This calculator computes the CVSS v3.1 Base Score using the official formula published by FIRST.org (the Forum of Incident Response and Security Teams), the organization that maintains the CVSS standard. Select each of the 8 base metrics to get the base score, severity rating, and the standard vector string used to record and share the score.
CVSS v3.1's Base Score is built from two metric groups. Exploitability metrics describe how the vulnerability is exploited: Attack Vector (AV) — whether the attacker needs network access, adjacent network access, local access, or physical access; Attack Complexity (AC) — whether exploitation requires special conditions beyond attacker control; Privileges Required (PR) — what level of access the attacker needs before the attack; User Interaction (UI) — whether a victim must take some action for the exploit to succeed; and Scope (S) — whether the vulnerability can impact resources beyond its own security scope (e.g., a bug in one component that lets an attacker affect an entirely different component). Impact metrics describe the consequence if exploited: Confidentiality (C), Integrity (I), and Availability (A), each rated None, Low, or High.
The Impact Sub-Score (ISS) combines the three CIA impacts: ISS = 1 − [(1−C)×(1−I)×(1−A)], reflecting that impacts partially overlap rather than simply summing. If Scope is Unchanged, Impact = 6.42 × ISS; if Scope is Changed, a different formula (7.52×(ISS−0.029) − 3.25×(ISS−0.02)¹⁵) applies extra weight because the vulnerability affects components beyond its own security authority. The Exploitability Sub-Score multiplies the four exploitability metric values together with a constant: Exploitability = 8.22 × AV × AC × PR × UI (with PR's numeric value itself depending on whether Scope changed). The Base Score is then Impact + Exploitability, capped at 10 and rounded up to one decimal place — with an extra ×1.08 multiplier applied when Scope is Changed.
This calculator computes only the CVSS Base Score, which reflects the intrinsic, constant characteristics of a vulnerability — it's what gets published for a CVE. CVSS also defines optional Temporal metrics (which account for whether a working exploit exists, whether a fix is available, and confidence in the report — these change over the vulnerability's lifecycle) and Environmental metrics (which let an organization adjust the score for its own specific deployment context, security requirements, and compensating controls). A full CVSS assessment for internal risk prioritization should layer temporal and environmental metrics on top of the base score rather than treating the base score alone as the final word on how urgently to respond to a specific vulnerability in your environment.
Select each of the 8 base metric values based on the vulnerability's actual characteristics — most published CVEs already include an official CVSS vector string (e.g. in the NVD database entry) that you can reproduce here to verify the score, or use this tool to score a vulnerability you've found yourself before it has an assigned score. The vector string shown at the bottom is the standard machine-readable format for recording and sharing a CVSS score — most vulnerability management and SIEM tools accept it directly.
Scope reflects whether a vulnerability in one security authority (say, a guest VM) can be used to impact resources under a different security authority (say, the host system or another VM) — this is considered a more severe finding than a vulnerability contained entirely within its own scope, because it breaks a security boundary the system was relying on. CVSS v3.1 encodes this by both increasing the Impact formula's weighting and applying an additional 1.08× multiplier to the final combined score when Scope is Changed, which is why the same underlying CIA impacts score noticeably higher with Scope Changed than Unchanged.
Attack Complexity (AC) describes conditions outside the attacker's control that must exist for the attack to succeed — things like needing to win a race condition, needing specific non-default configuration, or needing to gather information about the target through some separate reconnaissance step. Privileges Required (PR) describes what level of access the attacker must already have on the vulnerable system before launching the attack — none, a regular user account, or administrative access. A vulnerability can be Low complexity but still require High privileges (e.g., a straightforward local privilege-escalation bug that any authenticated user can trigger), so these two metrics are independent, not two versions of the same idea.
If your inputs exactly match the published vector string, the score should match exactly — this calculator implements the official FIRST.org formula precisely, including the specific rounding-up-to-one-decimal rule. Mismatches usually mean either a metric was selected differently than the official assessment (double-check each of the 8 values against the CVE's published vector string), or the CVE was scored under an earlier CVSS version (v2.0 or v3.0) with different metric definitions and formulas than v3.1 — always confirm which CVSS version a published score uses before comparing.
Base Score alone is a reasonable starting filter but is deliberately context-free — it doesn't know whether a working exploit exists in the wild (a Temporal metric), or whether the vulnerable system is internet-facing versus air-gapped in your specific environment (an Environmental metric). Many vulnerability management programs combine CVSS Base Score with threat-intelligence signals like EPSS (Exploit Prediction Scoring System) or known-exploited-vulnerability lists, plus their own environmental context, rather than patching purely in CVSS Base Score order — a "only" 6.5-scored vulnerability being actively exploited in the wild against your exact exposed configuration is often a higher real-world priority than an unexploited 9.0.
The "Vulnerability Management for Engineers: CVE, CVSS, and Patch Lifecycle" article covers the broader process CVSS scoring fits into — how CVEs get assigned, how organizations track and prioritize them, and the typical patch lifecycle from disclosure to remediation. This calculator is the hands-on companion for the CVSS-scoring piece of that process specifically — use the article for the process context and this tool when you need to actually compute or verify a specific score.
Try our Cybersecurity Studio
More calculators, simulators, and guides for this discipline.