# CVSS vector decoder

> Paste a CVSS v3.1 or v3.0 vector and get the score computed and mapped to a severity, with every metric spelled out. Local and offline; nothing is sent anywhere.

- Tool: https://ronutz.com/en/tools/cvss-vector-decoder
- Family: Security & WAF

---

## What it does

Paste a CVSS v3.1 or v3.0 vector string and the tool computes the score, maps it to a severity band, and spells out what every metric means. It computes the Base score, and the Temporal and Environmental scores too when those metrics are present in the vector. It is pure math and runs offline; nothing is sent anywhere.

## What CVSS is

CVSS, the Common Vulnerability Scoring System from FIRST.org, is the standard way to express how severe a vulnerability is as a single number from 0.0 to 10.0. That number is not assigned by hand; it is computed from a vector string, a compact list of metrics like `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, where each field is one characteristic of the vulnerability. The tool reverses that string back into plain language and runs the official formula on it.

## The Base metrics

The Base score, the part every vector has, is built from metrics in two groups. The exploitability metrics describe how hard the vulnerability is to use: **Attack Vector** (network, adjacent, local, or physical), **Attack Complexity**, **Privileges Required**, and **User Interaction**. The impact metrics describe what happens if it is used: the effect on **Confidentiality**, **Integrity**, and **Availability**. **Scope** sits between them and captures whether exploiting the component can affect resources beyond it. The tool shows each metric's chosen value and its meaning, so a vector stops being an opaque code.

## Score, severity, and the other groups

The computed Base score maps to a qualitative band: None, Low, Medium, High, or Critical. Two optional metric groups refine it when present: **Temporal** metrics adjust for the current state of exploit code and fixes, and **Environmental** metrics re-weight the score for your specific deployment, including your own confidentiality, integrity, and availability requirements. The arithmetic follows the FIRST.org specification exactly, including the specification's own rounding rule, so the number the tool shows matches the official calculator.

## Using it

Paste a v3.0 or v3.1 vector and read the score, the severity band, and the decoded metrics. The calculation is deterministic: the same vector always yields the same score, because it is the published formula and nothing else.

## Standards and references

- [FIRST.org - CVSS v3.1 Specification Document](https://www.first.org/cvss/v3.1/specification-document)
- [FIRST.org - CVSS v3.1 Calculator](https://www.first.org/cvss/calculator/3.1)
- [NVD - CVSS v3.1 Equations](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator/v31/equations)

## Related reading

- [CVSS Severity Bands, and What the Score Does Not Tell You](https://ronutz.com/en/learn/cvss-severity-bands-and-limits.md): The 0 to 10 number maps to five qualitative bands from None to Critical. That mapping is useful for triage, but a CVSS Base score measures severity, not risk. It says nothing about whether a flaw is being exploited, how valuable the asset is, or what controls you have. Treating the base number as a priority queue is the most common way teams misuse CVSS.
- [CVSS Temporal and Environmental Scores](https://ronutz.com/en/learn/cvss-temporal-and-environmental.md): The Base score is only the starting point. Temporal metrics lower it as facts emerge, such as a patch being released, and can only reduce the score. Environmental metrics let an organization re-score the flaw for its own systems by raising or lowering the importance of confidentiality, integrity, and availability and by overriding base metrics. Both are optional but produce a more honest number.
- [CVSS v3.0, v3.1, and v4.0: What Changed](https://ronutz.com/en/learn/cvss-v3-vs-v4.md): This decoder computes CVSS v3.0 and v3.1. The two v3 releases share a formula but differ in rounding and one environmental term, so scores can differ by a tenth. CVSS v4.0, released in 2023, is a larger redesign with new metric groups and no Scope metric, and its vectors are not compatible with v3 tooling. CVSS v2 is retired.
- [How CVSS Scoring Works](https://ronutz.com/en/learn/how-cvss-scoring-works.md): CVSS turns a short vector string into a 0 to 10 severity number using a fixed formula. The Base score is built from two sub-scores: Exploitability (how reachable and easy the flaw is) and Impact (how bad the outcome is). Everything else refines that base. This is arithmetic, not opinion, which is why a calculator can reproduce any published score exactly.
- [Reading a CVSS Vector String](https://ronutz.com/en/learn/cvss-vector-string-format.md): A CVSS vector is a compact, self-describing string: a version prefix followed by slash-separated metric:value pairs. Learning to read it directly, rather than trusting a rendered score, lets you spot transcription errors and understand exactly what a vendor claimed. The Base metrics are mandatory and the rest are optional.
- [The CVSS Base Metrics, Explained](https://ronutz.com/en/learn/cvss-base-metrics-explained.md): The Base score comes from eight metrics in two families. Four exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction) describe how hard the attack is, and four impact metrics (Scope, plus Confidentiality, Integrity, Availability) describe the damage. Scope is the subtle one: it is what lets a score exceed the vulnerable component's own boundary.
