cvss calculator

CVSS v3.1 Base Score Calculator

Use this calculator to estimate the CVSS Base Score, severity rating, and vector string for a vulnerability.

Formula based on FIRST.org CVSS v3.1 Base metrics.

Base Score: 9.8

Severity: Critical

Exploitability Subscore: 3.9

Impact Subscore: 5.9

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What Is CVSS and Why It Matters

The Common Vulnerability Scoring System (CVSS) is a standardized method for rating the severity of software vulnerabilities. Security teams use CVSS to quickly understand technical risk and prioritize remediation work. Instead of relying on subjective language like “serious” or “minor,” CVSS provides a numerical score from 0.0 to 10.0, along with a severity label such as Low, Medium, High, or Critical.

A CVSS score does not replace business judgment, but it creates a common baseline across development, security, operations, and leadership teams. When incidents are competing for attention, a reliable scoring framework helps teams respond consistently and transparently.

CVSS v3.1 Base Metrics Explained

This calculator focuses on Base Metrics, which measure the intrinsic qualities of a vulnerability that do not change over time or environment.

Exploitability Metrics

  • Attack Vector (AV): How remotely the attack can be performed (Network is generally most severe).
  • Attack Complexity (AC): Whether exploitation requires special conditions.
  • Privileges Required (PR): The level of access an attacker needs before exploitation.
  • User Interaction (UI): Whether another user must take action for exploitation to succeed.

Impact Metrics

  • Confidentiality (C): Potential exposure of sensitive data.
  • Integrity (I): Potential unauthorized modification of data.
  • Availability (A): Potential disruption of service uptime or reliability.
  • Scope (S): Whether impact crosses a security boundary into another component.

How to Use This CVSS Calculator

  1. Select values for each Base Metric according to vulnerability details.
  2. Click Calculate Score.
  3. Review the Base Score, Severity, subscores, and generated CVSS vector string.
  4. Use the vector in tickets, advisories, or reports to preserve scoring transparency.

The generated vector makes your assessment auditable. If team members disagree with a score, they can inspect each selected metric and discuss assumptions directly rather than debating the final number alone.

Interpreting the Result

  • 0.0 = None
  • 0.1–3.9 = Low
  • 4.0–6.9 = Medium
  • 7.0–8.9 = High
  • 9.0–10.0 = Critical

In practice, many teams treat High and Critical issues as fast-track remediation items. However, prioritize with context: internet exposure, exploit availability, asset sensitivity, and compensating controls should all influence real-world urgency.

Common Mistakes to Avoid

  • Scoring from incomplete technical details (especially Scope and Privileges Required).
  • Using CVSS alone to define patch deadlines without considering business impact.
  • Ignoring vector strings, making later review and audit harder.
  • Confusing CVSS v3.1 assumptions with older scoring guidance.

Best Practice: Combine CVSS with Operational Risk

CVSS is strongest when combined with environment-specific signals. Consider adding exploit intelligence, threat actor activity, internet-facing status, and asset criticality for final prioritization. A Medium CVSS issue on a crown-jewel system may deserve immediate action, while a High CVSS issue on an isolated lab host might be lower urgency.
