CVSS Score Calculator

Measure vulnerability severity with transparent CVSS math. See vectors, subscores, charts, and exports in one place. Use it confidently for faster, cleaner security prioritization workflows.

Example Data Table

| Reference | Vector String | Base Score | Severity | Scenario |
|---|---|---|---|---|
| CVE-2026-1001 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 | Critical | Remote unauthenticated RCE |
| CVE-2026-1002 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N | 3.9 | Low | Authenticated phishing chain |
| CVE-2026-1003 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 7.2 | High | Privilege escalation on host |
| CVE-2026-1004 | CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L | 1.8 | Low | Local maintenance abuse case |

Formula Used

This calculator evaluates CVSS v3.1 using base, temporal, and environmental metrics. It computes exploitability, impact, and modified environmental values, then rounds upward to one decimal place.

How to Use This Calculator

  1. Select the base metrics that best describe the vulnerability.
  2. Add temporal values when exploit maturity or remediation status matters.
  3. Adjust environmental settings for the affected organization or asset.
  4. Click the calculation button to generate scores and vector output.
  5. Review the chart, severity ratings, and subscores for context.
  6. Export the result as CSV or PDF for reporting workflows.

FAQs

1. What does CVSS measure?

CVSS measures technical severity, not full business risk. It standardizes how exploitability and impact are described so teams can compare vulnerabilities consistently.

2. Why are there three scores here?

Base reflects intrinsic severity. Temporal adjusts for exploit maturity and remediation. Environmental tailors scoring to your environment, requirements, and deployed conditions.

3. What is the vector string used for?

The vector string compresses all selected metric values into one standardized format. It makes sharing, reproducing, and validating a score much easier.

4. Why can scope change increase the score?

Changed scope means compromise crosses a security boundary. That can raise impact because the vulnerable component affects resources beyond its original authority.

5. Should I always fill environmental metrics?

No. Use them when local deployment conditions matter. If not defined, the calculator falls back to the base values for a more general score.

6. Why does roundup matter in CVSS?

CVSS uses a strict upward rounding rule to one decimal place. Standard decimal rounding can produce different scores and inconsistent reporting.

7. Can this replace vulnerability prioritization?

No. Prioritization should also include asset value, exploit activity, exposure, detections, compensating controls, and business impact alongside CVSS.

8. Is a high base score always critical for my organization?

Not always. A high base score can become less urgent if the asset is isolated, protected, or low value. Environmental context is important.