Simplicalcs

    CVSS calculator

    Attack Vector
    How far away can an attacker be to exploit this? Network = remotely over the internet. Adjacent = must be on the same network. Local = must be logged in. Physical = must physically touch the device.
    Attack Complexity
    Are there special conditions required? Low = anyone can exploit it reliably. High = requires specific configuration, race condition, or additional preparation.
    Privileges Required
    Does the attacker need an account first? None = no account needed. Low = needs a basic user account. High = needs admin or root.
    User Interaction
    Does someone have to click a link or open a file for the attack to work? None = attacker acts alone. Required = needs a victim to take an action.
    Scope
    Does exploiting this vulnerability let the attacker affect other systems or components? Unchanged = impact stays within the vulnerable component. Changed = the attacker can affect something beyond it, like escaping a sandbox.

    Confidentiality Impact
    Can an attacker read data they shouldn't? None = no data exposed. Low = some data exposed, limited impact. High = all or critical data can be read.
    Integrity Impact
    Can an attacker modify data? None = no modification possible. Low = some modification, limited impact. High = critical data can be changed or deleted.
    Availability Impact
    Can an attacker take the system down or make it unusable? None = no availability impact. Low = reduced performance. High = complete loss of availability.

    Select all metrics above to calculate your score.

    The Common Vulnerability Scoring System (CVSS) is the industry standard for communicating the severity of a security vulnerability; you'll see CVSS scores on CVE advisories, scanner reports, and patch notes everywhere. The Base Score here covers the intrinsic properties of a vulnerability: how it can be exploited and what the impact would be. The vector string it generates can be pasted directly into a vulnerability report, a ticket, or a risk register. Temporal and Environmental modifiers are not included; this tool scores the intrinsic severity of the vulnerability itself.