How to Calculate a CVSS Score
CVSS scoring is one of those things most pentesters do by feel until they get challenged on a score by a client or QSA. Then they realize they have been guessing.
CVSS 3.1 is a formula. Once you understand the inputs, the score follows automatically. Here is how it works.
What CVSS Actually Measures
CVSS (Common Vulnerability Scoring System) measures the intrinsic characteristics of a vulnerability, not its risk in any specific environment. The base score is constant over time and across deployments and assumes the reasonable worst case: no compensating controls, and an attacker already in the position the Attack Vector metric describes.
That distinction matters because clients often push back on scores. “We have a WAF.” “That system is internal only.” Those are Environmental factors (the Modified Base metrics), just as exploit maturity or an available vendor patch are Temporal factors. Both adjust the base score into an environmental or temporal score; neither changes the base score. The base score measures the vulnerability, not your client's deployment.
The Base Score Metrics
Eight metrics determine the base score. Each has a fixed set of values.
Attack Vector (AV)
How is the vulnerability exploited? Network (exploitable remotely across a routed network, typically the internet), Adjacent (attacker must be on the same physical or logical network segment, such as the same subnet, Wi-Fi or Bluetooth range), Local (attacker needs local access, such as a shell or a user opening a malicious file), Physical (requires hands-on access to the hardware). Most web vulnerabilities are Network.
Attack Complexity (AC)
Low means the attack can be repeated reliably with no special conditions. High means success depends on conditions outside the attacker's control, such as winning a race condition or a non-default configuration being present.
Privileges Required (PR)
None means the attacker needs no privileges on the vulnerable component. Low means standard user privileges. High means administrative privileges are required to exploit. Low and High weigh more in the formula when Scope is Changed (0.68 instead of 0.62 for Low, 0.50 instead of 0.27 for High), so the same PR value contributes differently depending on Scope.
User Interaction (UI)
None means the attacker can exploit without any victim action. Required means a victim must perform an action like clicking a link.
Scope (S)
Unchanged means the vulnerability only impacts resources managed by the same security authority as the vulnerable component. Changed means exploiting it can affect resources beyond that authority, for instance code running in a victim's browser when the vulnerable component is a web application.
Confidentiality Impact (C)
None, Low, or High. High means total loss of confidentiality for the affected component.
Integrity Impact (I)
None, Low, or High. High means total loss of integrity.
Availability Impact (A)
None, Low, or High. High means total loss of availability.
Common Web Vulnerability Scores
To make this concrete, here is how common web findings typically score:
Stored XSS stealing session cookies
AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:L / A:N
Base score: 8.5 (PR:L weighs 0.68 because Scope is Changed; using the Unchanged weight of 0.62 by mistake gives 8.2 instead)
SQL injection with full database read
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Base score: 9.8
IDOR exposing other users' data
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
Base score: 6.5
Self-XSS requiring victim to paste code
AV:N / AC:H / PR:N / UI:R / S:C / C:L / I:L / A:N
Base score: 4.7
Where People Get It Wrong
Confusing Attack Complexity with difficulty to find. AC is about reliability of exploitation, not how hard it was to discover.
Setting Scope to Changed incorrectly. Changed means exploitation can affect resources beyond the vulnerable component's security authority. A bug in a shared library that only compromises the process loading it is Unchanged, because the library and that process run under the same authority. XSS is the classic Changed case: the vulnerable component is the web application, the impacted component is the victim's browser.
Overrating Integrity impact. Low integrity impact means the attacker can modify some data but has limited control over what, or the consequence is limited. High means a total loss of integrity: the attacker can modify any data on the component, or make a modification with direct, serious consequences. A note field that accepts JavaScript is not High integrity.
Ignoring User Interaction. A reflected XSS that requires a victim to click a crafted link is UI:Required, and that alone changes the score significantly compared to a stored XSS whose payload fires without any victim action. Be careful with the stored case: if the victim still has to load the page containing the payload, many scorers treat that as UI:Required too. Score UI:None only when exploitation genuinely needs no action from a victim.
CVSS in Your Reports
Every finding in a professional pentest report needs a CVSS 3.1 base score and the full vector string. Not just the number. The vector string lets clients and QSAs verify your scoring.
Score it consistently. If a client questions a rating, the vector string gives you a defensible, formula-based answer rather than a judgment call.
PentestReportAI calculates CVSS 3.1 scores automatically from your finding inputs and includes the vector string in the report output. It runs locally so your finding details stay on your machine.
Try it free