CVSS 3.1 Calculator

Base and temporal scoring to the exact FIRST v3.1 specification — vector string in, vector string out.

Runs entirely in your browser — nothing is transmitted anywhere.

Base metrics

Temporal metrics (optional)

select all base metrics

How it works

The eight base metrics feed the FIRST v3.1 formulas exactly as published: impact and exploitability sub-scores, the scope-changed adjustments, and the spec's own round-up function (the source of those familiar one-decimal scores). Temporal metrics — exploit maturity, remediation level, report confidence — can only hold or lower the base score. Severity bands follow the spec: 0 None · 0.1–3.9 Low · 4.0–6.9 Medium · 7.0–8.9 High · 9.0–10.0 Critical. Formula detail on the methodology page.

FAQ

Why does my score differ from NVD's for the same CVE?

The formula is deterministic, but the metric choices are analyst judgment — NVD may assess attack vector, privileges, or impact differently than you or the vendor. If your inputs match, the score will match; this calculator implements the FIRST v3.1 specification exactly.

What's the difference between base and temporal scores?

Base reflects the vulnerability's intrinsic severity and doesn't change over time. Temporal adjusts it downward for current reality: is there a working exploit, an official fix, confirmed details? Temporal can only lower or equal the base score, never raise it.

Should I prioritize patching purely by CVSS score?

No — CVSS measures severity, not exploitation likelihood. A 7.8 that's in CISA's KEV catalog (actively exploited) usually deserves attention before a 9.8 that isn't. Use CVSS as one input alongside exploitation evidence and asset exposure.