CVSS v3.1 Base Score Calculator
Use this calculator to estimate a CVSS v3.1 Base Score for a vulnerability. Select the metric values that best fit the issue, then calculate the score and vector string.
What is CVSS and why it matters
CVSS stands for Common Vulnerability Scoring System. It is a standardized way to measure how severe a software or infrastructure vulnerability is. Security teams use CVSS to prioritize patching, compare risks across systems, and communicate urgency to stakeholders.
A raw vulnerability description can be difficult to compare against dozens of other findings. CVSS solves this by turning technical properties into a numeric score from 0.0 to 10.0. That score maps to severity bands:
- None: 0.0
- Low: 0.1 – 3.9
- Medium: 4.0 – 6.9
- High: 7.0 – 8.9
- Critical: 9.0 – 10.0
CVSS v3.1 base metrics explained
The calculator above focuses on the Base Score, which represents intrinsic characteristics of a vulnerability that are expected to remain constant over time and across environments.
Exploitability metrics
- Attack Vector (AV): How close the attacker must be to exploit the issue. Network-exploitable vulnerabilities are generally more severe.
- Attack Complexity (AC): Whether exploitation requires unusual conditions. Low complexity increases risk.
- Privileges Required (PR): Whether attacker credentials are needed before exploitation.
- User Interaction (UI): Whether another user must click, open, approve, or otherwise assist.
- Scope (S): Whether a successful exploit impacts only the vulnerable component or crosses a trust boundary.
Impact metrics
- Confidentiality (C): Data exposure risk.
- Integrity (I): Data or system modification risk.
- Availability (A): Service disruption risk.
How this CVSS calculator works
This page implements the official CVSS v3.1 base formula logic in JavaScript. It calculates:
- Exploitability Subscore based on AV, AC, PR, and UI.
- Impact Subscore based on Scope and CIA impacts.
- Final Base Score with CVSS round-up behavior to one decimal place.
- Vector String in standard format, such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
One important detail: the weight of Privileges Required changes depending on whether Scope is Unchanged or Changed. The calculator handles this automatically.
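The steps listed above, written out as an added example (not this page's own calculator source): it parses a base vector string, applies the CVSS v3.1 specification weights including the Scope-dependent Privileges Required weight, and rounds up as the specification defines. The function and constant names are chosen here for illustration.

```javascript
// Added example, not the page's calculator source. Weights are the CVSS v3.1 spec values.
const CIA = { H: 0.56, L: 0.22, N: 0 };
const W = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  PR: { N: 0.85, L: 0.62, H: 0.27 }, // weights when Scope is Unchanged
  UI: { N: 0.85, R: 0.62 },
  S: { U: null, C: null },           // Scope selects formulas; it has no weight
  C: CIA, I: CIA, A: CIA,
};
const PR_CHANGED = { N: 0.85, L: 0.68, H: 0.5 }; // PR weights when Scope is Changed
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Spec-defined Roundup: smallest one-decimal value >= x, done on integers to avoid float noise.
function roundUp(x) {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}

// Base metrics only: rejects unknown, duplicate, malformed or missing metrics.
function parseVector(vector) {
  const [prefix, ...parts] = String(vector).split("/");
  if (prefix !== "CVSS:3.1") throw new Error("vector must start with CVSS:3.1");
  const m = new Map();
  for (const part of parts) {
    const [name, value, extra] = part.split(":");
    if (extra !== undefined || !has(W, name) || !has(W[name], value) || m.has(name))
      throw new Error(`invalid or duplicate metric: ${part}`);
    m.set(name, value);
  }
  for (const name of Object.keys(W))
    if (!m.has(name)) throw new Error(`missing metric: ${name}`);
  return m;
}

function baseScore(vector) {
  const m = parseVector(vector);
  const changed = m.get("S") === "C";
  const w = (k) => W[k][m.get(k)];
  const pr = (changed ? PR_CHANGED : W.PR)[m.get("PR")];
  const iss = 1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A"));
  const impact = changed ? 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 : 6.42 * iss;
  if (impact <= 0) return 0;
  const sum = impact + 8.22 * w("AV") * w("AC") * pr * w("UI"); // impact + exploitability
  return roundUp(Math.min(changed ? 1.08 * sum : sum, 10));
}
function severity(s) {
  return s === 0 ? "None" : s < 4 ? "Low" : s < 7 ? "Medium" : s < 9 ? "High" : "Critical";
}
```

Scoring the same vector with PR:L under S:U and then S:C shows the Privileges Required weight change in the result, separate from the 1.08 multiplier applied when Scope is Changed.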
Practical scoring tips for analysts and developers
1) Score what is proven, not guessed
If a proof of concept shows only local exploitation, avoid assigning Network just because it feels possible. CVSS should represent demonstrated or credible characteristics.
2) Keep severity and business risk separate
CVSS describes technical severity, not business context. A Medium CVSS issue in your payment system could still be top priority, while a High issue in an isolated lab may wait.
3) Pair CVSS with asset criticality
For effective vulnerability management, combine CVSS score, exploit availability, internet exposure, and asset importance. A simple prioritization model often outperforms score-only triage.
4) Re-score after major new intelligence
If new exploit paths are discovered or assumptions were wrong, revisit the vector. Security operations is iterative; your scoring should be too.
Example scenario
Suppose a web service has an unauthenticated remote code execution flaw that requires no user action and can fully compromise data confidentiality, integrity, and availability. You might choose:
- AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H
That set produces a 9.8 Critical base score, which is a common value for severe remotely exploitable vulnerabilities.
Common mistakes when using CVSS
- Using CVSS as the only prioritization input.
- Confusing “Scope Changed” with “big impact.” Scope is about security authority boundaries, not simply size of damage.
- Overstating Attack Vector or understating Privileges Required to make findings seem more urgent.
- Ignoring assumptions and not documenting why each metric was chosen.