Skip to content

CVSS 3.1 Calculator

Build a CVSS 3.1 vector and get the base score, severity rating, and a visual metric breakdown instantly, with results that match the official FIRST.org reference calculator.

New to CVSS? Read: What is CVSS?

Base metrics

Choose a value for each metric. The score updates in real time.

AV
AC
PR
UI
S
C
I
A

Temporal, environmental, and supplemental metrics

Optional. Leave a metric “Not Defined” to exclude it. When any temporal or environmental metric is set, the score reflects that higher level.

Temporal metricsNot set
E
RL
RC
Environmental metricsNot set
CR
IR
AR
MAV
MAC
MPR
MUI
MS
MC
MI
MA

Metric breakdown

A visual breakdown of the selected base metrics. Drag a point or tap a grey marker to explore how each metric shifts the score.

CVSS v3.1 Score Breakdown

Drag the points to see how the score would change

9.8
CRITICAL
Attack VectorAttackComplexityPrivilegesRequiredUserInteractionScopeConfidentialityIntegrityAvailability

About CVSS 3.1

How the CVSS 3.1 base score is built from its metrics.

CVSS 3.1 is the most widely published version of the Common Vulnerability Scoring System, used throughout the National Vulnerability Database and vendor advisories. Released by FIRST.org in 2019, it keeps the metrics and qualitative scale of 3.0 while clarifying definitions and refining the scoring formula.

Select a value for each base metric below to build a CVSS 3.1 vector string and compute the base score in real time. The score, severity rating, and canonical vector string update immediately, and the vector can be copied, shared, or pasted back in to reproduce a score exactly.

Frequently asked questions

Common questions about CVSS 3.1 scoring.

How does CVSS 3.1 differ from CVSS 3.0?
CVSS 3.1 keeps the same metrics and qualitative scale as 3.0 but clarifies definitions and refines the formula, most notably the rounding behavior, so scores are more consistent. CVSS 3.1 is the most widely published version in the National Vulnerability Database and vendor advisories.
What base metrics does CVSS 3.1 use?
CVSS 3.1 base metrics are Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), and Scope (S) for exploitability and scope, plus Confidentiality (C), Integrity (I), and Availability (A) impact. Scope captures whether an exploited vulnerability can affect resources beyond its security authority.
How is a CVSS 3.1 base score calculated?
The base score is derived from two sub-scores. Exploitability metrics describe how easy the vulnerability is to reach and trigger, and impact metrics describe the consequences to confidentiality, integrity, and availability. The standard formula combines these into a single value rounded to one decimal place. This calculator is designed to match the official FIRST.org reference calculator to one decimal place.
What is a CVSS 3.1 vector string?
A vector string is a compact, machine-readable representation of every metric value used to produce a score, for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It begins with the version prefix and lists each metric and its selected value separated by slashes. Vector strings let anyone reproduce the exact score and are the canonical way vulnerabilities are published in advisories and the National Vulnerability Database.
How are CVSS 3.1 scores mapped to severity ratings?
CVSS 3.1 uses a five-band qualitative scale: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, and Critical 9.0-10.0. The numeric base score is rounded to one decimal place.