CVSS v3.1 Base Score Calculator
Select each base metric to calculate the CVSS 3.1 base score, severity, and vector string.
What Is CVSS 3.1?
CVSS (Common Vulnerability Scoring System) is a standardized framework for expressing how severe a software vulnerability is. Version 3.1 is still widely used by security teams, vulnerability scanners, and compliance programs to prioritize patching work. The score ranges from 0.0 to 10.0 and is accompanied by a vector that explains exactly how the score was derived.
This calculator focuses on the Base metrics in CVSS v3.1. Base metrics describe the intrinsic technical properties of the vulnerability that do not change over time or across environments. They are ideal for establishing a common severity baseline before business context is applied.
How to Use This CVSS Calculator 3.1
- Select values for the eight base metrics: AV, AC, PR, UI, S, C, I, and A.
- Click Calculate CVSS 3.1 (or change a metric and it recalculates automatically).
- Review the base score, severity band, and generated vector string.
- Copy the vector and include it in tickets, advisories, or vulnerability reports.
Metric Breakdown (Plain English)
Exploitability Metrics
These metrics answer: How hard is it for an attacker to exploit this?
- Attack Vector (AV): Can exploitation happen over the internet, adjacent network, local system, or only with physical access?
- Attack Complexity (AC): Does the exploit require special timing, race conditions, or unusual prerequisites?
- Privileges Required (PR): Must the attacker already have credentials?
- User Interaction (UI): Does a user need to click, open, or approve something?
Scope and Impact Metrics
These metrics answer: What happens if exploitation succeeds?
- Scope (S): Whether exploitation stays in the same security boundary (Unchanged) or crosses into another authority (Changed).
- Confidentiality (C): Degree of data exposure.
- Integrity (I): Degree of unauthorized data modification.
- Availability (A): Degree of service disruption.
CVSS 3.1 Severity Bands
- 0.0: None
- 0.1 – 3.9: Low
- 4.0 – 6.9: Medium
- 7.0 – 8.9: High
- 9.0 – 10.0: Critical
Sample Vectors and Practical Interpretation
Example 1: Remote Critical RCE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
This is a classic internet-reachable, no-auth, no-user-interaction vulnerability with complete impact. It should usually be treated as an immediate patching priority, especially if exploit code exists publicly.
Example 2: Local Privilege Escalation
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local vulnerabilities can still be high priority when they combine with phishing or initial foothold attacks. Context matters: endpoint exposure, hardening baseline, and attacker dwell time all influence urgency.
Best Practices for Vulnerability Prioritization
- Use CVSS as a consistent baseline, not as your only decision factor.
- Add context: internet exposure, asset criticality, compensating controls, exploit maturity, and active exploitation.
- Track vector changes over time if new technical details emerge.
- Document both score and rationale to improve triage consistency across teams.
Why Teams Still Rely on CVSS 3.1
Even as newer standards emerge, CVSS 3.1 remains deeply embedded in vulnerability feeds, scanner outputs, and governance tooling. Most organizations have operational workflows built around these scores, making accurate and transparent scoring extremely valuable.
Use this page as a practical scoring helper whenever you need to quickly compute a CVSS 3.1 base score, validate a vector, or explain severity in a way that developers, security engineers, and leadership can all understand.