GUIDE

CVSS 3.1 Scoring Explained for Pentesters

The Common Vulnerability Scoring System (CVSS) is the industry standard for rating vulnerability severity in penetration testing reports. This guide breaks down every metric, teaches you how to calculate accurate scores, and shows common pitfalls to avoid.

1. What is CVSS 3.1?

CVSS (Common Vulnerability Scoring System) version 3.1 is a free, open framework maintained by FIRST.org for communicating the severity of software vulnerabilities. It provides a standardized way to capture the principal characteristics of a vulnerability and produce a numerical score (0.0 to 10.0) reflecting its severity.

Every professional penetration testing report uses CVSS scores to objectively classify findings. It eliminates subjective severity assignments like "this feels critical" and replaces them with reproducible, metric-based ratings that any security professional can verify.

CVSS 3.1 consists of three metric groups: Base (intrinsic vulnerability characteristics), Temporal (characteristics that change over time), and Environmental (characteristics specific to the user's environment). For pentest reports, the Base score is almost always what you report.

2. Severity Levels and Score Ranges

CVSS 3.1 maps numerical scores to qualitative severity levels:

Critical: 9.0 - 10.0

Exploitation is straightforward and leads to full system compromise. Requires immediate remediation. Examples: unauthenticated RCE, SQL injection extracting all user data.

High: 7.0 - 8.9

Significant impact but may require specific conditions. Requires urgent remediation. Examples: authenticated RCE, privilege escalation to admin.

Medium: 4.0 - 6.9

Moderate impact, often requiring user interaction or specific configurations. Should be remediated in the next development cycle. Examples: stored XSS, CSRF on non-critical functions.

Low: 0.1 - 3.9

Limited impact, difficult to exploit. Should be tracked and fixed as resources allow. Examples: information disclosure of non-sensitive data, missing security headers.

None: 0.0

Informational finding with no direct security impact. Track as a best practice recommendation.

3. Base Metrics Explained

The CVSS 3.1 Base score is calculated from 8 metrics split into two groups:

Exploitability Metrics

Attack Vector (AV)

How the attacker reaches the vulnerable component.

Network (N): Exploitable remotely over the network (most common for web apps)
Adjacent (A): Requires same network segment (e.g., Wi-Fi, Bluetooth)
Local (L): Requires local access to the system
Physical (P): Requires physical access to the device

Attack Complexity (AC)

Conditions beyond the attacker's control that must exist.

Low (L): No special conditions needed — attack works reliably
High (H): Requires specific configuration, timing, or conditions

Privileges Required (PR)

Level of authentication needed before exploitation.

None (N): No authentication needed (unauthenticated attack)
Low (L): Basic user-level authentication required
High (H): Admin or privileged access required

User Interaction (UI)

Whether a user must take action for the attack to succeed.

None (N): No user interaction needed
Required (R): A user must click a link, open a file, etc.

Impact Metrics

Confidentiality Impact (C)

Impact on data confidentiality.

High (H): Total loss — all data disclosed (e.g., SQL injection dumping user table)
Low (L): Limited disclosure — some restricted data exposed
None (N): No confidentiality impact

Integrity Impact (I)

Impact on data integrity.

High (H): Total compromise — attacker can modify any data
Low (L): Limited modification — some data can be changed
None (N): No integrity impact

Availability Impact (A)

Impact on system availability.

High (H): Total denial of service — system completely unavailable
Low (L): Reduced performance or intermittent availability
None (N): No availability impact

There's also a Scope (S) metric: Unchanged (U) if the vulnerability only affects the component it's in, or Changed (C) if it can affect resources beyond its security scope (e.g., a VM escape affecting the host).

4. Understanding the Vector String

The CVSS vector string is a compact text representation of all metric values. It follows this format:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AV:N = Attack Vector: Network

AC:L = Attack Complexity: Low

PR:N = Privileges Required: None

UI:N = User Interaction: None

S:U = Scope: Unchanged

C:H = Confidentiality: High

I:H = Integrity: High

A:H = Availability: High

Score: 9.8 (Critical)

This vector represents the worst case: a remotely exploitable vulnerability requiring no authentication or user interaction, with full impact on confidentiality, integrity, and availability. This is typical for unauthenticated remote code execution (RCE) vulnerabilities.

5. Real-World Scoring Examples

Unauthenticated SQL Injection in Login Form

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Score: 9.1 (Critical)

Network-accessible, no auth needed, no user interaction, full data access and modification possible.

Stored XSS in User Profile Bio

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Score: 5.4 (Medium)

Requires low-privilege account to inject, victim must visit the page. Scope changed because it affects other users' browsers.

IDOR Accessing Other Users' Invoices

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Score: 6.5 (Medium)

Requires authentication, no user interaction, but only impacts confidentiality (read-only access).

Missing X-Frame-Options Header

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Score: 3.1 (Low)

Clickjacking requires high complexity (specific page must be frameable + social engineering), user interaction, low integrity impact.

6. Common Scoring Mistakes

Inflating scores to make findings look worse — use the metrics honestly
Confusing Attack Complexity with exploitation difficulty — AC is about conditions, not skill
Always setting Scope to Unchanged — consider if the vulnerability crosses trust boundaries
Mixing up Privileges Required with authentication — PR:L means any authenticated user, not admin
Ignoring User Interaction — if the user must click something, set UI:R
Setting all Impact metrics to High by default — consider actual data exposure
Not including the vector string — always show your work, not just the final score

7. Automating CVSS Scoring with AI

Manually calculating CVSS scores for every finding is tedious and inconsistent. PentestReportAI uses AI to automatically analyze each vulnerability's context and assign accurate CVSS 3.1 vectors and scores, complete with severity classification.

AI reads your raw finding description and evidence
Automatically determines each CVSS metric based on vulnerability context
Generates the full CVSS:3.1 vector string
Calculates the numerical score and assigns severity (Critical/High/Medium/Low)
Built-in CVSS calculator for manual adjustments if needed

Stop Guessing CVSS Scores

Let AI calculate accurate CVSS 3.1 scores for your pentest findings automatically.