CVSS 3.1 Calculator
Pick the eight CVSS v3.1 base metrics for a vulnerability and get the base score, severity rating and vector string instantly. The math follows the official FIRST.org specification, including the exact roundup rule.
How to calculate a CVSS score
- Choose a value for each exploitability metric and for Scope: Attack Vector, Attack Complexity, Privileges Required, User Interaction and Scope.
- Set the Confidentiality, Integrity and Availability impact for the affected component.
- Read off the base score, severity band and the vector string, then copy the vector to your report.
Examples
Critical remote vulnerability
AV:N AC:L PR:N UI:N S:U C:H I:H A:H
9.8 (Critical), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Log4Shell (CVE-2021-44228), scope changed
AV:N AC:L PR:N UI:N S:C C:H I:H A:H
10.0 (Critical)
Frequently asked questions
Which CVSS version does this use?
CVSS version 3.1, the current FIRST.org standard. The base-score formula and the roundup function match the specification exactly, so results agree with the official NVD calculator.
What is the difference between Scope Unchanged and Changed?
Scope changes when an exploited component can affect resources beyond its own security authority, for example escaping a sandbox. A changed scope raises both the impact and the privileges-required weighting, so it usually increases the score.
How do scores map to severity ratings?
0.0 is None, 0.1 to 3.9 is Low, 4.0 to 6.9 is Medium, 7.0 to 8.9 is High and 9.0 to 10.0 is Critical.
Does this include temporal or environmental metrics?
No. This calculates the base score only, which is what most advisories and CVE records publish. Temporal and environmental metrics adjust the base score for a specific time and environment.
Is my vector data sent anywhere?
No. The calculation runs entirely in your browser. Nothing about the vulnerability you are scoring is uploaded or stored.