Skip to content

CVSS 3.0 Calculator

Build a CVSS 3.0 vector and get the base score, severity rating, and a visual metric breakdown instantly, with results that match the official FIRST.org reference calculator.

New to CVSS? Read: What is CVSS?

Base metrics

Choose a value for each metric. The score updates in real time.

AV
AC
PR
UI
S
C
I
A

Temporal, environmental, and supplemental metrics

Optional. Leave a metric “Not Defined” to exclude it. When any temporal or environmental metric is set, the score reflects that higher level.

Temporal metricsNot set
E
RL
RC
Environmental metricsNot set
CR
IR
AR
MAV
MAC
MPR
MUI
MS
MC
MI
MA

Metric breakdown

A visual breakdown of the selected base metrics. Drag a point or tap a grey marker to explore how each metric shifts the score.

CVSS v3.0 Score Breakdown

Drag the points to see how the score would change

9.8
CRITICAL
Attack VectorAttackComplexityPrivilegesRequiredUserInteractionScopeConfidentialityIntegrityAvailability

About CVSS 3.0

How the CVSS 3.0 base score is built from its metrics.

CVSS 3.0 is the first release of the 3.x series of the Common Vulnerability Scoring System, introduced by FIRST.org in 2015. It uses the same base metrics as 3.1, including the Scope metric, but its scoring formula rounds slightly differently, so 3.0 scores are reproduced with a dedicated calculator.

Select a value for each base metric below to build a CVSS 3.0 vector string and compute the base score in real time. The score, severity rating, and canonical vector string update immediately, and the vector can be copied, shared, or pasted back in to reproduce a score exactly.

Frequently asked questions

Common questions about CVSS 3.0 scoring.

Should I use CVSS 3.0 or 3.1?
CVSS 3.1 superseded 3.0 in 2019 and is the recommended choice for new scoring because it clarifies definitions and rounding. CVSS 3.0 remains relevant for reproducing or interpreting scores that were originally published under the 3.0 standard.
What base metrics does CVSS 3.0 use?
CVSS 3.0 base metrics are Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), and Scope (S), plus Confidentiality (C), Integrity (I), and Availability (A) impact. The metric set is identical to 3.1; only the scoring formula differs slightly in its rounding behavior.
How is a CVSS 3.0 base score calculated?
The base score is derived from two sub-scores. Exploitability metrics describe how easy the vulnerability is to reach and trigger, and impact metrics describe the consequences to confidentiality, integrity, and availability. The standard formula combines these into a single value rounded to one decimal place. This calculator is designed to match the official FIRST.org reference calculator to one decimal place.
What is a CVSS 3.0 vector string?
A vector string is a compact, machine-readable representation of every metric value used to produce a score, for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It begins with the version prefix and lists each metric and its selected value separated by slashes. Vector strings let anyone reproduce the exact score and are the canonical way vulnerabilities are published in advisories and the National Vulnerability Database.
How are CVSS 3.0 scores mapped to severity ratings?
CVSS 3.0 uses a five-band qualitative scale: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, and Critical 9.0-10.0. The numeric base score is rounded to one decimal place. The 3.1 revision kept this scale but refined the rounding rules in the formula.