What is the difference between Base, Temporal, and Environmental scores?

The Base Score represents the intrinsic characteristics of a vulnerability that remain constant over time. The Temporal Score adjusts the Base Score based on factors that change over time, such as exploit availability and patch status. The Environmental Score further customizes the score based on your specific organizational security requirements and asset importance.

What do the CVSS severity ratings mean?

CVSS v3.1 uses five severity ratings: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0). These ratings help security teams prioritize which vulnerabilities to address first, with Critical and High vulnerabilities typically requiring immediate attention.

Can I share my CVSS calculation with others?

Yes, this calculator generates a shareable URL that includes the complete CVSS vector string. You can copy this URL and share it with colleagues, security teams, or include it in vulnerability reports. The recipient will see the exact same metrics and scores when they open the link.

What is the Attack Vector metric and how does it affect the score?

Attack Vector describes how a vulnerability can be exploited. Network (highest impact) means the attack can be launched remotely, Adjacent requires local network access, Local requires system access, and Physical requires physical device access. A Network attack vector typically results in higher scores because it allows remote exploitation without requiring proximity to the target.

How does the Scope metric impact the CVSS score?

The Scope metric indicates whether exploiting a vulnerability can affect resources beyond the vulnerable component. When Scope is Changed, the vulnerability can impact other components (like escaping a sandbox), which typically increases the overall score. When Unchanged, only the vulnerable component is affected.

Home/Tools/Security/CVSS Calculator

CVSS Calculator

Calculate CVSS v3.1 vulnerability severity scores with Base, Temporal, and Environmental metrics. Generate vector strings and severity ratings.

Need Professional Security Testing?

Our penetration testers find vulnerabilities before attackers do. Get a comprehensive security assessment.

Learn About Penetration Testing Explore Risk Assessment

What Is CVSS

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the severity of software vulnerabilities. Maintained by the Forum of Incident Response and Security Teams (FIRST), CVSS provides a standardized numerical score from 0.0 to 10.0 that reflects the technical severity of a vulnerability, helping organizations prioritize remediation efforts.

CVSS is the de facto standard used by the National Vulnerability Database (NVD), vulnerability scanners like Nessus and Qualys, and compliance frameworks including PCI DSS and FedRAMP. Understanding how CVSS scores are calculated enables security teams to make informed patching decisions rather than treating every vulnerability as equally urgent.

How CVSS Scoring Works

CVSS 3.1 (the current widely-deployed version) calculates scores using three metric groups:

Base Score Metrics

Metric	Options	Measures
Attack Vector (AV)	Network, Adjacent, Local, Physical	How the attacker reaches the vulnerability
Attack Complexity (AC)	Low, High	Conditions beyond attacker control required for exploitation
Privileges Required (PR)	None, Low, High	Authentication level needed
User Interaction (UI)	None, Required	Whether a victim must take action
Scope (S)	Unchanged, Changed	Whether exploitation impacts resources beyond the vulnerable component
Confidentiality (C)	None, Low, High	Impact on information disclosure
Integrity (I)	None, Low, High	Impact on data modification
Availability (A)	None, Low, High	Impact on system accessibility

Severity Ratings

Score Range	Severity	Typical Response
0.0	None	No action needed
0.1 - 3.9	Low	Patch in next maintenance window
4.0 - 6.9	Medium	Patch within 30 days
7.0 - 8.9	High	Patch within 1-2 weeks
9.0 - 10.0	Critical	Immediate patching or mitigation

Common Use Cases

Vulnerability prioritization: Rank hundreds of scanner findings by CVSS score to focus remediation on the most severe issues first
SLA definition: Establish patching timelines tied to CVSS severity levels in your vulnerability management policy
Risk communication: Translate technical vulnerability details into a standardized score that non-technical stakeholders can understand
Compliance evidence: PCI DSS Requirement 6.1 requires ranking vulnerabilities by risk — CVSS provides the recognized methodology
Vendor comparisons: Evaluate the security track record of third-party software by analyzing historical CVSS distributions

Best Practices

Use Environmental metrics for context — The Base Score reflects generic severity. Use the Environmental metric group to adjust scores based on your specific deployment: a network-accessible vulnerability in an air-gapped system is less critical than the base score suggests.
Don't ignore Medium-severity findings — Organizations that only patch Critical and High CVEs accumulate a growing attack surface of exploitable Medium vulnerabilities. Address these within defined SLAs.
Combine CVSS with exploit intelligence — A CVSS 7.5 vulnerability with a public Metasploit module poses more immediate risk than a CVSS 9.0 with no known exploit. Cross-reference with CISA KEV, Exploit-DB, and threat intelligence feeds.
Understand CVSS 4.0 changes — CVSS 4.0 introduces granular attack requirements, updated environmental metrics, and supplemental metrics for automatable attacks and recovery. Plan your transition from 3.1 to 4.0.
Document your scoring rationale — When you adjust scores using Temporal or Environmental metrics, record why. Auditors and future analysts need to understand your risk acceptance decisions.

Frequently Asked Questions

Common questions about the CVSS Calculator

CVSS (Common Vulnerability Scoring System) is an industry-standard framework for rating the severity of security vulnerabilities. It is important because it provides a consistent way for organizations to prioritize vulnerability remediation efforts based on the potential impact to confidentiality, integrity, and availability of systems.

ℹ️ Disclaimer

This tool is provided for informational and educational purposes only. All processing happens entirely in your browser - no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.