CVSS v3.1 is the standard the National Vulnerability Database and most security teams use to rate how dangerous a vulnerability is. This calculator implements the complete official base-score formula locally, so you can triage a CVE, double-check a vendor’s rating, or build a vector string without opening an online calculator.
How it works
The base score is built from two sub-scores. The Impact Sub-Score (ISS) combines the three impact metrics:
ISS = 1 - (1 - C) * (1 - I) * (1 - A)
The Impact value then depends on Scope:
Scope Unchanged: Impact = 6.42 * ISS
Scope Changed: Impact = 7.52 * (ISS - 0.029) - 3.25 * (ISS - 0.02)^15
Exploitability uses the four exploitability metrics:
Exploitability = 8.22 * AV * AC * PR * UI
Finally the base score is:
If Impact <= 0: BaseScore = 0
Scope Unchanged: BaseScore = Roundup(min(Impact + Exploitability, 10))
Scope Changed: BaseScore = Roundup(min(1.08 * (Impact + Exploitability), 10))
The Roundup function returns the smallest one-decimal number greater than or equal to the input,
which is why scores sometimes look slightly higher than a naive round. Privileges Required uses a
higher weight when Scope is Changed.
Worked example
A classic unauthenticated remote code execution: AV:N (Network), AC:L, PR:N, UI:N,
S:U, and C:H/I:H/A:H yields a base score of 9.8 (Critical) — the vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. A reflected XSS that needs a victim click and crosses
a trust boundary (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) scores 6.1 (Medium).
Notes and tips
- Base score is intentionally context-free. A 9.8 on an internet-facing server is far more urgent than the same 9.8 on an isolated lab box — layer Environmental metrics or your own risk model on top for real prioritisation.
- The vector string is the portable record. Store it alongside the CVE so anyone can re-derive the score and audit the metric choices.
- Disagreements with a vendor’s score almost always come down to Scope or Privileges Required — re-read those two definitions before escalating.