
CVSS v3.1 Calculator

Eight base metrics in, base score plus canonical vector string out. Implementation follows the FIRST.org v3.1 specification including the Privileges-Required-by-Scope weighting and CVSS-specific rounding.

Adjust the eight base metrics — the score, severity and vector update live.

Base Score
9.8 Critical
Impact = 5.9 · Exploitability = 3.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
What a Critical base score means

Treat as an emergency change. Patch or apply a compensating control within 24–48h, hunt for active exploitation, and notify asset owners. Likely a candidate for CISA KEV review.

Base score is intrinsic and does not change once published. Apply temporal (exploit maturity, remediation level) and environmental (your asset exposure, data sensitivity) metrics to get the score that should actually drive your remediation priority.

FAQ

Why CVSS v3.1 and not v4.0?

CVSS v4.0 (released November 2023) is the current published version, but v3.1 remains overwhelmingly dominant in production tooling — NVD entries, vendor advisories, EPSS scoring, and almost every SIEM/EDR ruleset still consume v3.1 vectors. Most CISA KEV entries cite v3.1. We will add a v4.0 toggle as adoption grows, but for now most teams need to emit v3.1 to be compatible with their scanner pipeline and ticketing automation.

How is the base score computed?

The implementation follows the FIRST.org specification document, section 7.1. Impact Sub-Score (ISS) = 1 - ((1-C) * (1-I) * (1-A)). Impact is then 6.42 * ISS for Unchanged scope, or 7.52 * (ISS - 0.029) - 3.25 * (ISS - 0.02)^15 for Changed scope. Exploitability = 8.22 * AV * AC * PR * UI. Base = roundUp(min(Impact + Exploitability, 10)) for Unchanged scope, or roundUp(min(1.08 * (Impact + Exploitability), 10)) for Changed. The PR weight depends on the Scope value, per spec section 7.4.

Why does Privileges Required change weight when Scope changes?

Section 7.4 of the v3.1 specification penalises high-privilege requirements more harshly when scope is Unchanged (the attacker's compromise stays within the original security authority) and less harshly when scope is Changed (because the attacker is breaking out into a wider blast radius — privilege within the original authority matters less to the new victim). The numeric weights are: Unchanged PR weights N=0.85, L=0.62, H=0.27; Changed PR weights N=0.85, L=0.68, H=0.50. This calculator updates automatically when you toggle Scope.

What's the difference between base score and the temporal/environmental scores?

Base score is intrinsic to the vulnerability — it does not change once published. Temporal score adjusts for exploit-code maturity, remediation level and report confidence (these change over the lifetime of the CVE). Environmental score adjusts for asset-specific impact (a Critical bug in a non-internet-exposed dev system is not actually critical to you). This tool computes base only, which is what NVD publishes and what auditors expect to see in your report. For temporal and environmental adjustment, FIRST.org has the full calculator at first.org/cvss/calculator/3.1.

Is the rounding identical to the official calculator?

Yes. CVSS specifies its own rounding function, roundUp1 — it is not standard banker's rounding. The spec defines: convert to a 5-decimal integer (input * 100000), if the trailing four digits are zero return as-is, otherwise floor-divide by 10000, increment, divide by 10. This avoids floating-point drift and produces deterministic, identical output across calculators. We implement that exact algorithm.