CVSS v3.1 Base Score Calculator
Use this tool to calculate a CVSS v3.1 Base Score and vector string for vulnerabilities.
What this CVSS score calculator does
This page helps security teams, developers, and analysts calculate a CVSS v3.1 Base Score quickly. CVSS (Common Vulnerability Scoring System) is the industry standard for expressing vulnerability severity in a repeatable way. Instead of saying “this bug looks bad,” you can use a score and vector to communicate risk consistently.
How to use the calculator
- Select all base metrics: AV, AC, PR, UI, Scope, Confidentiality, Integrity, and Availability.
- Click Calculate CVSS Score.
- Review the base score, severity level, and generated vector string.
- Copy the vector for tickets, reports, or vulnerability advisories.
The result is computed from the official CVSS v3.1 base equations, including the Scope-dependent weighting of Privileges Required and the final round-up step.
CVSS metric breakdown
Exploitability Metrics
- Attack Vector (AV): Network attacks are typically more severe than physical-only attacks.
- Attack Complexity (AC): Low complexity means fewer constraints and generally higher risk.
- Privileges Required (PR): If no privileges are needed, severity is usually greater.
- User Interaction (UI): Requiring user action lowers exploitability.
Impact Metrics
- Confidentiality (C): Data disclosure impact.
- Integrity (I): Data tampering impact.
- Availability (A): Service disruption impact.
- Scope (S): Whether exploitation crosses trust boundaries.
Interpreting the score
Severity bands commonly used with CVSS v3.1:
- 0.0: None
- 0.1 – 3.9: Low
- 4.0 – 6.9: Medium
- 7.0 – 8.9: High
- 9.0 – 10.0: Critical
Remember: CVSS is a severity model, not a complete business risk model. You should still consider asset value, threat intelligence, exploit maturity, and compensating controls before prioritizing remediation.
Best practices for vulnerability prioritization
1) Pair CVSS with context
A medium score on an internet-facing authentication service can be more urgent than a high score on an isolated internal lab machine. Combine the score with exposure and business criticality.
2) Track the vector, not only the number
Two vulnerabilities can share the same numeric score but differ in exploit path. The vector string explains why the score is what it is. Keep it in your ticketing system to support clear triage decisions.
3) Reassess over time
As system architecture changes, risk changes too. Recalculate when new integrations, permissions, or deployment patterns alter attack surface.
Frequently asked questions
Is this CVSS v3.1 or v4.0?
This calculator implements CVSS v3.1 Base Score. If your organization has adopted CVSS v4.0, use a dedicated v4 tool.
Does this include Temporal or Environmental metrics?
No. This page calculates only the Base Score, which is useful for standardized severity reporting.