How to read a CVSS vector string
Last reviewed June 2, 2026
A CVSS vector string is a compact, machine-readable summary of every metric used to calculate a score. It starts with the version prefix (such as CVSS:3.1) followed by slash-separated metric:value pairs. Reading it left to right tells you exactly how the score was derived, so you can audit or recalculate it.
Anatomy of a vector string
Take the example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The first segment, CVSS:3.1, declares the version. Every segment after it is a metric abbreviation, a colon, and a value abbreviation. This vector scores 9.8 (Critical): network-reachable, low complexity, no privileges or interaction needed, and full impact on all three security properties.
The Base metrics, decoded
The Base group always appears first and is required. Here is what each abbreviation in the v3.1 example means.
| Code | Metric | Example value |
|---|---|---|
| AV | Attack Vector | N (Network) |
| AC | Attack Complexity | L (Low) |
| PR | Privileges Required | N (None) |
| UI | User Interaction | N (None) |
| S | Scope | U (Unchanged) |
| C | Confidentiality Impact | H (High) |
| I | Integrity Impact | H (High) |
| A | Availability Impact | H (High) |
Common value abbreviations
- Attack Vector (AV): N Network, A Adjacent, L Local, P Physical.
- Attack Complexity (AC): L Low, H High.
- Privileges Required (PR): N None, L Low, H High.
- User Interaction (UI): N None, R Required (v3.1) or N/P/A Passive/Active in v4.0.
- Impact metrics (C/I/A): N None, L Low, H High.
Vectors look different across versions
A v4.0 vector starts with CVSS:4.0 and splits impact into the vulnerable system (VC, VI, VA) and the subsequent system (SC, SI, SA), and it adds an Attack Requirements (AT) metric. A v2.0 vector has no version prefix in many tools and uses AV, AC, Au, C, I, A. Always check the prefix before interpreting the codes.
Verifying a score from a vector
Because the vector contains every input, you can paste it into a CVSS calculator to reproduce the score exactly. This is useful when a vendor and a national database publish different numbers, since comparing vectors shows precisely which metric they disagreed on.
Keep exploring
Frequently asked questions
- What does CVSS:3.1 at the start of a vector mean?
- It is the version prefix. CVSS:3.1 means the vector and its score use the CVSS version 3.1 specification. CVSS:4.0 and CVSS:3.0 are other prefixes you may see.
- What does AV:N mean in a CVSS vector?
- AV:N means Attack Vector is Network, so the vulnerability can be exploited remotely across a network rather than requiring local or physical access.
- Can I recalculate a score from just the vector?
- Yes. The vector string contains every metric value used in the calculation, so pasting it into a CVSS calculator reproduces the exact score.
- Why do v4.0 vectors have more letters?
- CVSS v4.0 splits impact into vulnerable-system (VC, VI, VA) and subsequent-system (SC, SI, SA) metrics and adds Attack Requirements (AT), so its vectors carry more metric pairs than v3.1.
