CVE Tools

CVSS Calculator

Build, score and share a CVSS vector — v2 through v4.0, computed in your browser.

Examples:
Client-side — your vector never leaves this page A CVSS score measures severity, not risk.
Base
Access VectorAV
Access ComplexityAC
AuthenticationAu
Confidentiality ImpactC
Integrity ImpactI
Availability ImpactA

Score for your environment

The base score is severity in a vacuum. Pick the asset context and see how the score changes for you — then export the justification.

Switch to CVSS v3.0, v3.1 or v4.0 to score for an environment.

0.0
Low
CVSS:2.0
AV:LAC:LPR:NUI:RS:UC:LI:NA:N

See this score in the wild

Find CVEs with a profile similar to this vector.

Find similar CVEs →

Threat context — EPSS & KEV

A severity number is only half the story. Look up a real CVE to see its exploitation likelihood (EPSS) and whether it is on CISA's Known Exploited Vulnerabilities list.

Only the CVE ID is sent to look this up — your vector stays in your browser.

Advanced tools

Compare two vectors side by side (e.g. a vendor score vs NVD), or translate one between CVSS v3.1 and v4.0. Translation follows the FIRST bridge rules and flags every metric that needs a human decision.

A0.0
B

What is CVSS?

The Common Vulnerability Scoring System (CVSS) is an open, vendor-neutral standard for rating the severity of software vulnerabilities on a 0.0–10.0 scale. A vulnerability is described by a vector of metrics — how it is exploited and what it impacts — which a formula turns into a numeric score and a qualitative rating. It is maintained by FIRST and is the scoring system used by the NVD and most vulnerability databases.

Severity ratings

RatingCVSS v3.x / v4.0CVSS v2.0
Critical9.0 – 10.0
High7.0 – 8.97.0 – 10.0
Medium4.0 – 6.94.0 – 6.9
Low0.1 – 3.90.0 – 3.9
None0.0

CVSS versions

v2.02007

Three severity bands, no Scope or User Interaction. Still seen on older CVEs.

v3.02015

Adds Scope, Privileges Required, User Interaction and five severity bands.

v3.12019

Clarifies v3.0 — fixes rounding and the environmental impact formula.

v4.02023

Splits vulnerable vs subsequent system impact, adds Attack Requirements and the Threat group.

Frequently asked questions