Skip to content

CVSS 3.0 Calculator

Build a CVSS 3.0 vector and get the base score, severity rating, and a visual metric breakdown instantly, with results that match the official FIRST.org reference calculator.

New to CVSS? Read: What is CVSS?

9.8CRITICALCVSS 3.0 base score

Base metrics

Choose a value for each metric. The score updates in real time.

AV
AC
PR
UI
S
C
I
A

Temporal, environmental, and supplemental metrics

Optional. Leave a metric “Not Defined” to exclude it. When any temporal or environmental metric is set, the score reflects that higher level.

Temporal metricsNot set
E
RL
RC
Environmental metricsNot set
CR
IR
AR
MAV
MAC
MPR
MUI
MS
MC
MI
MA

Metric breakdown

A visual breakdown of the selected base metrics. Drag a point or tap a grey marker to explore how each metric shifts the score.

Why this score

Every base metric, plus any temporal/threat or environmental metric you set, and how it is contributing to the base score.

  • BaseAttack Vector

    Network

    This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component.

  • BaseAttack Complexity

    Low

    This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. As described below, such conditions may require the collection of more information about the target, the presence of certain system configuration settings, or computational exceptions.

  • BasePrivileges Required

    None

    This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This metric is greatest if no privileges are required.

  • BaseUser Interaction

    None

    This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

  • BaseScope

    Unchanged

    Formally, Scope refers to the collection of privileges defined by a computing authority when granting access to computing resources. When a vulnerability in one component is able to affect resources governed by another authorization scope, a Scope change has occurred.

  • BaseConfidentiality Impact

    High

    This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users.

  • BaseIntegrity Impact

    High

    This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

  • BaseAvailability Impact

    High

    This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. This metric refers to the loss of availability of the impacted component itself, such as a networked service.

About CVSS 3.0

How the CVSS 3.0 base score is built from its metrics.

CVSS 3.0 is the first release of the 3.x series of the Common Vulnerability Scoring System, introduced by FIRST.org in 2015. It uses the same base metrics as 3.1, including the Scope metric, but its scoring formula rounds slightly differently, so 3.0 scores are reproduced with a dedicated calculator.

Select a value for each base metric below to build a CVSS 3.0 vector string and compute the base score in real time. The score, severity rating, and canonical vector string update immediately, and the vector can be copied, shared, or pasted back in to reproduce a score exactly.

Frequently asked questions

Common questions about CVSS 3.0 scoring.

Should I use CVSS 3.0 or 3.1?
CVSS 3.1 superseded 3.0 in 2019 and is the recommended choice for new scoring because it clarifies definitions and rounding. CVSS 3.0 remains relevant for reproducing or interpreting scores that were originally published under the 3.0 standard.
What base metrics does CVSS 3.0 use?
CVSS 3.0 base metrics are Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), and Scope (S), plus Confidentiality (C), Integrity (I), and Availability (A) impact. The metric set is identical to 3.1; only the scoring formula differs slightly in its rounding behavior.
How is a CVSS 3.0 base score calculated?
The base score is derived from two sub-scores. Exploitability metrics describe how easy the vulnerability is to reach and trigger, and impact metrics describe the consequences to confidentiality, integrity, and availability. The standard formula combines these into a single value rounded to one decimal place. This calculator is designed to match the official FIRST.org reference calculator to one decimal place.
What is a CVSS 3.0 vector string?
A vector string is a compact, machine-readable representation of every metric value used to produce a score, for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It begins with the version prefix and lists each metric and its selected value separated by slashes. Vector strings let anyone reproduce the exact score and are the canonical way vulnerabilities are published in advisories and the National Vulnerability Database.
How are CVSS 3.0 scores mapped to severity ratings?
CVSS 3.0 uses a five-band qualitative scale: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, and Critical 9.0-10.0. The numeric base score is rounded to one decimal place. The 3.1 revision kept this scale but refined the rounding rules in the formula.