CVSS Calculator — CVSS v3.1 Base Score & Vector

Base scores capture intrinsic vulnerability characteristics assuming reasonable exploit conditions. They enable sorting among thousands of findings — patch Critical network-routable vulnerabilities before Medium local issues when resources constrain.

Our calculator implements base metric mathematics client-side for transparency. Adjust one metric and watch score move — building intuition analysts need when vendor vectors look surprising.

Attack Vector (AV) scales from Physical — attacker touches device — through Local, Adjacent Network, to Network — remote exploitation. Attack Complexity (AC) Low means repeatable exploitation; High means conditions beyond attacker control. Privileges Required (PR) None means unauthenticated; Low and High require increasing existing access. User Interaction (UI) None means victimless exploitation; Required means a user must click or open something.

These four metrics combine into exploitability subscore weighted against impact. Remote unauthenticated bugs score higher than local authenticated flaws — holding other factors equal.

Scope Changed (S:C) applies when exploitation impacts components beyond the vulnerable component's security authority — sandbox escapes, VM guest-to-host, etc. Scope Unchanged (S:U) keeps impact within the same authority boundary. Confidentiality, Integrity, and Availability impacts rate None, Low, or High for data disclosure, modification, and service disruption respectively.

High CIA triad with Network AV and Scope Changed often reaches Critical band — nine to ten base score.

Score zero maps to None severity. Zero point one through three point nine is Low. Four through six point nine is Medium. Seven through eight point nine is High. Nine through ten is Critical. Labels align with common CVSS v3 reporting bands used in PCI and enterprise SLA frameworks.

Organizations may override labels with risk acceptance policies — calculator output is standardized starting point.

Generated vectors follow CVSS:3.1/AV:X/AC:X/PR:X/UI:X/S:X/C:X/I:X/A:X canonical ordering. Copy into tickets, advisories, and scanner configuration when documenting assumed metrics for hypothetical scenarios or variant analyses.

Compare calculator vector against cve-lookup results to verify vendor scoring consistency.

Vulnerability triage sometimes explores draft or embargoed scenario metrics unsuitable for server logging. Client-side calculation ensures selected metrics never transmit to our infrastructure — only your browser performs arithmetic.

Refresh clears state unless you bookmark or copy results — intentional for sensitive workflows.

Environmental metrics tailor scores to your asset exposure — internet-facing versus internal, security control mitigations. Temporal metrics incorporate exploit maturity and remediation level. This tool stops at base — add environmental adjustments manually in GRC platforms.

Do not compare base scores across teams applying different environmental profiles without normalization.

Security champions learning CVSS use calculator during onboarding exercises — toggling UI:R drops many web XSS findings from Critical to Medium bands. Patch advisory committees reproduce vendor vectors before approving emergency change windows.

Educators demonstrate metric sensitivity without spreadsheet errors.

cve-lookup fetches published scores for real CVE IDs. cvss-calculator explores metric space interactively. Together they connect authoritative records with hands-on metric understanding.

When scores diverge, verify scope and UI selections — vendors occasionally correct vectors post-publication.

Rounding to one decimal follows common display conventions. Floating edge cases at band boundaries may differ by zero point one from specific NVD rounding implementations.

Calculator does not validate metric combinations rejected by specification — all UI selections compute mathematically.