1. Home
  2. AI Tools
  3. CVSS Calculator
CVSS v3.1 Calculator
0.0 CVSS v3.1
None
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Base Score
0.0
Impact Score
0.0
Exploitability
0.0
Temporal Score
N/A
Env. Score
N/A
Exploitability Metrics
Attack Vector (AV) ?
Attack Complexity (AC) ?
Privileges Required (PR) ?
User Interaction (UI) ?
Scope & Impact Metrics
Scope (S) ?
Confidentiality (C) ?
Integrity (I) ?
Availability (A) ?

Why SeoWebChecker

Built for Security Professionals

Everything you need to accurately score vulnerabilities and communicate risk to your team and stakeholders.

CVSS v3.1 Compliant

Implements the complete CVSS v3.1 specification as defined by FIRST, ensuring your scores align with industry standards and NVD.

Real-Time Calculation

Scores update instantly as you select metrics — no submit button required. See the impact of each metric choice in real time.

Temporal & Environmental

Go beyond the Base Score with Temporal adjustments based on exploit availability and Environmental scores tailored to your organization.

Copy Vector String

One-click copy of the full CVSS vector string in standard format — ready to paste into vulnerability reports, tickets, and CVE entries.

Download JSON Report

Export a structured JSON report of all metrics, scores, and severity ratings — perfect for automated pipelines and security dashboards.

Detailed Tooltips

Every metric includes a contextual help tooltip explaining what it measures and how to choose the right value — ideal for teams learning CVSS.

Process

How to Use the CVSS Calculator

Score any vulnerability in four simple steps using the FIRST-compliant methodology.

Select Base Metrics

Choose values for all six Base metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and three Impact categories.

Review Base Score

See your Base Score, severity rating, and Impact/Exploitability sub-scores update instantly. The CVSS vector string is generated automatically.

Refine with Temporal

Optionally adjust with Temporal metrics — Exploit Code Maturity, Remediation Level, and Report Confidence — to reflect the real-world exploit landscape.

Export Your Results

Copy the vector string or download a full JSON report. Share scores with your team, integrate with ticketing systems, or include in vulnerability advisories.

Knowledge Base

Understanding CVSS: The Complete Guide

What Is the Common Vulnerability Scoring System (CVSS)?

The Common Vulnerability Scoring System (CVSS) is an open, industry-standard framework developed and maintained by FIRST (Forum of Incident Response and Security Teams). It provides a universal language for describing the characteristics and severity of software vulnerabilities, enabling security teams, vendors, and organizations to communicate risk with precision and consistency.

CVSS assigns a numerical score between 0.0 and 10.0 to a vulnerability, with higher scores indicating greater severity. The scoring system is widely adopted by the National Vulnerability Database (NVD), major security vendors, CVE entries, and regulatory frameworks including PCI DSS and FedRAMP.

CVSS v3.1: The Current Standard

CVSS version 3.1, published in June 2019, is the currently recommended standard. It refines version 3.0 by clarifying the meaning of several metrics and improving scoring consistency. Version 3.1 addresses ambiguities in how Scope, Privileges Required, and Attack Complexity were interpreted, resulting in more reproducible scores across different analysts.

While CVSS v4.0 was announced in 2023, CVSS v3.1 remains the dominant version in active use across vulnerability databases, security tools, and organizational policies.

CVSS Score Severity Ratings

FIRST defines five severity qualitative ratings that map to score ranges:

RatingScore RangeDescription
None0.0No impact; not a true vulnerability
Low0.1 – 3.9Limited impact, often requiring local access or complex conditions
Medium4.0 – 6.9Moderate impact; partial exploitation possible
High7.0 – 8.9Significant impact; typically remotely exploitable
Critical9.0 – 10.0Maximum impact; network-exploitable, no authentication required

The Three CVSS Score Groups

Base Score

The Base Score represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. It is composed of two metric groups: Exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope) and Impact metrics (Confidentiality, Integrity, Availability). The Base Score is the most widely reported CVSS score.

Temporal Score

The Temporal Score refines the Base Score by accounting for factors that change over time. It includes Exploit Code Maturity (is working exploit code publicly available?), Remediation Level (is a patch or workaround available?), and Report Confidence (how certain are we about the vulnerability's existence?). A newly published vulnerability with a functional exploit and no patch would score higher temporally than the same vulnerability after a patch is released.

Environmental Score

The Environmental Score allows organizations to customize the score based on their specific infrastructure and security requirements. Modified Base Metrics let you override how the vulnerability behaves in your specific environment, while Confidentiality, Integrity, and Availability Requirements let you specify how critical each impact dimension is to your organization. A vulnerability affecting a non-critical development server carries lower risk than the same vulnerability on a production payment system.

Why CVSS Matters for Security Teams

CVSS scores are the backbone of vulnerability prioritization programs. Security teams receive hundreds — sometimes thousands — of vulnerability alerts monthly. Without a standardized scoring system, teams would spend excessive time debating risk levels instead of remediating vulnerabilities. CVSS enables:

  • Consistent prioritization across teams and tooling
  • SLA enforcement — e.g., Critical vulnerabilities must be patched within 24 hours
  • Risk communication to executives and boards
  • Compliance reporting for frameworks requiring severity-based remediation
  • Integration with vulnerability management platforms (Qualys, Tenable, Rapid7)

Limitations of CVSS

While CVSS is a powerful tool, it has recognized limitations. The Base Score does not consider asset criticality, threat intelligence, or the likelihood of exploitation in a specific environment. Two vulnerabilities with identical CVSS scores may pose radically different risk levels depending on whether they are exposed to the internet, whether exploit code is actively used in the wild, or how critical the affected system is to the organization.

This is why security practitioners increasingly combine CVSS with EPSS (Exploit Prediction Scoring System), threat intelligence feeds, and asset-based risk models to achieve truly risk-based vulnerability prioritization.

How CVSS Scores Are Assigned

CVSS scores are assigned by the vulnerability's discoverer, the affected vendor, or NVD analysts using the published specification. For CVEs in the NVD, NIST analysts review vendor-assigned CVSS scores and may modify them if the scoring does not align with the specification. Tools like this CVSS Calculator allow security researchers and analysts to independently calculate and verify scores using the CVSS v3.1 formula.

FAQ

Frequently Asked Questions

CVSS (Common Vulnerability Scoring System) is the global standard for rating the severity of software security vulnerabilities. It's important because it provides a consistent, vendor-neutral language for communicating vulnerability risk, enabling security teams to prioritize remediation efforts, meet compliance requirements, and communicate risk to stakeholders with a universally understood metric.
The Base Score captures the intrinsic severity of the vulnerability independent of time or deployment context. The Temporal Score adjusts the Base based on current exploit availability and remediation status — it changes as patches are released and exploit code matures. The Environmental Score lets organizations customize the score based on their specific infrastructure, security controls, and the criticality of the affected assets.
A CVSS score of 10.0 represents the worst-case scenario: a vulnerability that is network-accessible, requires no special conditions or authentication, needs no user interaction, has Changed scope, and results in complete loss of Confidentiality, Integrity, and Availability. Examples include unauthenticated remote code execution vulnerabilities on internet-facing systems.
This calculator implements CVSS v3.1, the current version maintained by FIRST. CVSS v3.1 is the version used by NVD, CVE, and the majority of security platforms including Tenable, Qualys, and Rapid7. While CVSS v4.0 was published in 2023, v3.1 remains the dominant standard in active use.
The Base Score is derived from two sub-scores: the Impact Sub-Score (ISS) calculated from Confidentiality, Integrity, and Availability metrics, and the Exploitability Sub-Score (ESS) from Attack Vector, Attack Complexity, Privileges Required, and User Interaction. When Scope is Unchanged: Base Score = Roundup(min(ISS + ESS, 10)). When Scope is Changed, additional multipliers apply. This calculator implements the complete CVSS v3.1 formula.
Yes — this calculator implements the official CVSS v3.1 specification and can be used to calculate scores for vulnerability research and CVE submissions. However, official CVE CVSS scores are assigned by CNAs (CVE Numbering Authorities) or NVD analysts and must follow FIRST's official scoring guidelines. Always review your scores against the FIRST CVSS v3.1 specification document for submission to official databases.

Start Scoring Vulnerabilities Now

Join security professionals worldwide using SeoWebChecker to calculate, communicate, and prioritize vulnerability risk with the industry-standard CVSS framework.

⚡ Open Calculator 📖 Learn How It Works