Skip to content

CVSS 2.0 Calculator

Build a CVSS 2.0 vector and get the base score, severity rating, and a visual metric breakdown instantly, with results that match the official FIRST.org reference calculator.

New to CVSS? Read: What is CVSS?

Base metrics

Choose a value for each metric. The score updates in real time.

AV
AC
Au
C
I
A

Temporal, environmental, and supplemental metrics

Optional. Leave a metric “Not Defined” to exclude it. When any temporal or environmental metric is set, the score reflects that higher level.

Temporal metricsNot set
E
RL
RC
Environmental metricsNot set
CDP
TD
CR
IR
AR

Metric breakdown

A visual breakdown of the selected base metrics. Drag a point or tap a grey marker to explore how each metric shifts the score.

CVSS v2.0 Score Breakdown

Drag the points to see how the score would change

10
HIGH
Access VectorAccessComplexityAuthenticationConfidentialityIntegrityAvailability

About CVSS 2.0

How the CVSS 2.0 base score is built from its metrics.

CVSS 2.0 is the legacy version of the Common Vulnerability Scoring System, used in older advisories and historical National Vulnerability Database entries. It has a simpler base metric set (Access Vector, Access Complexity, Authentication, and Confidentiality, Integrity, and Availability impact) and a three-band severity scale with no Critical rating.

Select a value for each base metric below to build a CVSS 2.0 vector string and compute the base score in real time. The score, severity rating, and canonical vector string update immediately, and the vector can be copied, shared, or pasted back in to reproduce a score exactly.

Frequently asked questions

Common questions about CVSS 2.0 scoring.

Is CVSS 2.0 still used?
CVSS 2.0 was superseded by the 3.x series in 2015 and by 4.0 in 2023, but you will still encounter 2.0 scores in historical advisories and older National Vulnerability Database entries. This calculator reproduces 2.0 base scores exactly so you can interpret legacy data accurately.
What base metrics does CVSS 2.0 use?
CVSS 2.0 base metrics are Access Vector (AV), Access Complexity (AC), and Authentication (Au) for exploitability, plus Confidentiality (C), Integrity (I), and Availability (A) impact, each rated None, Partial, or Complete. CVSS 2.0 has no Scope, Attack Requirements, or subsequent-system metrics.
How is a CVSS 2.0 base score calculated?
The base score is derived from two sub-scores. Exploitability metrics describe how easy the vulnerability is to reach and trigger, and impact metrics describe the consequences to confidentiality, integrity, and availability. The standard formula combines these into a single value rounded to one decimal place. This calculator is designed to match the official FIRST.org reference calculator to one decimal place.
What is a CVSS 2.0 vector string?
A vector string is a compact, machine-readable representation of every metric value used to produce a score, for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It begins with the version prefix and lists each metric and its selected value separated by slashes. Vector strings let anyone reproduce the exact score and are the canonical way vulnerabilities are published in advisories and the National Vulnerability Database.
How are CVSS 2.0 scores mapped to severity ratings?
CVSS 2.0 uses a simpler three-band scale with no Critical or None rating: Low 0.0-3.9, Medium 4.0-6.9, and High 7.0-10.0. The numeric base score is rounded to one decimal place.