Calculate CVSS v3.1 Base Score from attack vector, complexity, privileges, user interaction, scope, and CIA impact metrics.
The Common Vulnerability Scoring System (CVSS) v3.1 is the industry standard for rating the severity of security vulnerabilities. The Base Score ranges from 0.0 to 10.0 and is computed from eight metrics that capture how the vulnerability can be exploited (attack vector, complexity, privileges required, user interaction) and what impact it has (confidentiality, integrity, availability) within or beyond the vulnerable component's scope.
This calculator implements the full CVSS v3.1 Base Score algorithm. Select the appropriate value for each metric and instantly see the resulting score and severity rating (None, Low, Medium, High, Critical). It's useful for security analysts filing vulnerability reports, development teams triaging security bugs, and anyone who needs to understand or communicate vulnerability severity.
CVSS scores are required for CVE submissions, vulnerability management prioritization, and compliance reporting. This calculator eliminates manual computation and ensures consistent scoring. The visual breakdown helps teams understand which factors contribute most to a vulnerability's severity.
ISS = 1 − [(1 − C) × (1 − I) × (1 − A)]. Impact (Unchanged) = 6.42 × ISS. Impact (Changed) = 7.52 × [ISS − 0.029] − 3.25 × [ISS − 0.02]^15. Exploitability = 8.22 × AV × AC × PR × UI. Base = roundup(min(Impact + Exploitability, 10)).
Result: 9.8 Critical
A network-accessible vulnerability requiring no privileges, no user interaction, with low complexity and high impact across all three CIA pillars scores 9.8 (Critical). This represents a remotely exploitable, easy-to-exploit vulnerability with total system compromise — like a remote code execution with no authentication.
The eight base metrics are divided into Exploitability metrics (AV, AC, PR, UI) and Impact metrics (C, I, A), with Scope (S) bridging both. Each metric has defined values with specific numeric weights used in the score calculation.
Attack Vector (AV): Network (0.85), Adjacent (0.62), Local (0.55), Physical (0.20). Attack Complexity (AC): Low (0.77), High (0.44). Privileges Required (PR): None (0.85), Low (0.62, or 0.68 when Scope is Changed), High (0.27, or 0.50 when Scope is Changed). User Interaction (UI): None (0.85), Required (0.62).
Confidentiality, Integrity, and Availability: High (0.56), Low (0.22), None (0). These combine into the Impact Sub-Score using the ISS formula, which is then modified based on whether Scope is Changed or Unchanged.
CVSS doesn't consider exploit maturity, real-world prevalence, or organizational context. Supplement CVSS with EPSS (Exploit Prediction Scoring System), threat intelligence feeds, and asset criticality assessments for a complete risk picture.
None: 0.0. Low: 0.1–3.9. Medium: 4.0–6.9. High: 7.0–8.9. Critical: 9.0–10.0. These ratings help quickly communicate vulnerability urgency. Critical and High typically require immediate remediation.
Scope is Changed when a vulnerability in one component impacts resources beyond that component's security scope. For example, a VM escape vulnerability has Changed scope because the vulnerability in the VM impacts the host. This increases the overall score.
In CVSS v3.1, the Privileges Required metric has different weights depending on whether Scope is Changed or Unchanged. This reflects that privilege escalation across scope boundaries is more impactful.
No. CVSS Base Score measures theoretical severity in isolation. Effective prioritization also considers: exploit availability, whether the vulnerability is being actively exploited, asset criticality, and compensating controls. CVSS is one input to risk-based prioritization.
Confidentiality (C): data exposure risk. Integrity (I): data modification risk. Availability (A): service disruption risk. Each is rated None, Low, or High based on the impact if the vulnerability is exploited.
CVSS v4.0 (released 2023) adds more granular metrics including Attack Requirements, updated Scope handling via Vulnerable/Subsequent System impact, and Supplemental metrics. It aims to reduce scoring subjectivity and better reflect real-world risk.