CVSS v3.1 Base Score Calculator
Use this tool to estimate a CVSS v3.1 Base Score, following a workflow similar to the NIST NVD calculator.
What is the NIST CVSS calculator?
The NIST National Vulnerability Database (NVD) uses CVSS (Common Vulnerability Scoring System) to provide a standardized way to measure vulnerability severity. A CVSS score helps security teams quickly compare issues, prioritize remediation, and communicate risk in a consistent language.
This page gives you a practical, browser-based calculator for CVSS v3.1 Base metrics. While this is not an official NVD page, it applies the same scoring logic used to score published CVSS vectors and can be useful for triage, reporting, and training.
How this CVSS calculator works
CVSS v3.1 Base scoring combines exploitability and impact into a score from 0.0 to 10.0. You select one value for each base metric, and the algorithm calculates the final score and severity band.
Base metrics included
- Attack Vector (AV): How remote an attacker can be while still reaching the vulnerable component.
- Attack Complexity (AC): Whether special conditions are required for exploitation.
- Privileges Required (PR): Level of privileges an attacker needs before exploitation.
- User Interaction (UI): Whether a victim must do something (click/open/approve).
- Scope (S): Whether exploitation impacts only the vulnerable component or crosses trust boundaries.
- Confidentiality (C), Integrity (I), Availability (A): The technical impact on the CIA triad.
Severity mapping
- None: 0.0
- Low: 0.1–3.9
- Medium: 4.0–6.9
- High: 7.0–8.9
- Critical: 9.0–10.0
Example: interpreting a common vector
A vector like CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H usually represents a remotely exploitable issue with high impact and no required privileges or user interaction. This often produces a very high score, typically in the Critical range.
However, context still matters. A high CVSS score does not always mean immediate internet-wide exploitability in your exact environment. Use asset criticality, exposure, exploit maturity, and compensating controls to refine priority.
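The Base scoring logic described above, written out as an added JavaScript example (not this page's own calculator code): it parses a CVSS:3.1 vector string, applies the Base equations and Roundup function from the FIRST CVSS v3.1 specification, and maps the result to the severity bands listed earlier. The function names `parseVector`, `baseScore`, `weight` and `roundUp` are chosen for this example.

```javascript
// Added example, not the page's own code: CVSS v3.1 Base equations (FIRST spec).
const W = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  PR: { U: { N: 0.85, L: 0.62, H: 0.27 },  // Scope Unchanged
        C: { N: 0.85, L: 0.68, H: 0.5 } }, // Scope Changed
  UI: { N: 0.85, R: 0.62 },
  CIA: { H: 0.56, L: 0.22, N: 0 },
};
const REQUIRED = ["AV", "AC", "PR", "UI", "S", "C", "I", "A"];

// Own-property lookup so values such as "constructor" are rejected.
function weight(table, key, name) {
  if (!Object.prototype.hasOwnProperty.call(table, key))
    throw new Error(`invalid value for ${name}: ${key}`);
  return table[key];
}

// Spec Roundup: smallest one-decimal number >= x, computed on integers
// so floating-point noise cannot push a score up a tenth.
function roundUp(x) {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}

function parseVector(vector) {
  const [prefix, ...parts] = String(vector).trim().split("/");
  if (prefix !== "CVSS:3.1") throw new Error("expected CVSS:3.1 prefix");
  const m = {};
  for (const part of parts) {
    const [k, v] = part.split(":");
    if (!REQUIRED.includes(k) || k in m) throw new Error(`bad metric: ${part}`);
    m[k] = v;
  }
  for (const k of REQUIRED) if (!(k in m)) throw new Error(`missing metric: ${k}`);
  return m;
}

function baseScore(vector) {
  const m = parseVector(vector);
  const changed = m.S === "C";
  const pr = weight(weight(W.PR, m.S, "S"), m.PR, "PR"); // PR weight depends on Scope
  const iss = 1 - ["C", "I", "A"].reduce((p, k) => p * (1 - weight(W.CIA, m[k], k)), 1);
  const impact = changed ? 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 : 6.42 * iss;
  const expl = 8.22 * weight(W.AV, m.AV, "AV") * weight(W.AC, m.AC, "AC") * pr * weight(W.UI, m.UI, "UI");
  const score = impact <= 0 ? 0 : roundUp(Math.min((changed ? 1.08 : 1) * (impact + expl), 10));
  const severity = score === 0 ? "None" : score < 4 ? "Low" : score < 7 ? "Medium" : score < 9 ? "High" : "Critical";
  return { score, severity };
}
```

For the vector quoted above, `baseScore` returns a score of 9.8 with severity Critical. Malformed input (wrong version prefix, unknown, duplicate or missing metrics, invalid values) throws instead of producing a score.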
Best practices for vulnerability prioritization
- Use CVSS as a baseline, then layer in business context and threat intelligence.
- Prioritize externally exposed systems with known active exploitation first.
- Track exceptions and compensating controls transparently.
- Reassess scores when architecture, privileges, or deployment patterns change.
- Standardize your scoring process so teams can compare vulnerabilities consistently.
Quick FAQ
Is this the official NIST calculator?
No. This page is a replica-style educational tool that implements CVSS v3.1 Base formula logic in a single HTML file.
Can I paste a CVSS vector directly?
Yes. Use the vector input and click Parse Vector to populate the form automatically, then calculate.
Does this include temporal or environmental metrics?
No, this version focuses on Base scoring. For full risk decisions, include environmental context and real-world exploit information.