What are the CVSS v3.1 severity ranges?

None is exactly 0.0, Low is 0.1 to 3.9, Medium is 4.0 to 6.9, High is 7.0 to 8.9 and Critical is 9.0 to 10.0. These qualitative bands let teams prioritise without reading the raw score.

How is a CVSS base score calculated?

It combines an Exploitability sub-score (Attack Vector, Attack Complexity, Privileges Required, User Interaction) with an Impact sub-score (Confidentiality, Integrity, Availability), adjusted by Scope. The result is rounded up to one decimal place.

What does Scope mean in CVSS?

Scope captures whether a vulnerability in one component can affect resources beyond its security authority. A Changed scope (for example, a sandbox escape) generally raises the score because the impact spills over to other components.

Are Temporal and Environmental metrics included here?

This reference focuses on the Base metrics and severity bands. Temporal metrics adjust for exploit maturity and available fixes, and Environmental metrics tailor the score to your deployment; both can only lower or refine the Base score.

Does this tool compute a vector string?

No. It maps a numeric base score to its rating band. To build a full vector and compute a score from individual metrics, use the official FIRST.org CVSS calculator.

CVSS Score Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Reading CVSS severity at a glance

CVSS (Common Vulnerability Scoring System) v3.1 produces a numeric base score from 0.0 to 10.0 that captures the intrinsic severity of a vulnerability. To make prioritisation easy, scores map to five qualitative ratings. This reference lists those bands and the eight base metrics, and includes a classifier that returns the rating for any score you enter.

How it works

The base score is computed from two sub-scores. Exploitability is built from Attack Vector, Attack Complexity, Privileges Required and User Interaction; Impact is built from Confidentiality, Integrity and Availability. The Scope metric decides how those combine. The final value is rounded up to one decimal place, then placed in a band:

0.0        None
0.1 – 3.9  Low
4.0 – 6.9  Medium
7.0 – 8.9  High
9.0 – 10.0 Critical

Because rounding is always upward, a raw value such as 8.81 becomes 8.9 and stays High, while 8.91 becomes 9.0 and crosses into Critical.

Tips and notes

A score of exactly 0.0 is the only value rated None — it is informational.
Critical (9.0+) findings usually warrant emergency patching outside normal cycles.
The Base score is constant; Temporal and Environmental metrics refine it per context.
Build full vector strings with the official FIRST.org CVSS v3.1 calculator.