Calculate CVSS 4.0 and 3.1 base scores, severity ratings, and vectors locally in your browser.
None
CVSS 4.0
CVSS is owned by FIRST.Org, Inc. and used by permission. This calculator implements the Common Vulnerability Scoring System specification and is not the official FIRST calculator. See FIRST's CVSS 4.0 specification , CVSS 4.0 user guide , CVSS 3.1 specification , and CVSS 3.1 user guide .
The Common Vulnerability Scoring System (CVSS) is a standard framework for describing the technical severity of software, hardware, and firmware vulnerabilities. Security teams use CVSS vectors to communicate how a vulnerability can be exploited, what privileges are required, whether user interaction is needed, and what impact exploitation could have on confidentiality, integrity, and availability.
This CVSS calculator supports CVSS 4.0 and CVSS 3.1 base score calculations. CVSS 4.0 introduces updated metrics such as Attack Requirements and separate vulnerable-system and subsequent-system impact metrics. CVSS 3.1 remains widely used in vulnerability advisories, security reports, ticketing workflows, and vulnerability management platforms.
A CVSS score should not be treated as a complete risk decision by itself. Use the resulting score and vector as one input alongside exploit availability, internet exposure, asset criticality, compensating controls, customer impact, regulatory requirements, and your organization's risk tolerance.
Use CVSS 4.0 when you want the latest CVSS scoring model and a more expressive vulnerability vector. Use CVSS 3.1 when you need compatibility with existing advisories, scanners, security tools, or vulnerability management workflows that have not yet adopted CVSS 4.0.
This tool calculates scores locally in your browser and does not send vectors or metric selections to a server.
A CVSS vector is the compact text representation of the metric selections used to calculate a score. It lets teams share not only the final score, but also the assumptions behind that score.
CVSS 4.0 adds updated terminology and more expressive metrics, including Attack Requirements and separate vulnerable-system and subsequent-system impacts. CVSS 3.1 is still widely used by vulnerability scanners, advisories, and ticketing workflows.
No. CVSS describes technical severity. Business risk should also consider exposure, exploit availability, asset importance, compensating controls, regulatory obligations, and customer impact.
The base score measures intrinsic technical characteristics of a vulnerability, such as exploitability and impact. It does not change based on a specific organization's environment, asset value, or current threat activity.
CVSS captures technical severity, not your full operating context. Internet exposure, exploit maturity, customer impact, asset criticality, and compensating controls can make similarly scored vulnerabilities require different remediation priorities.