CVSS Calculator

CVSS (Common Vulnerability Scoring System) is an open standard for rating the severity of software vulnerabilities on a 0.0–10.0 scale. A vulnerability is described by a vector of metrics (how it is exploited, what it impacts), which a formula turns into a numeric base score and a qualitative rating from None to Critical.

CVSS v4.0 (2023) refines v3.1 with finer-grained metrics: it splits impact into the vulnerable system and subsequent systems, adds Attack Requirements (AT) and a renamed Exploit Maturity (Threat) group, and replaces the single formula with a MacroVector lookup. v3.1 (2019) was a clarification of v3.0 that fixed rounding and the environmental impact formula. Scores are not directly comparable across versions.

The base score reflects the intrinsic, version-independent severity of a vulnerability. The temporal score (called Threat in v4.0) adjusts it for the current state of exploitation. The environmental score tailors it to your own environment via security requirements and modified base metrics. Most published scores (e.g. on NVD) are base scores.

For CVSS v3.x and v4.0: 0.0 is None, 0.1–3.9 Low, 4.0–6.9 Medium, 7.0–8.9 High and 9.0–10.0 Critical. CVSS v2.0 uses three bands only: 0.0–3.9 Low, 4.0–6.9 Medium and 7.0–10.0 High.

For v2 and v3 the score is a closed-form formula over the metric weights (exploitability and impact sub-scores combined and rounded). For v4.0 the metrics are reduced to an equivalence class ("MacroVector") whose score is looked up and then interpolated by the mean severity distance to the worst case. This calculator computes all of them in your browser, matching the official FIRST.org reference to the published one-decimal score.