CVSS 3.1 Base Score Calculator


CVSS 3.1 base score calculator — choose the eight base metrics (attack vector, complexity, privileges, user interaction, scope, and confidentiality/integrity/availability impact) to get the base score, severity rating and the canonical CVSS vector string. Runs entirely in your browser.


How to Use the CVSS Calculator

  1. Set exploitability: pick attack vector, complexity, privileges and user interaction.
  2. Set scope: choose whether impact stays in the vulnerable component or spreads.
  3. Set impact: rate the confidentiality, integrity and availability impact.
  4. Read & copy: see the score and severity, then copy the vector string.


Scoring a Vulnerability the Standard Way

When a new vulnerability is found, the first question everyone asks is “how bad is it?” The Common Vulnerability Scoring System exists to answer that consistently. CVSS is an open, vendor-neutral standard that turns a set of qualitative judgements about a flaw into a single number from 0.0 to 10.0 and a matching severity label. This calculator implements the base-score portion of CVSS version 3.1 — the part that captures a vulnerability’s intrinsic characteristics, independent of any particular environment or moment in time — using the exact equations and metric weights from the official specification.

The base score is built from two halves. The exploitability side asks how reachable and how difficult the attack is: the Attack Vector (network, adjacent, local or physical), the Attack Complexity, the Privileges Required, and whether User Interaction is needed. The impact side asks what an attacker gains, rating the effect on Confidentiality, Integrity and Availability. Sitting between them is Scope, a subtle but important metric: if exploiting the flaw lets an attacker affect resources beyond the vulnerable component — escaping a sandbox or virtual machine, say — scope is Changed, and the score rises to reflect the larger blast radius. The tool combines these the way the standard prescribes, rounding up to one decimal place, and shows the exploitability and impact sub-scores so you can see what is driving the result.

Two outputs make CVSS practical. The severity rating — None, Low, Medium, High or Critical — gives teams an at-a-glance priority, and the colour of the result reflects it. The vector string, such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, encodes every choice you made in a compact, reproducible form that anyone can paste into a tracker or report to recreate your exact assessment. It is worth remembering what the base score is not: it measures severity in isolation, not full risk. Real-world risk also depends on asset exposure, compensating controls, data value and the likelihood of attack — which is what the Temporal and Environmental metric groups, layered on top of the base, are designed to capture. Everything here is computed locally in your browser, so the details of whatever you are assessing never leave your device.

The base score tells you how severe a flaw is in the abstract — your environment decides how much it actually matters.

10 Facts About CVSS

  01. CVSS is the open industry standard for scoring vulnerabilities.
  02. Base scores run from 0.0 to 10.0.
  03. Ratings: None, Low, Medium, High, Critical.
  04. The base score combines exploitability and impact.
  05. “Scope changed” means impact spreads beyond the vulnerable component.
  06. v3.1 refined the wording, not the formula, of v3.0.
  07. The vector string makes a score fully reproducible.
  08. NVD publishes CVSS scores for known CVEs.
  09. Base is constant; Temporal & Environmental adjust it.
  10. This calculator runs in your browser — nothing is uploaded.

Frequently Asked Questions

  • The Common Vulnerability Scoring System is an open, vendor-neutral standard for rating the severity of software vulnerabilities. It produces a number from 0.0 to 10.0 and a matching severity label, so that teams everywhere can describe and compare risk in a consistent way. This tool implements the base-score portion of CVSS version 3.1.
  • They are Attack Vector (how remote the attacker can be), Attack Complexity (how hard the attack is to pull off), Privileges Required, User Interaction, Scope (whether impact spreads beyond the vulnerable component), and the Confidentiality, Integrity and Availability impacts. Together these capture how easily a flaw can be exploited and how bad the consequences are.
  • CVSS combines an exploitability sub-score (from attack vector, complexity, privileges and user interaction) with an impact sub-score (from the confidentiality, integrity and availability metrics). The two are combined and rounded up to one decimal place, with a small multiplier applied when scope is changed. This calculator uses the exact formula and metric weights from the official v3.1 specification.
  • Scope captures whether a vulnerability in one component can affect resources beyond its own security authority. If exploiting the flaw only impacts the vulnerable component, scope is Unchanged; if it lets an attacker affect other components — for example escaping a sandbox or virtual machine — scope is Changed, which raises the score because the blast radius is larger.
  • CVSS v3.1 maps scores to qualitative ratings: 0.0 is None, 0.1–3.9 is Low, 4.0–6.9 is Medium, 7.0–8.9 is High, and 9.0–10.0 is Critical. These bands help teams prioritise: a Critical finding typically demands urgent patching, while a Low finding can often be scheduled into routine maintenance.
  • The vector string, such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, records every metric choice in a compact, standard format. Anyone who reads it can reproduce your exact score and see precisely how you assessed the vulnerability. It is the canonical way to share and document a CVSS rating, and you can copy it directly from this tool.
  • No. This calculator focuses on the Base score, which reflects the intrinsic characteristics of a vulnerability that do not change over time or across environments. Temporal metrics (such as exploit maturity) and Environmental metrics (which tailor the score to your specific deployment) adjust the base and are typically layered on afterward.
  • Not exactly. CVSS measures the severity of a vulnerability in isolation, which is an important input to risk but not the whole picture. Real risk also depends on how exposed the affected asset is, what compensating controls exist, the value of the data, and the likelihood of attack. Use CVSS to prioritise, then apply your own environmental context.
  • It implements the published CVSS v3.1 equations and metric weights exactly, and it reproduces the official reference vectors — for instance, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H yields 9.8. The scoring is deterministic, so identical metric selections always produce identical results, matching other compliant calculators.
  • No. All scoring runs locally in your browser. Nothing about the vulnerability you are assessing is transmitted, logged or stored, so the tool is safe to use for internal, undisclosed or sensitive findings.
