CVSS Calculator
Build, score and share a CVSS vector — v2 through v4.0, computed in your browser.
Score for your environment
The base score is severity in a vacuum. Pick the asset context and see how the score changes for you — then export the justification.
Switch to CVSS v3.0, v3.1 or v4.0 to score for an environment.
See this score in the wild
Find CVEs with a profile similar to this vector.
Threat context — EPSS & KEV
A severity number is only half the story. Look up a real CVE to see its exploitation likelihood (EPSS) and whether it is on CISA's Known Exploited Vulnerabilities list.
Only the CVE ID is sent to look this up — your vector stays in your browser.
Advanced tools
Compare two vectors side by side (e.g. a vendor score vs NVD), or translate one between CVSS v3.1 and v4.0. Translation follows the FIRST bridge rules and flags every metric that needs a human decision.
What is CVSS?
The Common Vulnerability Scoring System (CVSS) is an open, vendor-neutral standard for rating the severity of software vulnerabilities on a 0.0–10.0 scale. A vulnerability is described by a vector of metrics — how it is exploited and what it impacts — which a formula turns into a numeric score and a qualitative rating. It is maintained by FIRST and is the scoring system used by the NVD and most vulnerability databases.
Severity ratings
| Rating | CVSS v3.x / v4.0 | CVSS v2.0 |
|---|---|---|
| Critical | 9.0 – 10.0 | — |
| High | 7.0 – 8.9 | 7.0 – 10.0 |
| Medium | 4.0 – 6.9 | 4.0 – 6.9 |
| Low | 0.1 – 3.9 | 0.0 – 3.9 |
| None | 0.0 | — |
CVSS versions
Three severity bands, no Scope or User Interaction. Still seen on older CVEs.
Adds Scope, Privileges Required, User Interaction and five severity bands.
Clarifies v3.0 — fixes rounding and the environmental impact formula.
Splits vulnerable vs subsequent system impact, adds Attack Requirements and the Threat group.