, patch prioritization, risk communication, and compliance reporting.

How This CVSS Calculator Works

This calculator focuses on the Base Metrics from CVSS v3.0. Base metrics are intended to represent the intrinsic characteristics of a vulnerability that do not change over time or across environments.

Base Metrics Included

Attack Vector (AV) – Where the attacker must be located (Network, Adjacent, Local, Physical).
Attack Complexity (AC) – Conditions beyond attacker control needed for exploitation.
Privileges Required (PR) – Level of access required before exploitation.
User Interaction (UI) – Whether another user must participate for exploitation to work.
Scope (S) – Whether exploitation stays in the same security scope or crosses boundaries.
Confidentiality (C) – Impact to data secrecy.
Integrity (I) – Impact to data trustworthiness.
Availability (A) – Impact to system uptime or service continuity.

Severity Ratings

After score calculation, the rating is mapped to standard CVSS qualitative bands:

None: 0.0
Low: 0.1 – 3.9
Medium: 4.0 – 6.9
High: 7.0 – 8.9
Critical: 9.0 – 10.0

Why CVSS v3.0 Still Matters

Although CVSS v3.1 refined wording and guidance, many tools, scanners, and internal workflows still reference v3.0 vectors. If your backlog or vulnerability management platform stores historical data in 3.0 format, a dedicated calculator is useful for validation and for explaining results to stakeholders.

Common Use Cases

Security triage in SOC and DevSecOps pipelines
Prioritizing patch windows based on technical severity
Communicating risk to engineering and leadership teams
Validating scanner output and custom vulnerability findings

Practical Guidance for Better Scoring

CVSS is strongest when used consistently. To improve scoring quality, define internal examples for each metric value and train analysts to use the same assumptions. Differences in interpretation can produce very different scores.

Document how your team interprets Adjacent vs Local attack vectors.
Review Scope carefully; it often changes final severity significantly.
Do not confuse business impact with CVSS technical impact.
Pair CVSS with exploit intelligence and asset criticality for final prioritization.

CVSS Is a Starting Point, Not the Whole Story

A CVSS 10.0 on an isolated lab host may be less urgent than a CVSS 7.5 on a public-facing production identity service. That is why mature programs combine CVSS with context such as internet exposure, compensating controls, active exploitation, and data sensitivity.

Use this calculator to establish a clear technical baseline, then layer in your organization’s real-world context to make high-quality remediation decisions.