Calculate CVSS v3.1 Base Score from attack vector, complexity, privileges, user interaction, scope, and CIA impact metrics.
The Common Vulnerability Scoring System (CVSS) v3.1 is the industry standard for rating the severity of security vulnerabilities. The Base Score ranges from 0.0 to 10.0 and is computed from eight metrics that capture how the vulnerability can be exploited (attack vector, complexity, privileges required, user interaction) and what impact it has (confidentiality, integrity, availability) within or beyond the vulnerable component's scope.
This calculator implements the full CVSS v3.1 Base Score algorithm. Select the appropriate value for each metric and see the resulting score and severity rating (None, Low, Medium, High, Critical). It's useful for security analysts filing vulnerability reports, development teams triaging security bugs, and anyone who needs to understand or communicate vulnerability severity.
CVSS scores are required for CVE submissions, vulnerability management prioritization, and compliance reporting. This calculator removes the need to work the formula by hand and ensures consistent scoring. The visual breakdown helps teams understand which factors contribute most to a vulnerability's severity.
ISS = 1 − [(1 − C) × (1 − I) × (1 − A)]
Impact (Unchanged) = 6.42 × ISS
Impact (Changed) = 7.52 × [ISS − 0.029] − 3.25 × [ISS − 0.02]^15
Exploitability = 8.22 × AV × AC × PR × UI
Base = roundup(min(Impact + Exploitability, 10))

Result: 9.8 Critical
A network-accessible vulnerability requiring no privileges, no user interaction, with low complexity and high impact across all three CIA pillars scores 9.8 (Critical). This represents a remotely exploitable, easy-to-exploit vulnerability with total system compromise — like a remote code execution with no authentication.
The eight base metrics are divided into Exploitability metrics (AV, AC, PR, UI) and Impact metrics (C, I, A), with Scope (S) bridging both. Each metric has defined values with specific numeric weights used in the score calculation.
Attack Vector (AV): Network (0.85), Adjacent (0.62), Local (0.55), Physical (0.20). Attack Complexity (AC): Low (0.77), High (0.44). Privileges Required (PR), given as Scope Unchanged/Changed: None (0.85), Low (0.62/0.68), High (0.27/0.50). User Interaction (UI): None (0.85), Required (0.62).
Confidentiality, Integrity, and Availability: High (0.56), Low (0.22), None (0). These combine into the Impact Sub-Score using the ISS formula, which is then modified based on whether Scope is Changed or Unchanged.
CVSS doesn't consider exploit maturity, real-world prevalence, or organizational context. Supplement CVSS with EPSS (Exploit Prediction Scoring System), threat intelligence feeds, and asset criticality assessments for a complete risk picture.
None: 0.0. Low: 0.1–3.9. Medium: 4.0–6.9. High: 7.0–8.9. Critical: 9.0–10.0. These ratings help quickly communicate vulnerability urgency. Critical and High typically require immediate remediation.
Scope is Changed when a vulnerability in one component impacts resources beyond that component's security scope. For example, a VM escape vulnerability has Changed scope because the vulnerability in the VM impacts the host. This increases the overall score.
In CVSS v3.1, the Privileges Required metric has different weights depending on whether Scope is Changed or Unchanged. This reflects that privilege escalation across scope boundaries is more impactful.
No. The CVSS Base Score measures theoretical severity in isolation. Effective prioritization also considers exploit availability, whether the vulnerability is being actively exploited, asset criticality, and compensating controls. CVSS is one input to risk-based prioritization, not the whole of it.
Confidentiality (C): data exposure risk. Integrity (I): data modification risk. Availability (A): service disruption risk. Each is rated None, Low, or High based on the impact if the vulnerability is exploited.
CVSS v4.0 adds more granular metrics including Attack Requirements, updated Scope handling via Vulnerable/Subsequent System impact, and Supplemental metrics. It aims to reduce scoring subjectivity and better reflect real-world risk.