CVSS 4.0 Calculator
Build a CVSS 4.0 vector and get the base score, severity rating, and a visual metric breakdown instantly, with results that match the official FIRST.org reference calculator.
Base metrics
Choose a value for each metric. The score updates in real time.
Temporal, environmental, and supplemental metrics
Optional. Leave a metric “Not Defined” to exclude it. When any temporal or environmental metric is set, the score reflects that higher level.
Threat metricsNot set
Environmental metricsNot set
Supplemental metricsNot set
Metric breakdown
A visual breakdown of the selected base metrics. Drag a point or tap a grey marker to explore how each metric shifts the score.
Why this score
Every base metric, plus any temporal/threat or environmental metric you set, and how it is contributing to the base score.
- BaseAttack Vector
Network
This metric reflects the context by which vulnerability exploitation is possible. The more remote (logically and physically) an attacker can be, the greater the severity.
- BaseAttack Complexity
Low
This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit.
- BaseAttack Requirements
None
This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques as their primary purpose is not to explicitly mitigate attacks.
- BasePrivileges Required
None
This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack is outside the scope of this metric.
- BaseUser Interaction
None
This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user must participate in some manner.
- BaseVulnerability Confidentiality
High
This metric measures the impact to the confidentiality of information managed by the vulnerable system. Confidentiality refers to limiting information access and disclosure to only authorized users.
- BaseVulnerability Integrity
High
This metric measures the impact to the integrity of the vulnerable system. Integrity refers to the trustworthiness and veracity of information.
- BaseVulnerability Availability
High
This metric measures the impact to the availability of the vulnerable system. Availability refers to the accessibility of information resources.
- BaseSubsequent Confidentiality
None
This metric measures the impact to the confidentiality of information managed by systems beyond the vulnerable system. This captures impacts that occur outside the vulnerable system's security scope.
- BaseSubsequent Integrity
None
This metric measures the impact to the integrity of systems beyond the vulnerable system. This captures impacts that breach the vulnerable system's security boundary.
- BaseSubsequent Availability
None
This metric measures the impact to the availability of systems beyond the vulnerable system. This captures availability impacts that extend beyond the vulnerable component itself.
About CVSS 4.0
How the CVSS 4.0 base score is built from its metrics.
CVSS 4.0 is the latest version of the Common Vulnerability Scoring System, released by FIRST.org in 2023. It refines the model from 3.1 with separate impact metrics for the vulnerable system (VC, VI, VA) and any subsequent system (SC, SI, SA), an Attack Requirements (AT) metric, and an expanded User Interaction metric (None, Passive, Active).
Select a value for each base metric below to build a CVSS 4.0 vector string and compute the base score in real time. The score, severity rating, and canonical vector string update immediately, and the vector can be copied, shared, or pasted back in to reproduce a score exactly.
Frequently asked questions
Common questions about CVSS 4.0 scoring.
- What is new in CVSS 4.0 compared to 3.1?
- CVSS 4.0, released in 2023, refines the model introduced in 3.1. It removes the Scope metric and replaces it with separate Vulnerable System (VC/VI/VA) and Subsequent System (SC/SI/SA) impact metrics, adds an Attack Requirements (AT) metric, expands User Interaction to Passive and Active, and introduces Supplemental metrics such as Automatable, Recovery, and Safety. The goal is finer-grained, more accurate severity assessment, especially for vulnerabilities that affect downstream systems.
- What base metrics does CVSS 4.0 use?
- CVSS 4.0 base metrics are Attack Vector (AV), Attack Complexity (AC), Attack Requirements (AT), Privileges Required (PR), and User Interaction (UI) for exploitability, plus separate impact metrics for the Vulnerable System (VC/VI/VA) and the Subsequent System (SC/SI/SA). It replaces the single Scope metric from 3.x with these distinct vulnerable and subsequent system impacts.
- How is a CVSS 4.0 base score calculated?
- The base score is derived from two sub-scores. Exploitability metrics describe how easy the vulnerability is to reach and trigger, and impact metrics describe the consequences to confidentiality, integrity, and availability. The standard formula combines these into a single value rounded to one decimal place. This calculator is designed to match the official FIRST.org reference calculator to one decimal place.
- What is a CVSS 4.0 vector string?
- A vector string is a compact, machine-readable representation of every metric value used to produce a score, for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It begins with the version prefix and lists each metric and its selected value separated by slashes. Vector strings let anyone reproduce the exact score and are the canonical way vulnerabilities are published in advisories and the National Vulnerability Database.
- How are CVSS 4.0 scores mapped to severity ratings?
- CVSS 4.0 uses the same five-band qualitative scale as 3.x: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, and Critical 9.0-10.0. The numeric base score is rounded to one decimal place.