CVSS 3.1 Calculator
Build a CVSS 3.1 vector and get the base score, severity rating, and a visual metric breakdown instantly, with results that match the official FIRST.org reference calculator.
Base metrics
Choose a value for each metric. The score updates in real time.
Temporal, environmental, and supplemental metrics
Optional. Leave a metric “Not Defined” to exclude it. When any temporal or environmental metric is set, the score reflects that higher level.
Temporal metricsNot set
Environmental metricsNot set
Metric breakdown
A visual breakdown of the selected base metrics. Drag a point or tap a grey marker to explore how each metric shifts the score.
Why this score
Every base metric, plus any temporal/threat or environmental metric you set, and how it is contributing to the base score.
- BaseAttack Vector
Network
This metric reflects the context by which vulnerability exploitation is possible. The Base Score is larger the more remote (logically and physically) an attacker can be in order to exploit the vulnerable component.
- BaseAttack Complexity
Low
This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. The Base Score is greatest for the least complex attacks.
- BasePrivileges Required
None
This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. The Base Score is greatest if no privileges are required.
- BaseUser Interaction
None
This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. The Base Score is greatest when no user interaction is required.
- BaseScope
Unchanged
This metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope. A scope change occurs when the impact of a vulnerability breaches a security/trust boundary.
- BaseConfidentiality
High
This metric measures the impact to the confidentiality of information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users.
- BaseIntegrity
High
This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. The Base Score is greatest when the consequence to the impacted component is highest.
- BaseAvailability
High
This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. While Confidentiality and Integrity impact metrics apply to data, this metric refers to the loss of availability of the impacted component itself.
About CVSS 3.1
How the CVSS 3.1 base score is built from its metrics.
CVSS 3.1 is the most widely published version of the Common Vulnerability Scoring System, used throughout the National Vulnerability Database and vendor advisories. Released by FIRST.org in 2019, it keeps the metrics and qualitative scale of 3.0 while clarifying definitions and refining the scoring formula.
Select a value for each base metric below to build a CVSS 3.1 vector string and compute the base score in real time. The score, severity rating, and canonical vector string update immediately, and the vector can be copied, shared, or pasted back in to reproduce a score exactly.
Frequently asked questions
Common questions about CVSS 3.1 scoring.
- How does CVSS 3.1 differ from CVSS 3.0?
- CVSS 3.1 keeps the same metrics and qualitative scale as 3.0 but clarifies definitions and refines the formula, most notably the rounding behavior, so scores are more consistent. CVSS 3.1 is the most widely published version in the National Vulnerability Database and vendor advisories.
- What base metrics does CVSS 3.1 use?
- CVSS 3.1 base metrics are Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), and Scope (S) for exploitability and scope, plus Confidentiality (C), Integrity (I), and Availability (A) impact. Scope captures whether an exploited vulnerability can affect resources beyond its security authority.
- How is a CVSS 3.1 base score calculated?
- The base score is derived from two sub-scores. Exploitability metrics describe how easy the vulnerability is to reach and trigger, and impact metrics describe the consequences to confidentiality, integrity, and availability. The standard formula combines these into a single value rounded to one decimal place. This calculator is designed to match the official FIRST.org reference calculator to one decimal place.
- What is a CVSS 3.1 vector string?
- A vector string is a compact, machine-readable representation of every metric value used to produce a score, for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It begins with the version prefix and lists each metric and its selected value separated by slashes. Vector strings let anyone reproduce the exact score and are the canonical way vulnerabilities are published in advisories and the National Vulnerability Database.
- How are CVSS 3.1 scores mapped to severity ratings?
- CVSS 3.1 uses a five-band qualitative scale: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, and Critical 9.0-10.0. The numeric base score is rounded to one decimal place.