CVE Tools

CVSS Calculator

Build, score and share a CVSS vector — v2 through v4.0, computed in your browser.

Client-side: your vector never leaves this page.

A CVSS score measures severity, not risk.
Base
Attack Vector (AV)
Attack Complexity (AC)
Privileges Required (PR)
User Interaction (UI)
Scope (S)
Confidentiality (C)
Integrity (I)
Availability (A)

Score for your environment

The base score is severity in a vacuum. Pick the asset context and see how the score changes for you — then export the justification.

Pick a context above (or create one) to reveal the base vs environmental comparison.

Profiles live only in this browser. Applying one sets standard environmental metrics on the vector (safe to share) — the profile's name never leaves this device.

6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

See this score in the wild

Find CVEs with a profile similar to this vector.


Threat context — EPSS & KEV

A severity number is only half the story. Look up a real CVE to see its exploitation likelihood (EPSS) and whether it is on CISA's Known Exploited Vulnerabilities list.

Only the CVE ID is sent to look this up — your vector stays in your browser.

Advanced tools

Compare two vectors side by side (e.g. a vendor score vs NVD), or translate one between CVSS v3.1 and v4.0. Translation follows the FIRST bridge rules and flags every metric that needs a human decision.


What is CVSS?

The Common Vulnerability Scoring System (CVSS) is an open, vendor-neutral standard for rating the severity of software vulnerabilities on a 0.0–10.0 scale. A vulnerability is described by a vector of metrics — how it is exploited and what it impacts — which a formula turns into a numeric score and a qualitative rating. It is maintained by FIRST and is the scoring system used by the NVD and most vulnerability databases.

Severity ratings

| Rating | CVSS v3.x / v4.0 | CVSS v2.0 |
| --- | --- | --- |
| Critical | 9.0 – 10.0 | |
| High | 7.0 – 8.9 | 7.0 – 10.0 |
| Medium | 4.0 – 6.9 | 4.0 – 6.9 |
| Low | 0.1 – 3.9 | 0.0 – 3.9 |
| None | 0.0 | |

CVSS versions

v2.0 (2007)

Three severity bands, no Scope or User Interaction. Still seen on older CVEs.

v3.0 (2015)

Adds Scope, Privileges Required, User Interaction and five severity bands.

v3.1 (2019)

Clarifies v3.0 — fixes rounding and the environmental impact formula.

v4.0 (2023)

Splits vulnerable vs subsequent system impact, adds Attack Requirements and the Threat group.

Frequently asked questions