Vulnerability Risk Score Calculator (CVSS-based)
Calculate the CVSS v3.1 Base Score for a vulnerability by selecting the appropriate metric values. The score ranges from 0.0 (None) to 10.0 (Critical) and reflects the intrinsic characteristics of a vulnerability.
Impact Metrics
Formula — CVSS v3.1 Base Score
Step 1 — Exploitability:
Exploitability = 8.22 × AV × AC × PR × UI
Step 2 — Impact Sub-Score Base:
ISCBase = 1 − (1 − C) × (1 − I) × (1 − A)
Step 3 — Impact Sub-Score (ISC):
If Scope = Unchanged: ISC = 6.42 × ISCBase
If Scope = Changed: ISC = 7.52 × (ISCBase − 0.029) − 3.25 × (ISCBase − 0.02)¹⁵
Step 4 — Base Score:
If ISC ≤ 0: Base Score = 0.0
If Scope = Unchanged: Base Score = Roundup(min(ISC + Exploitability, 10))
If Scope = Changed: Base Score = Roundup(min(1.08 × (ISC + Exploitability), 10))
Roundup rounds up to the nearest 0.1 (ceiling at one decimal place).
Severity Ratings: None (0.0) | Low (0.1–3.9) | Medium (4.0–6.9) | High (7.0–8.9) | Critical (9.0–10.0)
Privileges Required (PR) — Scope-adjusted values:
None: 0.85 (any scope) | Low: 0.62 (Unchanged), 0.50 (Changed) | High: 0.27 (Unchanged), 0.50 (Changed)
Assumptions & References
- Implements CVSS v3.1 Base Score specification exactly as published by FIRST.
- Only Base Score metrics are included; Temporal and Environmental metrics are out of scope.
- The Roundup function uses ceiling to one decimal place per the CVSS v3.1 specification.
- PR values are scope-adjusted: when Scope = Changed, Low and High PR values increase to 0.50.
- If all impact metrics are None (ISCBase = 0), the Base Score is 0.0 regardless of exploitability.
- Reference: CVSS v3.1 Specification Document, FIRST.Org, Inc. (https://www.first.org/cvss/v3.1/specification-document)
- Reference: NVD CVSS Calculator — National Vulnerability Database (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
- This calculator does not store or transmit any data; all computation is performed client-side.