Use this professional CVSS v3.1 calculator to determine the severity of security vulnerabilities. This tool computes the Base Score based on exploitability and impact metrics, providing the official vector string for documentation.
A) What is a CVSS Calculator?
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. A CVSS calculator allows security researchers, software developers, and IT administrators to convert qualitative assessments of a bug into a quantitative numerical score ranging from 0.0 to 10.0.
This standardized system ensures that organizations can prioritize their patching efforts based on actual risk rather than subjective "high" or "low" labels that vary between vendors.
B) Formula and Explanation
The CVSS v3.1 Base Score is calculated using two primary sub-scores: Exploitability and Impact. The formula is complex and adjusts based on the "Scope" metric.
- Exploitability: Measures the ease of exploiting the vulnerability (AV, AC, PR, UI).
- Impact: Measures the consequences of a successful exploit (C, I, A).
- Scope: Determines if a vulnerability in one component affects resources in another.
If Scope is Unchanged, the Base Score is Roundup(Minimum[(Impact + Exploitability), 10]). If Scope is Changed, the Impact sub-score is computed with a steeper function and the combined (Impact + Exploitability) value is multiplied by a higher factor before rounding, reflecting the increased risk to the wider environment.
C) Practical Examples
| Scenario | Vector String | Score | Severity |
|---|---|---|---|
| Remote SQL Injection | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 | Critical |
| Local Privilege Escalation | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.8 | High |
| CSRF with User Interaction | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 | Medium |
D) How to Use Step-by-Step
- Select Attack Vector: Determine if the attack is remote (Network) or requires physical access.
- Assess Complexity: Is the attack repeatable every time (Low), or does it require specific timing/conditions (High)?
- Define Privileges: Does the attacker need to be logged in as an admin, a standard user, or no one?
- Check User Interaction: Does the victim need to click a link or perform an action?
- Determine Scope: Does the exploit break out of a sandbox (Changed) or stay within the application (Unchanged)?
- Rate Impact: Assign None, Low, or High impact for Confidentiality, Integrity, and Availability.
- Review Result: The calculator automatically generates the score and severity level.
E) Key Factors in CVSS Scoring
The most significant factor in modern scoring is often Scope (S). When Scope changes (e.g., a virtual machine escape), the potential impact on the entire infrastructure increases significantly. Attack Vector (AV) also carries heavy weight: all else being equal, a vulnerability exploitable over the public internet (Network) scores higher than one requiring physical access.
F) Frequently Asked Questions (FAQ)
1. What is the latest version of CVSS?
While v4.0 was recently released, v3.1 remains the industry standard for most current CVEs.
2. What is a "Critical" score?
Any score between 9.0 and 10.0 is considered Critical.
3. Does CVSS measure risk?
CVSS measures severity. Risk also depends on the environment and the value of the asset being protected.
4. What is the Vector String?
It is a compressed textual representation of the metrics used to calculate the score (e.g., AV:N/AC:L...).
5. Why did my score go down when I changed Scope to 'Changed'?
Actually, changing Scope to 'Changed' usually increases the score because it implies the vulnerability affects other systems.
6. Can a score be 0?
Yes. If there is no impact on Confidentiality, Integrity, or Availability (all three rated None), the Impact sub-score is zero and the Base Score is 0.0 (None), regardless of the exploitability metrics.
7. Who maintains the CVSS standard?
FIRST (Forum of Incident Response and Security Teams).
8. Is CVSS only for software?
While designed for software, it is often applied to hardware and firmware vulnerabilities as well.
G) Related Security Tools
- EPSS Predictor Tool - Estimates the probability of exploitation.
- NIST NVD Database - The primary repository for CVE scores.
- OWASP Risk Rating Methodology - An alternative scoring system for web applications.
- DREAD Score Calculator - A legacy risk assessment framework.