Calculate CVSS v3.1 vulnerability scores with Base, Temporal, and Environmental metrics. Generate vector strings and severity ratings. Free online calculator.
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the severity of software vulnerabilities. Maintained by the Forum of Incident Response and Security Teams (FIRST), CVSS provides a standardized numerical score from 0.0 to 10.0 that reflects the technical severity of a vulnerability, helping organizations prioritize remediation efforts.
CVSS is the de facto standard used by the National Vulnerability Database (NVD), vulnerability scanners like Nessus and Qualys, and compliance frameworks including PCI DSS and FedRAMP. Understanding how CVSS scores are calculated enables security teams to make informed patching decisions rather than treating every vulnerability as equally urgent.
CVSS 3.1 (the current widely-deployed version) calculates scores using three metric groups:
| Metric | Options | Measures |
|---|---|---|
| Attack Vector (AV) | Network, Adjacent, Local, Physical | How the attacker reaches the vulnerability |
| Attack Complexity (AC) | Low, High | Conditions beyond attacker control required for exploitation |
| Privileges Required (PR) | None, Low, High | Authentication level needed |
| User Interaction (UI) | None, Required | Whether a victim must take action |
| Scope (S) | Unchanged, Changed | Whether exploitation impacts resources beyond the vulnerable component |
| Confidentiality (C) | None, Low, High | Impact on information disclosure |
| Integrity (I) | None, Low, High | Impact on data modification |
| Availability (A) | None, Low, High | Impact on system accessibility |
| Score Range | Severity | Typical Response |
|---|---|---|
| 0.0 | None | No action needed |
| 0.1 - 3.9 | Low | Patch in next maintenance window |
| 4.0 - 6.9 | Medium | Patch within 30 days |
| 7.0 - 8.9 | High | Patch within 1-2 weeks |
| 9.0 - 10.0 | Critical | Immediate patching or mitigation |
CVSS (Common Vulnerability Scoring System) is an industry-standard framework for rating the severity of security vulnerabilities. It is important because it provides a consistent way for organizations to prioritize vulnerability remediation efforts based on the potential impact to confidentiality, integrity, and availability of systems.
The Base Score represents the intrinsic characteristics of a vulnerability that remain constant over time. The Temporal Score adjusts the Base Score based on factors that change over time, such as exploit availability and patch status. The Environmental Score further customizes the score based on your specific organizational security requirements and asset importance.
CVSS v3.1 uses five severity ratings: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0). These ratings help security teams prioritize which vulnerabilities to address first, with Critical and High vulnerabilities typically requiring immediate attention.
Yes, this calculator generates a shareable URL that includes the complete CVSS vector string. You can copy this URL and share it with colleagues, security teams, or include it in vulnerability reports. The recipient will see the exact same metrics and scores when they open the link.
Attack Vector describes how a vulnerability can be exploited. Network (highest impact) means the attack can be launched remotely, Adjacent requires local network access, Local requires system access, and Physical requires physical device access. A Network attack vector typically results in higher scores because it allows remote exploitation without requiring proximity to the target.
The Scope metric indicates whether exploiting a vulnerability can affect resources beyond the vulnerable component. When Scope is Changed, the vulnerability can impact other components (like escaping a sandbox), which typically increases the overall score. When Unchanged, only the vulnerable component is affected.