CVSS Calculator

CVSS (the Common Vulnerability Scoring System, FIRST.org) is the industry-standard 0–10 severity score attached to almost every CVE and pentest finding. This calculator supports both CVSS 3.1 (still the most widely deployed) and CVSS 4.0 (released 2023). Pick metrics or paste an existing vector — the score, severity band, and component sub-scores update live.

The math runs entirely in your browser — same scoring engine Vulnsy uses inside customer pentest reports, so the score you see here is the score you'd get in a production deliverable.

Base metrics

Attack Vector (AV): How the attacker reaches the vulnerability.

Attack Complexity (AC): Conditions outside the attacker's control.

Privileges Required (PR): Privileges the attacker needs before exploiting.

User Interaction (UI): Whether a user must take an action.

Scope (S): Whether the vuln impacts components beyond its security scope.
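How a pasted CVSS 3.1 vector becomes a base score and severity band, using the metric weights and equations published in the FIRST.org CVSS 3.1 specification. This is an added example, not Vulnsy's scoring engine; the names `baseScore`, `severity` and `roundUp` are assumptions, and temporal and environmental metrics are ignored.

```javascript
// Added example: CVSS 3.1 base score from a vector string (weights per the FIRST.org spec).
const WEIGHTS = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  UI: { N: 0.85, R: 0.62 },
  C: { H: 0.56, L: 0.22, N: 0 },
  I: { H: 0.56, L: 0.22, N: 0 },
  A: { H: 0.56, L: 0.22, N: 0 },
};
// Privileges Required is weighted higher when Scope is Changed.
const PR = { U: { N: 0.85, L: 0.62, H: 0.27 }, C: { N: 0.85, L: 0.68, H: 0.5 } };

// Spec-defined round-up to one decimal place, done on integers to avoid float drift.
function roundUp(x) {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}

function baseScore(vector) {
  const [prefix, ...parts] = vector.trim().split("/");
  if (prefix !== "CVSS:3.1") throw new Error("expected a CVSS:3.1 vector");
  const m = new Map(parts.map((p) => p.split(":")));
  if (m.size !== parts.length) throw new Error("duplicate metric");
  const scope = m.get("S");
  if (scope !== "U" && scope !== "C") throw new Error("missing or invalid S");
  // Look up a metric's weight; rejects absent metrics and unknown values.
  const w = (key, table = WEIGHTS[key]) => {
    const value = table[m.get(key)];
    if (typeof value !== "number") throw new Error(`missing or invalid ${key}`);
    return value;
  };
  const iss = 1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A"));
  const impact = scope === "U"
    ? 6.42 * iss
    : 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15);
  const exploitability = 8.22 * w("AV") * w("AC") * w("PR", PR[scope]) * w("UI");
  if (impact <= 0) return 0; // no C/I/A impact scores 0.0 regardless of reachability
  const raw = scope === "U" ? impact + exploitability : 1.08 * (impact + exploitability);
  return roundUp(Math.min(raw, 10));
}

function severity(score) {
  if (score === 0) return "None";
  if (score < 4) return "Low";
  if (score < 7) return "Medium";
  if (score < 9) return "High";
  return "Critical";
}
```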

When to use 3.1 vs 4.0

CVSS 3.1 — default for now

Almost every CVE published before 2024 (and most after) carries a 3.1 score. Match it when you're scoring against existing advisories or your customer's vulnerability-management workflow expects 3.1.

CVSS 4.0 — newer advisories

Released November 2023. Adds Attack Requirements, splits impact into Vulnerable vs Subsequent system, and replaces Temporal with Threat (Exploit Maturity). Increasingly used by NIST, vendors, and bug-bounty programs.

Score both when reporting

In a pentest report, providing both versions lets the customer match whichever their VM tool ingests. Vulnsy stores both per-finding for exactly this reason.