CVSS Calculator

How to use

1. 1Set each of the eight base metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and the Confidentiality, Integrity, and Availability impacts.
2. 2Read the Base score and its severity rating as soon as all base metrics are chosen.
3. 3Optionally open the temporal and environmental metrics to refine the score for exploit maturity, remediation status, and your own environment.
4. 4Copy the generated CVSS v3.1 vector string to paste into a report, ticket, or CVE record.
5. 5To analyze an existing score, paste its vector into the decode box and press Load vector to fill the selectors and see the score.
6. 6Use a preset for a quick starting point, then adjust the metrics to match your case.

About this tool

CVSS Calculator scores the severity of a software vulnerability using version 3.1 of the Common Vulnerability Scoring System maintained by FIRST.org, the same standard quoted in CVE records and vendor security advisories. You pick a value for each metric and the tool produces a number from 0.0 to 10.0, a severity rating, and the canonical vector string that travels with the score. The Base score is the part everyone reports. It is built from two halves. The Exploitability sub-score looks at how the vulnerability is reached and how hard it is to abuse: Attack Vector (Network, Adjacent, Local, or Physical), Attack Complexity, the Privileges Required of the attacker, and whether separate User Interaction is needed. The Impact sub-score measures the damage to Confidentiality, Integrity, and Availability. The Scope metric ties them together: when a flaw in one component can affect resources beyond it, the score is weighted higher and the Privileges Required values change, which is exactly how the specification treats a sandbox or boundary escape. All eight base metrics are required before a score appears. Two optional metric groups refine the result and never raise the Base score on their own. Temporal metrics account for the present moment: whether a working exploit exists (Exploit Code Maturity), whether a fix is available (Remediation Level), and how trustworthy the report is (Report Confidence). Environmental metrics tailor the score to your own deployment: Confidentiality, Integrity, and Availability Requirements re-weight impact for systems where one of those matters more than the others, and the Modified base metrics let you override any base value for your network without changing the original advisory. Every value follows the published equations, including the integer-arithmetic Roundup from Appendix A of the specification, so a vector here lands on the same number as the official calculator and other conformant tools. The vector string is generated as you click and updates live, ready to paste into a ticket, a report, or a CVE submission. You can also work backward: paste a vector such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and the selectors fill in so you can read, audit, or re-score it, with clear messages when a value or metric code is not valid. Built-in presets cover common shapes like a critical remote code execution, a reflected cross-site scripting flaw, a local privilege escalation, and a network denial of service. Everything runs in your browser as you work, so the vulnerability details you enter are never uploaded, logged, or stored.

Free to use. Works in your browser. No signup, no login.