Skip to content

CVSS Calculator

Build a Common Vulnerability Scoring System (CVSS) vector and get the base score, severity rating, and a visual metric breakdown instantly. Choose your CVSS version below to open a dedicated calculator with results that match the official FIRST.org reference calculators.

New to CVSS? Read: What is CVSS?

About CVSS scoring

How the Common Vulnerability Scoring System turns metrics into a severity rating.

CVSS is the industry-standard framework for communicating the characteristics and severity of software vulnerabilities. A base score reflects the intrinsic qualities of a vulnerability that are constant over time and across environments. It is built from exploitability metrics, which describe how a vulnerability is reached and triggered, and impact metrics, which describe the consequences to confidentiality, integrity, and availability.

These calculators focus on the base metric group, the part most commonly published in advisories and the National Vulnerability Database. Select a value for each metric and the score, severity rating, and canonical vector string update immediately. The vector string can be copied and shared, or pasted back in to reproduce a score exactly.

Base scores for CVSS 3.0, 3.1, and 4.0 are computed with the in-house implementation that powers the RadicalNotion.AI vulnerability platform, and CVSS 2.0 uses the official FIRST equations. All results are designed to match the FIRST.org reference calculators to one decimal place.

Frequently asked questions

Common questions about CVSS and how scores are produced.

What is CVSS?
The Common Vulnerability Scoring System (CVSS) is an open, vendor-neutral standard maintained by FIRST.org for rating the severity of software vulnerabilities. It produces a numeric score from 0.0 to 10.0 along with a qualitative rating (None, Low, Medium, High, or Critical) so that organizations can compare and prioritize vulnerabilities consistently.
Which CVSS version should I use?
Use the version that matches the source of your vulnerability data. CVSS 4.0 is the latest standard and offers the most granular impact assessment, while CVSS 3.1 remains the most widely published version in the National Vulnerability Database and vendor advisories. CVSS 3.0 and 2.0 are older standards you may still encounter in historical records. Each version has its own calculator so scores and vector strings stay correct.
How is a CVSS base score calculated?
The base score is derived from two sub-scores. Exploitability metrics describe how easy the vulnerability is to reach and trigger (for example Attack Vector, Attack Complexity, Privileges Required, and User Interaction). Impact metrics describe the consequences to confidentiality, integrity, and availability. The standard formula combines these into a single value that is rounded to one decimal place. These calculators are designed to match the official FIRST.org reference calculators.
What is a CVSS vector string?
A vector string is a compact, machine-readable representation of every metric value used to produce a score, for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It begins with the version prefix and lists each metric and its selected value separated by slashes. Vector strings let anyone reproduce the exact score and are the canonical way vulnerabilities are published in advisories and the National Vulnerability Database.
How are CVSS scores mapped to severity ratings?
For CVSS 3.0, 3.1, and 4.0 the qualitative scale is: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, and Critical 9.0-10.0. CVSS 2.0 uses a simpler three-band scale with no Critical rating: Low 0.0-3.9, Medium 4.0-6.9, and High 7.0-10.0.