CVSS 4.0 Calculator

Build a CVSS 4.0 vector and get the base score, severity rating, and a visual metric breakdown instantly, with results that match the official FIRST.org reference calculator.

Base metrics

Choose a value for each metric. The score updates in real time.

AV, AC, AT, PR, UI, VC, VI, VA, SC, SI, SA

Threat, environmental, and supplemental metrics

Optional. Leave a metric “Not Defined” to exclude it. When any threat or environmental metric is set, the score reflects that higher level.

Threat metrics: E

Environmental metrics: CR, IR, AR, MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA

Supplemental metrics: S, AU, R, V, RE, U

Metric breakdown

A visual breakdown of the selected base metrics. Drag a point or tap a grey marker to explore how each metric shifts the score.

[Chart: CVSS v4.0 Score Breakdown. Displayed score: 9.3 (CRITICAL). Axes: Attack Vector, Attack Complexity, Attack Requirements, Privileges Required, User Interaction, Vulnerability Confidentiality, Vulnerability Integrity, Vulnerability Availability, Subsequent Confidentiality, Subsequent Integrity, Subsequent Availability]

About CVSS 4.0

How the CVSS 4.0 base score is built from its metrics.

CVSS 4.0 is the latest version of the Common Vulnerability Scoring System, released by FIRST.org in 2023. It refines the model from 3.1 with separate impact metrics for the vulnerable system (VC, VI, VA) and any subsequent system (SC, SI, SA), an Attack Requirements (AT) metric, and an expanded User Interaction metric (None, Passive, Active).

Select a value for each base metric below to build a CVSS 4.0 vector string and compute the base score in real time. The score, severity rating, and canonical vector string update immediately, and the vector can be copied, shared, or pasted back in to reproduce a score exactly.

Frequently asked questions

Common questions about CVSS 4.0 scoring.

What is new in CVSS 4.0 compared to 3.1?
CVSS 4.0, released in 2023, refines the model introduced in 3.1. It removes the Scope metric and replaces it with separate Vulnerable System (VC/VI/VA) and Subsequent System (SC/SI/SA) impact metrics, adds an Attack Requirements (AT) metric, expands User Interaction to Passive and Active, and introduces Supplemental metrics such as Automatable, Recovery, and Safety. The goal is finer-grained, more accurate severity assessment, especially for vulnerabilities that affect downstream systems.
What base metrics does CVSS 4.0 use?
CVSS 4.0 base metrics are Attack Vector (AV), Attack Complexity (AC), Attack Requirements (AT), Privileges Required (PR), and User Interaction (UI) for exploitability, plus separate impact metrics for the Vulnerable System (VC/VI/VA) and the Subsequent System (SC/SI/SA). It replaces the single Scope metric from 3.x with these distinct vulnerable and subsequent system impacts.
How is a CVSS 4.0 base score calculated?
The base score is derived from two sub-scores. Exploitability metrics describe how easy the vulnerability is to reach and trigger, and impact metrics describe the consequences to confidentiality, integrity, and availability. The standard formula combines these into a single value rounded to one decimal place. This calculator is designed to match the official FIRST.org reference calculator to one decimal place.
What is a CVSS 4.0 vector string?
A vector string is a compact, machine-readable representation of every metric value used to produce a score, for example CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. It begins with the version prefix and lists each metric and its selected value separated by slashes. Vector strings let anyone reproduce the exact score and are the canonical way vulnerabilities are published in advisories and the National Vulnerability Database.
How are CVSS 4.0 scores mapped to severity ratings?
CVSS 4.0 uses the same five-band qualitative scale as 3.x: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, and Critical 9.0-10.0. The numeric base score is rounded to one decimal place.
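
The vector-string format and severity bands described in the answers above can be checked before a vector is stored or acted on. The following is an added example, not the calculator's own code: `parse_vector` and `severity` are hypothetical names, the sample vector is constructed, and the block validates base metrics only (optional metric values are not checked, and no score is computed).

```python
# Base metrics with allowed single-letter values, in the order the
# CVSS 4.0 specification requires them to appear in a vector string.
BASE = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN",
    "SC": "HLN", "SI": "HLN", "SA": "HLN",
}
# Optional metric names as listed on this page; values are not validated here.
OPTIONAL = ("E CR IR AR MAV MAC MAT MPR MUI MVC MVI MVA MSC MSI MSA "
            "S AU R V RE U").split()
ORDER = list(BASE) + OPTIONAL

# Constructed sample input, not taken from any advisory.
SAMPLE = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"


def parse_vector(vector):
    """Return {metric: value} for a well-formed CVSS 4.0 vector, else raise ValueError."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:4.0":  # rejects 3.x vectors pasted into a 4.0 field
        raise ValueError(f"not a CVSS 4.0 vector (prefix {prefix!r})")
    metrics, last = {}, -1
    for part in rest.split("/"):
        name, sep, value = part.partition(":")
        if not sep or not value or name not in ORDER:
            raise ValueError(f"unknown or malformed metric {part!r}")
        pos = ORDER.index(name)
        if pos <= last:  # catches both duplicates and wrong ordering
            raise ValueError(f"metric {name} is duplicated or out of order")
        last = pos
        if name in BASE and (len(value) != 1 or value not in BASE[name]):
            raise ValueError(f"invalid value {value!r} for {name}")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError("missing base metrics: " + ", ".join(missing))
    return metrics


def severity(score):
    """Map a score between 0.0 and 10.0 to the five-band qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("score out of range")
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return label
    return "None"
```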