CVSS Calculator (v3.1)
An expert tool for calculating Common Vulnerability Scoring System scores.
Base Score Metrics
These metrics represent the intrinsic qualities of a vulnerability.
- Attack Vector (AV): The context by which vulnerability exploitation is possible.
- Attack Complexity (AC): Conditions beyond the attacker’s control that must exist to exploit the vulnerability.
- Privileges Required (PR): The level of privileges an attacker must possess before successfully exploiting the vulnerability.
- User Interaction (UI): Whether the vulnerability can be exploited without participation from any user.
- Scope (S): Whether a successful exploit impacts a component beyond its security scope.
- Confidentiality (C): The impact on the confidentiality of the information managed by the system.
- Integrity (I): The impact on the integrity of the information managed by the system.
- Availability (A): The impact on the availability of the impacted component.
What is a CVSS Calculator?
A CVSS calculator is a tool that implements the Common Vulnerability Scoring System, a free and open industry standard for assessing the severity of computer system security vulnerabilities. It helps cybersecurity professionals, developers, and IT managers translate a set of qualitative vulnerability characteristics into a quantitative score, which in turn helps prioritize responses and resources.
The score, ranging from 0.0 to 10.0, is derived from several metrics, including how easy the vulnerability is to exploit and its potential impact on confidentiality, integrity, and availability. Our CVSS calculator simplifies this process: select the metric values and instantly see the resulting Base Score, Impact Score, and overall severity rating. This standardized approach provides a common language for describing vulnerability severity across organizations and vendors.
The CVSS 3.1 Formula and Explanation
The CVSS v3.1 calculation is a multi-step process. It begins with the Base Score, which is built from two sub-scores: the Impact Sub-Score (ISS) and the Exploitability Sub-Score. The final score is not a simple sum of these; it is produced by a non-linear formula that weighs the two parts. A key aspect is the ‘Scope’ metric: if a vulnerability in one component can affect other components (Scope: Changed), the potential impact is treated as much higher.
Formula Components:
- Impact Sub-Score (ISS): Calculated from the impacts to Confidentiality (C), Integrity (I), and Availability (A): `ISS = 1 - [(1 - ImpactConf) × (1 - ImpactInteg) × (1 - ImpactAvail)]`.
- Impact Score: If the Scope is Unchanged, this is `6.42 × ISS`. If Changed, the formula is `7.52 × (ISS - 0.029) - 3.25 × (ISS - 0.02)^15`.
- Exploitability Score: The product of the weights for Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), and User Interaction (UI): `8.22 × AV × AC × PR × UI`.
- Base Score: The final step. If the Impact Score is 0 or less, the Base Score is 0. Otherwise it is the sum of the Impact and Exploitability scores, multiplied by 1.08 if the Scope has Changed, capped at 10.0, and rounded up to one decimal place.
| Variable | Meaning | Type (Metric Group) | Possible Values |
|---|---|---|---|
| AV | Attack Vector | Categorical (Exploitability) | Network, Adjacent, Local, Physical |
| AC | Attack Complexity | Categorical (Exploitability) | Low, High |
| PR | Privileges Required | Categorical (Exploitability) | None, Low, High |
| UI | User Interaction | Categorical (Exploitability) | None, Required |
| S | Scope | Categorical (Modifier) | Unchanged, Changed |
| C, I, A | Confidentiality, Integrity, Availability | Categorical (Impact) | High, Low, None |
Practical Examples
Example 1: Remotely Exploitable SQL Injection
Imagine a web application vulnerable to SQL injection through a public-facing form. An unauthenticated attacker can exploit it over the internet without any user interaction.
- Inputs: AV: Network, AC: Low, PR: None, UI: None, S: Unchanged, C: High, I: High, A: High
- Units: These are categorical metrics, not physical units.
- Results: This configuration results in a Base Score of 9.8 (Critical), indicating a very severe vulnerability that should be patched immediately. You can test this in the vulnerability scoring tool.
Example 2: Local Privilege Escalation
Consider a vulnerability in an operating system service that allows a logged-in user with low privileges to gain administrative (root) access. The exploit requires complex steps.
- Inputs: AV: Local, AC: High, PR: Low, UI: None, S: Changed, C: High, I: High, A: High
- Units: The metrics are categorical.
- Results: This scenario yields a Base Score of 7.8 (High). While serious, the requirement for local access and high complexity makes it less critical than the remote example. Find out more with this risk assessment calculator.
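The formula components and the two practical examples above, worked through as added example code (this is not the calculator's own source): a Python implementation of the v3.1 Base Score that parses a vector string for the eight Base metrics, applies the official weights, uses the specification's integer-arithmetic Roundup, and reproduces the 9.8 and 7.8 results. Function names and the dictionary layout are this example's own choices; the weights are the official ones from the v3.1 specification.

```python
import math

# Official CVSS v3.1 numeric weights for each Base metric value.
# Privileges Required has separate weights when Scope is Changed.
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
    "I": {"H": 0.56, "L": 0.22, "N": 0.0},
    "A": {"H": 0.56, "L": 0.22, "N": 0.0},
}
PR_WEIGHTS = {
    "U": {"N": 0.85, "L": 0.62, "H": 0.27},  # Scope Unchanged
    "C": {"N": 0.85, "L": 0.68, "H": 0.50},  # Scope Changed
}
# The eight Base metrics and the single-letter values each accepts.
ALLOWED = {
    "AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR",
    "S": "UC", "C": "HLN", "I": "HLN", "A": "HLN",
}


def roundup(value):
    """CVSS v3.1 Roundup: the smallest one-decimal number >= value.

    Done in integer arithmetic, as the specification recommends, so that
    floating-point noise such as 4.000000001 does not push a score up a notch.
    """
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def parse_vector(vector):
    """Parse 'CVSS:3.1/AV:N/AC:L/...' (Base metrics only) into {metric: value}."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:3.1":
        raise ValueError("vector must start with CVSS:3.1")
    metrics = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or name not in ALLOWED or value not in ALLOWED[name]:
            raise ValueError(f"unknown metric or value: {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric: {name}")
        metrics[name] = value
    missing = [m for m in ALLOWED if m not in metrics]
    if missing:
        raise ValueError("missing Base metrics: " + ", ".join(missing))
    return metrics


def severity(score):
    """Qualitative rating from the v3.1 severity scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def base_score(metrics):
    """Compute ISS, Impact, Exploitability and Base score from parsed metrics."""
    scope_changed = metrics["S"] == "C"
    iss = 1.0 - ((1.0 - WEIGHTS["C"][metrics["C"]])
                 * (1.0 - WEIGHTS["I"][metrics["I"]])
                 * (1.0 - WEIGHTS["A"][metrics["A"]]))
    if scope_changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = (8.22 * WEIGHTS["AV"][metrics["AV"]]
                      * WEIGHTS["AC"][metrics["AC"]]
                      * PR_WEIGHTS[metrics["S"]][metrics["PR"]]
                      * WEIGHTS["UI"][metrics["UI"]])
    # The Changed-scope impact formula is slightly negative when C, I and A are
    # all None, so the zero check must be "<= 0", not "== 0".
    if impact <= 0:
        base = 0.0
    elif scope_changed:
        base = roundup(min(1.08 * (impact + exploitability), 10.0))
    else:
        base = roundup(min(impact + exploitability, 10.0))
    return {"iss": iss, "impact": impact, "exploitability": exploitability,
            "base": base, "severity": severity(base)}


def score_vector(vector):
    """Vector string in, score dictionary out."""
    return base_score(parse_vector(vector))


def is_valid_vector(vector):
    """True if the string is a complete, well-formed v3.1 Base vector."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The two worked examples from the page: expected 9.8 (Critical) and 7.8 (High).
    for v in ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"):
        r = score_vector(v)
        print(f"{v}\n  base={r['base']} ({r['severity']}) impact={r['impact']:.1f} "
              f"exploitability={r['exploitability']:.1f}")
```

The parser is deliberately strict: it rejects a wrong version prefix, unknown metrics or values, duplicates, and incomplete vectors, since a score computed from a silently defaulted metric would be misleading in a report. Temporal and Environmental metrics are out of scope here and are also rejected.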
How to Use This CVSS Calculator
Using our CVSS calculator is a straightforward process designed for both experts and newcomers. Follow these steps to determine the severity of a vulnerability accurately.
- Select Base Metrics: Go through each dropdown in the “Base Score Metrics” section. Hovering over a metric can give you a hint. For each metric, like Attack Vector (AV) or Privileges Required (PR), choose the value that best describes the vulnerability.
- Review the Scores: As you make selections, the calculator instantly updates the Base Score, Impact Score, Exploitability Score, and overall Severity rating (from Low to Critical).
- Analyze the Vector String: The calculator generates a “Vector String” (e.g., CVSS:3.1/AV:N/AC:L…). This is a standardized, shareable text format that represents your selections. It’s essential for communicating the vulnerability details precisely.
- Reset or Copy: Use the “Reset” button to clear all selections and start over. Use the “Copy Results” button to save the score, severity, and vector string to your clipboard for use in reports or tickets.
Key Factors That Affect a CVSS Score
The final score in a CVSS calculator is sensitive to several key inputs. Understanding these factors is crucial for accurate assessment.
- Attack Vector (AV): All other metrics being equal, a vulnerability exploitable over the ‘Network’ scores higher than one requiring ‘Physical’ access. Remotely exploitable flaws are the most dangerous.
- Privileges Required (PR): If an attacker needs no prior privileges (‘None’), the score increases significantly. Vulnerabilities that can be exploited by unauthenticated users are a major concern.
- Scope (S): This is a critical multiplier. A ‘Changed’ scope means the vulnerability allows an attacker to break out of the security authority of the vulnerable component and impact others, leading to a much higher score.
- Impact Metrics (C, I, A): A ‘High’ impact on Confidentiality, Integrity, AND Availability (the “CIA triad”) will result in the highest possible Impact Sub-Score. Even a ‘High’ impact on just one of these can be severe.
- Attack Complexity (AC): A ‘Low’ complexity means the exploit is easy and repeatable, which increases the score. ‘High’ complexity implies special conditions are needed, lowering the score.
- User Interaction (UI): If ‘None’ is required, the vulnerability can be exploited autonomously (e.g., by a worm), making it far more dangerous and thus increasing the score.
Frequently Asked Questions (FAQ)
- 1. What is the difference between CVSS v3.1 and v4.0?
- CVSS v4.0 was introduced to provide a more granular and refined scoring system, adding new metrics like Attack Requirements (AT) and separating impact metrics for the vulnerable system and subsequent systems. This calculator uses v3.1, which is still the most widely adopted standard.
- 2. Is a high CVSS score always a high risk?
- Not necessarily. CVSS measures technical severity, not risk. A high-severity vulnerability (e.g., 9.8) on an internal, air-gapped system might be a lower immediate risk than a medium-severity (e.g., 6.5) vulnerability on a public-facing, mission-critical server.
- 3. What does a “Scope Change” mean?
- It means the exploit allows an attacker to affect resources beyond the security scope of the vulnerable component. For example, a vulnerability in a sandboxed application that allows the attacker to execute commands on the host operating system is a Scope Change.
- 4. How are the metric values (e.g., N, L, H) converted to numbers?
- The CVSS standard assigns specific numeric weights to each categorical value. For example, for Attack Vector, N=0.85, A=0.62, L=0.55, and P=0.2. Our CVSS calculator uses these official weights in its formulas.
- 5. What is a CVSS vector string?
- It’s a compact, textual representation of the selected metrics. It starts with “CVSS:3.1” and lists each metric’s abbreviation and chosen value (e.g., /AV:N/AC:L…). It allows anyone to see exactly how a score was derived.
- 6. Can I use this CVSS calculator for commercial reports?
- Yes, the CVSS standard and this calculator are free to use. FIRST.org, which manages CVSS, requires that any published scores include the vector string to ensure transparency.
- 7. Why does the score sometimes jump significantly with one change?
- The CVSS formula is non-linear. Certain combinations, especially changing Scope from Unchanged to Changed, or Privileges Required from Low to None, cross thresholds in the formula that result in large score increases.
- 8. What if a metric doesn’t apply?
- The Base Metrics are designed to be universally applicable. If a certain impact like Confidentiality is not affected, you select ‘None’ (N). The CVSS framework does not have an “N/A” option for Base metrics.