What Is CVSS
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the severity of software vulnerabilities. Maintained by the Forum of Incident Response and Security Teams (FIRST), CVSS provides a standardized numerical score from 0.0 to 10.0 that reflects the technical severity of a vulnerability, helping organizations prioritize remediation efforts.
CVSS is the de facto standard used by the National Vulnerability Database (NVD), vulnerability scanners like Nessus and Qualys, and compliance frameworks including PCI DSS and FedRAMP. Understanding how CVSS scores are calculated enables security teams to make informed patching decisions rather than treating every vulnerability as equally urgent.
How CVSS Scoring Works
CVSS 3.1 (the current widely deployed version) calculates scores using three metric groups: Base, Temporal, and Environmental. The Base metrics, from which every score starts, are listed below:
Base Score Metrics
| Metric | Options | Measures |
|---|---|---|
| Attack Vector (AV) | Network, Adjacent, Local, Physical | How the attacker reaches the vulnerability |
| Attack Complexity (AC) | Low, High | Conditions beyond attacker control required for exploitation |
| Privileges Required (PR) | None, Low, High | Authentication level needed |
| User Interaction (UI) | None, Required | Whether a victim must take action |
| Scope (S) | Unchanged, Changed | Whether exploitation impacts resources beyond the vulnerable component |
| Confidentiality (C) | None, Low, High | Impact on information disclosure |
| Integrity (I) | None, Low, High | Impact on data modification |
| Availability (A) | None, Low, High | Impact on system accessibility |
Severity Ratings
| Score Range | Severity | Typical Response |
|---|---|---|
| 0.0 | None | No action needed |
| 0.1 - 3.9 | Low | Patch in next maintenance window |
| 4.0 - 6.9 | Medium | Patch within 30 days |
| 7.0 - 8.9 | High | Patch within 1-2 weeks |
| 9.0 - 10.0 | Critical | Immediate patching or mitigation |
Common Use Cases
- Vulnerability prioritization: Rank hundreds of scanner findings by CVSS score to focus remediation on the most severe issues first
- SLA definition: Establish patching timelines tied to CVSS severity levels in your vulnerability management policy
- Risk communication: Translate technical vulnerability details into a standardized score that non-technical stakeholders can understand
- Compliance evidence: PCI DSS Requirement 6.1 requires ranking vulnerabilities by risk — CVSS provides the recognized methodology
- Vendor comparisons: Evaluate the security track record of third-party software by analyzing historical CVSS distributions
Best Practices
- Use Environmental metrics for context — The Base Score reflects generic severity. Use the Environmental metric group to adjust scores based on your specific deployment: a network-accessible vulnerability in an air-gapped system is less critical than the base score suggests.
- Don't ignore Medium-severity findings — Organizations that only patch Critical and High CVEs accumulate a growing attack surface of exploitable Medium vulnerabilities. Address these within defined SLAs.
- Combine CVSS with exploit intelligence — A CVSS 7.5 vulnerability with a public Metasploit module poses more immediate risk than a CVSS 9.0 with no known exploit. Cross-reference with CISA KEV, Exploit-DB, and threat intelligence feeds.
- Understand CVSS 4.0 changes — CVSS 4.0 introduces granular attack requirements, updated environmental metrics, and supplemental metrics for automatable attacks and recovery. Plan your transition from 3.1 to 4.0.
- Document your scoring rationale — When you adjust scores using Temporal or Environmental metrics, record why. Auditors and future analysts need to understand your risk acceptance decisions.
Frequently Asked Questions
Common questions about the CVSS Calculator
CVSS (Common Vulnerability Scoring System) is an industry-standard framework for rating the severity of security vulnerabilities. It is important because it provides a consistent way for organizations to prioritize vulnerability remediation efforts based on the potential impact to confidentiality, integrity, and availability of systems.
The Base Score represents the intrinsic characteristics of a vulnerability that remain constant over time. The Temporal Score adjusts the Base Score based on factors that change over time, such as exploit availability and patch status. The Environmental Score further customizes the score based on your specific organizational security requirements and asset importance.
CVSS v3.1 uses five severity ratings: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0). These ratings help security teams prioritize which vulnerabilities to address first, with Critical and High vulnerabilities typically requiring immediate attention.
Yes, this calculator generates a shareable URL that includes the complete CVSS vector string. You can copy this URL and share it with colleagues, security teams, or include it in vulnerability reports. The recipient will see the exact same metrics and scores when they open the link.
Attack Vector describes how a vulnerability can be exploited. Network (weighted highest) means the attack can be launched remotely, Adjacent requires access to the same local network, Local requires access to the system itself, and Physical requires physical access to the device. A Network attack vector typically results in higher scores because it allows remote exploitation without requiring proximity to the target.
The Scope metric indicates whether exploiting a vulnerability can affect resources beyond the vulnerable component. When Scope is Changed, the vulnerability can impact other components (like escaping a sandbox), which typically increases the overall score. When Unchanged, only the vulnerable component is affected.
Disclaimer
This tool is provided for informational and educational purposes only. All processing happens entirely in your browser - no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.