Base Metrics (v3.1)
- Attack Vector (AV)
- Attack Complexity (AC)
- Privileges Required (PR)
- User Interaction (UI)
- Scope (S)
- Confidentiality (C)
- Integrity (I)
- Availability (A)
Temporal & Environmental (advanced)
Base Metrics (v4.0)
- Attack Vector (AV)
- Attack Complexity (AC)
- Attack Requirements (AT)
- Privileges Required (PR)
- User Interaction (UI)
- Vulnerable System Impact: VC (Confidentiality), VI (Integrity), VA (Availability)
- Subsequent System Impact: SC (Confidentiality), SI (Integrity), SA (Availability)
Vector String Parser
Paste a CVSS vector string — v3.1 or v4.0 — and we'll break it into plain English plus the score it computes.
Exam Practice Mode (CISSP · CEH · Security+ · CRTP scoring drill)
A real cybersecurity engineer doesn't memorize the formula — she reads a scenario, picks the metrics, and lands within ±1.0 of the official score. Try these. Each scenario is from a real CVE.
Quick Reference Cheatsheet
Severity bands (same in 3.1 & 4.0)
| Severity | Score range |
|---|---|
| None | 0.0 |
| Low | 0.1 – 3.9 |
| Medium | 4.0 – 6.9 |
| High | 7.0 – 8.9 |
| Critical | 9.0 – 10.0 |
v3.1 → v4.0 — what changed
- New metric AT (Attack Requirements) replaces a lot of the "Scope" hand-waving.
- UI is now N/P/A (None / Passive / Active) — Passive ≈ "user just opens a page", Active ≈ "user must click + drag" type interaction.
- Impact split into Vulnerable System (VC/VI/VA) + Subsequent System (SC/SI/SA). Old "Scope" gone.
- Exploit Maturity (E) is now a Threat metric rather than a Temporal one, and the score is labelled by the metric groups it includes: CVSS-B (base), CVSS-BT (base + threat), CVSS-BTE (base + threat + environmental).
- Lookup table, not a formula — score comes from a 270-entry MacroVector table maintained by FIRST.org.
Vector prefix to use
| String starts with | Means |
|---|---|
| CVSS:3.1/ | v3.1 base+temporal+env |
| CVSS:4.0/ | v4.0 base only |
| CVSS:4.0/.../E:X | v4.0 with Threat (BT) |
| CVSS:4.0/.../E:X/MAV:.../... | v4.0 with Env (BTE) |
Worked example — Log4Shell (CVE-2021-44228)
v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Score: 10.0 / Critical. Network reachable, no privileges, no user click, scope changed (RCE on JVM crosses sandbox), full CIA loss on the host.
SOC-analyst rules of thumb
- If AV ≠ N (Network), the score caps below ~8.0 unless impact is total.
- UI:R alone usually drops the score by ~1.0 — that's why phishing-required RCEs land in High, not Critical.
- Scope: Changed is the single biggest score bump in 3.1. VM escape, sandbox break, IAM-trust pivots = Changed.
- Apply Environmental metrics BEFORE you triage — a 9.8 on an isolated dev VM rarely warrants Sev-1.
What CVSS is not
- Not a risk score. Risk = score × asset value × likelihood × controls.
- Not a patch-priority. Use EPSS + KEV + exposure window alongside.
- Not a contract-required SLA driver until you say so in writing.