CVSS Calculator — 2.0, 3.0, 3.1 and 4.0
Score a vulnerability in any CVSS version — 2.0, 3.0, 3.1 or 4.0. Pick the version, build the vector and get the score and severity instantly.
Runs 100% in your browser · nothing is sent
Optional metrics (Temporal / Environmental / Supplemental)
Computed per the official FIRST.org specifications. Runs 100% in your browser — nothing is sent anywhere.
// reference
What is CVSS
CVSS (Common Vulnerability Scoring System) is the open standard, maintained by FIRST, for measuring the severity of a vulnerability on a 0–10 scale. The vector is the string that records how each metric was rated (e.g. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making the score reproducible and auditable.
Severity: None, Low, Medium, High and Critical
The numeric score maps to a qualitative band (valid for CVSS 3.0, 3.1 and 4.0):
| Severity | Score range |
|---|---|
| None | 0.0 |
| Low | 0.1 – 3.9 |
| Medium | 4.0 – 6.9 |
| High | 7.0 – 8.9 |
| Critical | 9.0 – 10.0 |
The base metrics
The base metrics describe intrinsic characteristics of the flaw that don't change over time or with the environment. In CVSS 3.1 there are eight:
- AV — Attack Vector: Where the attack comes from: network, adjacent, local or physical. The more remote, the higher the score.
- AC — Attack Complexity: Whether exploitation depends on conditions beyond the attacker's control. Low complexity weighs more.
- PR — Privileges Required: The privilege level the attacker needs before exploiting: none, low or high.
- UI — User Interaction: Whether the flaw requires a victim to do something (click, open) or fires on its own.
- S — Scope: Whether the flaw crosses the security boundary and affects resources beyond the vulnerable component.
- C — Confidentiality: How much confidentiality is compromised — none, partial or total.
- I — Integrity: How much of the data's integrity the attacker can alter.
- A — Availability: How much of the service's availability is affected (for example, denial of service).
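As an added illustration (not the calculator's own code), the JavaScript below parses a CVSS 3.1 base vector strictly, applies the weights and Roundup rule from the FIRST.org specification, and maps the score to the severity bands above. The names `scoreCvss31`, `roundup` and `severity` are chosen for this example; vectors carrying Temporal or Environmental metrics are rejected rather than scored.

```javascript
// CVSS 3.1 base-metric weights from the FIRST.org specification.
const W = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  PR: { N: [0.85, 0.85], L: [0.62, 0.68], H: [0.27, 0.5] }, // [Unchanged, Changed]
  UI: { N: 0.85, R: 0.62 },
  S: { U: false, C: true }, // true when Scope is Changed
  C: { H: 0.56, L: 0.22, N: 0 },
  I: { H: 0.56, L: 0.22, N: 0 },
  A: { H: 0.56, L: 0.22, N: 0 },
};
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Spec-defined Roundup: smallest one-decimal value >= x, computed on integers
// so floating-point noise cannot push a score across a severity boundary.
function roundup(x) {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}

function severity(score) {
  if (score === 0) return "None";
  if (score < 4) return "Low";
  if (score < 7) return "Medium";
  return score < 9 ? "High" : "Critical";
}

// Unknown, duplicate, malformed or missing metrics throw instead of being
// silently defaulted, so a truncated vector never yields a plausible score.
function scoreCvss31(vector) {
  const [prefix, ...parts] = vector.split("/");
  if (prefix !== "CVSS:3.1") throw new Error("not a CVSS 3.1 vector");
  const m = {};
  for (const part of parts) {
    const [k, v, extra] = part.split(":");
    if (extra !== undefined || !has(W, k) || !has(W[k], v) || has(m, k))
      throw new Error("bad metric: " + part);
    m[k] = W[k][v];
  }
  if (Object.keys(m).length !== 8) throw new Error("missing base metric");
  const changed = m.S;
  const iss = 1 - (1 - m.C) * (1 - m.I) * (1 - m.A);
  const impact = changed
    ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
    : 6.42 * iss;
  const expl = 8.22 * m.AV * m.AC * m.PR[changed ? 1 : 0] * m.UI;
  const raw = changed ? 1.08 * (impact + expl) : impact + expl;
  const score = impact <= 0 ? 0 : roundup(Math.min(raw, 10));
  return { score, severity: severity(score) };
}
```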
Versions: 2.0, 3.0, 3.1 and 4.0
2.0 is legacy and rarely required today. 3.0 and 3.1 introduced Scope and are the most widely used standard. 4.0 (2023) is the newest: it replaces the Temporal group with Threat, separates impact on the vulnerable system from impact on subsequent systems, adds Attack Requirements (AT) and supplemental metrics like Safety. The calculator covers all four versions.
Frequently asked questions
What is CVSS?
CVSS (Common Vulnerability Scoring System) is the open standard, maintained by FIRST, for measuring the severity of a vulnerability on a 0–10 scale. The vector records how each metric was rated.
What's the difference between CVSS 3.1 and 4.0?
4.0 replaces the Temporal group with Threat, separates impact on the vulnerable system from impact on subsequent systems, adds Attack Requirements (AT) and supplemental metrics like Safety. In practice it describes real risk better.
How do I score a vulnerability with CVSS?
Pick the version, set each base metric (attack vector, complexity, privileges, interaction and impact on confidentiality, integrity and availability) and the score and severity appear instantly. Refine with temporal or environmental metrics if needed.
What do None, Low, Medium, High and Critical mean?
They are the qualitative score ranges: None 0.0, Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9 and Critical 9.0–10.0. They apply to CVSS 3.0, 3.1 and 4.0.
Is my data sent to any server?
No. The calculation runs 100% in your browser, following the official FIRST.org specifications — nothing is sent anywhere.