CVSS Calculator

Score a vulnerability with CVSS v3.1 — pick the base metrics, get the score, severity band and canonical vector string instantly, add temporal metrics if you have them, and share the whole assessment as a link. Scoring runs the official FIRST formulas, locally in your browser.

New to this? Read the CVSS Calculator guide →

How to use the CVSS calculator

Click one value in each of the eight base-metric groups and the score, severity band and vector string update live. Optionally add the three temporal metrics (exploit maturity, remediation level, report confidence) to see the temporal score alongside the base score. Copy vector gives you the canonical string for a report or ticket; Copy link gives you this page with the vector pre-loaded — the score, shareable. Got a vector from an advisory? Paste it into the box at the bottom and Load vector reconstructs the whole assessment.

Choosing the base metrics honestly

Most scoring arguments are really definitions arguments, so anchor on the spec's intent. Attack Vector is about where the attacker can be: Network means remotely exploitable across the internet; Local means they need to run code or log in first. Attack Complexity is High only when success depends on conditions outside the attacker's control (a race to win, a target configuration they can't detect) — "it took me a while in the lab" is still Low. Privileges Required is judged before the attack; User Interaction asks whether a victim must do something (open the file, click the link). Scope is the subtle one: it flips to Changed when the exploited component's compromise crosses a security boundary into resources governed by a different authority — a hypervisor escape, a sandbox breakout, an XSS that runs in other users' browsers.

Impact: rate what the attacker gains, not what they touched

Confidentiality, Integrity and Availability describe the impact on the affected component: High means a total (or effectively total) loss — all data readable, arbitrary files writable, service fully down; Low means some access with no control over what or how much. A vulnerability that only leaks which software version is running is C:L, however embarrassing the bug. Rating every information disclosure C:H is the most common way scores drift upward until nobody trusts them.

What the bands mean (and don't)

0.1–3.9 is Low, 4.0–6.9 Medium, 7.0–8.9 High, 9.0–10.0 Critical. The famous 9.8 pattern — network-reachable, no privileges, no user interaction, full C/I/A impact — is the classic pre-auth remote code execution. But CVSS measures severity of the vulnerability, not risk to you: a 9.8 in software you don't expose may matter less than a 6.5 in your internet-facing login flow. Use the score to triage and communicate; use your environment to decide. (More on that distinction in the guide.)

Frequently asked questions

What is a CVSS score?

A 0–10 severity rating for a security vulnerability, computed from eight base metrics covering how exploitable the flaw is (attack vector, complexity, privileges, user interaction, scope) and what impact it has on confidentiality, integrity and availability. 9.0+ is Critical, 7.0–8.9 High, 4.0–6.9 Medium, 0.1–3.9 Low.

Which CVSS version does this calculator use?

CVSS v3.1, following the official FIRST.org specification formulas exactly, including the base and optional temporal metrics. It also parses CVSS:3.0 vectors, which share the same metrics.

What does the vector string mean?

The vector (e.g. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) is the full assessment in compact form — each metric and the value chosen for it. Paste any vector into the tool to reconstruct and edit the assessment.

Is CVSS the same as risk?

No. CVSS rates the severity of the vulnerability in the abstract; risk depends on your exposure — whether the vulnerable system is reachable, what data it holds, and whether the flaw is being exploited in the wild. Use the score to triage and communicate, alongside context.