CVSS v3.1 Base Score Calculator
Select the Base Metrics below. This calculator generates the Base Score, severity rating, and full CVSS vector string.
What is CVSS v3?
CVSS stands for Common Vulnerability Scoring System. It gives a standardized way to describe and score the severity of software vulnerabilities. The v3 family (especially v3.1) is widely used in vulnerability management, penetration testing reports, SIEM workflows, and patch prioritization.
A CVSS score helps security teams answer a simple question quickly: “How dangerous is this issue, and how urgently should we fix it?” The result is a number from 0.0 to 10.0 and a severity label such as Low, Medium, High, or Critical.
How this CVSS v3 calculator works
This tool calculates the Base Score from the eight Base Metrics:
- Attack Vector (AV)
- Attack Complexity (AC)
- Privileges Required (PR)
- User Interaction (UI)
- Scope (S)
- Confidentiality impact (C)
- Integrity impact (I)
- Availability impact (A)
It also outputs the full vector string (for example: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) so you can paste results directly into tickets or reports.
Base Metrics explained in plain English
Attack Vector (AV)
AV describes where the attacker has to be. Network means remote exploitation is possible over IP. Physical means hands-on access is required. Network vulnerabilities generally score higher because they are easier to reach at scale.
Attack Complexity (AC)
AC captures whether exploitation is straightforward or requires unusual conditions (timing, race conditions, special environment setup). Low complexity raises the score because exploitation is easier.
Privileges Required (PR)
PR reflects what level of account access is needed before an attacker can exploit the flaw. No privileges means anyone can attempt it; high privileges means the attacker already needs elevated rights.
User Interaction (UI)
UI indicates whether a victim must click, open, or otherwise assist the exploit path. Issues requiring user interaction typically score lower than zero-click vulnerabilities.
Scope (S)
Scope tells you whether exploitation stays inside the vulnerable component or crosses trust boundaries into another component. Changed scope can significantly increase severity because impact can spread across systems.
Confidentiality, Integrity, Availability (CIA)
These metrics represent technical impact:
- Confidentiality: exposure of sensitive data
- Integrity: unauthorized modification of data or logic
- Availability: service disruption or denial of service
How to use the score in real vulnerability management
CVSS is a strong starting point, but not the full story. In production security programs, teams combine CVSS with context:
- Whether exploit code is public
- Whether the vulnerable asset is internet-facing
- Business criticality of the affected system
- Compensating controls (WAF, segmentation, EDR)
- Observed attack activity in the wild
A Medium CVSS on a crown-jewel system can still require urgent action. Conversely, a High score on a non-production isolated host may be scheduled differently.
Severity bands (CVSS v3 Base Score)
- 0.0: None
- 0.1 – 3.9: Low
- 4.0 – 6.9: Medium
- 7.0 – 8.9: High
- 9.0 – 10.0: Critical
Quick scoring example
Suppose a vulnerability is remotely exploitable with no privileges or user interaction and causes high impact to confidentiality, integrity, and availability. Select AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H. The result is a near-maximum score in the Critical range.
Final note
This calculator is built for CVSS v3.1 Base Score calculations and is great for triage, reporting, and consistency across teams. For mature risk decisions, pair it with threat intelligence and business impact analysis.