What are the CVSS 3.1 vector string fields?

The CVSS 3.1 vector string contains 8 fields: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope (S), Confidentiality Impact (C), Integrity Impact (I), and Availability Impact (A). These are grouped into Exploitability Metrics (AV, AC, PR, UI, S) and Impact Metrics (C, I, A). The vector string format is CVSS:3.1/AV:x/AC:x/PR:x/UI:x/S:x/C:x/I:x/A:x where each x is replaced with the metric value.

What is the CVSS 3.1 severity rating scale?

The CVSS 3.1 severity rating scale maps numerical scores to labels: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0). These severity labels are used in penetration testing reports, vulnerability management programmes, and remediation SLAs to prioritise fixes.

How is the CVSS 3.1 base score calculated?

The CVSS 3.1 base score is calculated from two metric groups: Exploitability (Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope) and Impact (Confidentiality, Integrity, Availability). The formula combines an Impact Sub Score and an Exploitability Sub Score, with the Scope metric determining which formula variant is used. The result is a score from 0.0 to 10.0.

What does the CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L mean?

This vector scores 9.0 (Critical). It describes a network-accessible vulnerability (AV:N) with low attack complexity (AC:L) that requires low privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C), meaning it crosses security boundaries. It has high confidentiality and integrity impact (C:H, I:H) with low availability impact (A:L). This pattern is typical for stored XSS or CSRF attacks that compromise admin sessions.

How is CVSS used in vulnerability management?

In vulnerability management, CVSS scores drive remediation SLAs and prioritisation. Critical findings (9.0-10.0) typically require fixes within 7 days, High (7.0-8.9) within 30 days, Medium (4.0-6.9) within 90 days, and Low (0.1-3.9) in the next release cycle. The vector string makes these thresholds defensible because anyone can verify exactly how a finding was scored. Consistent CVSS scoring across manual pentest findings and automated scanner results is essential for reliable prioritisation.

← Back to Blog

Technical26 March 202614 min read

CVSS 3.1 Vector String Fields, Base Score & Severity Rating Scale Explained

The Common Vulnerability Scoring System (CVSS) 3.1 provides a standardised way to rate the severity of security vulnerabilities using a vector string that encodes every scoring decision. This guide breaks down all CVSS 3.1 vector string fields (AV, AC, PR, UI, S, C, I, A), explains how the base score is calculated, walks through the severity rating scale, and shows how CVSS scoring fits into vulnerability management workflows.

Whether you need to understand what a specific CVSS vector string means, calculate a base score for a pentest finding, or apply CVSS scoring consistently across your security team, this guide covers it with real-world examples and common mistakes to avoid.

What is CVSS?

CVSS is an open standard maintained by FIRST (Forum of Incident Response and Security Teams). Version 3.1 is the most widely used in penetration testing reports, and understanding it thoroughly is essential for any security professional producing client-facing deliverables. It produces a numerical score from 0.0 to 10.0 based on the characteristics of a vulnerability, along with a vector string that makes the rating transparent and reproducible. The vector string is the key differentiator from ad-hoc severity ratings because it allows anyone to understand exactly how the score was derived and challenge individual metric choices if they disagree.

The score maps to severity labels: Info (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), and Critical (9.0 to 10.0).

CVSS consists of three metric groups: Base, Temporal, and Environmental. The base score is the most commonly used in pentest reports because it captures the intrinsic characteristics of a vulnerability independent of time or environment. Temporal and environmental scores allow organisations to adjust the base score based on factors like exploit maturity, remediation level, and the importance of the affected asset within their specific infrastructure.

CVSS 3.1 Vector String Fields and Base Score Metrics

The CVSS 3.1 vector string encodes every scoring decision as a series of metric:value pairs. For example, the string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N tells you exactly how each field was scored. Understanding these vector string fields is essential for both calculating scores and interpreting scores from other sources like NVD or scanner output.

The base score captures the intrinsic characteristics of a vulnerability. It consists of two metric groups, and together these fields determine the CVSS 3.1 base score on the 0.0 to 10.0 severity rating scale:

Exploitability Metrics

Attack Vector (AV)

How the attacker reaches the vulnerable component. Network (remotely exploitable), Adjacent (requires local network access), Local (requires local system access), or Physical (requires physical access to the device).

Attack Complexity (AC)

Conditions beyond the attacker's control that must exist. Low means the attack works reliably without special conditions. High means the attacker needs to invest effort in preparation or requires specific circumstances.

Privileges Required (PR)

The level of access the attacker needs before exploitation. None (no authentication needed), Low (basic user account), or High (administrative privileges).

User Interaction (UI)

Whether exploitation requires a victim to take some action. None (fully automated) or Required (victim must click a link, open a file, etc.).

Scope (S)

Whether the vulnerability impacts resources beyond the vulnerable component. Unchanged means the impact stays within the same security authority. Changed means it affects resources managed by a different authority (e.g., a web application vulnerability that compromises the host OS).

Impact Metrics

Confidentiality (C)

Impact on data confidentiality. None (no disclosure), Low (some restricted data exposed), or High (all data in the component disclosed).

Integrity (I)

Impact on data integrity. None (no modification possible), Low (some data can be modified), or High (all data can be modified or deleted).

Availability (A)

Impact on system availability. None (no disruption), Low (degraded performance), or High (complete denial of service).

Temporal and Environmental Scores

While base scores are the standard in most penetration testing reports, understanding temporal and environmental metrics gives you the tools to provide more nuanced severity assessments when clients request them.

Temporal Metrics

Temporal metrics adjust the base score based on factors that change over time. Exploit Code Maturity (E) reflects whether a public exploit exists (Unproven, Proof-of-Concept, Functional, or High). Remediation Level (RL) indicates whether an official fix is available (Official Fix, Temporary Fix, Workaround, or Unavailable). Report Confidence (RC) captures how confident the source is in the vulnerability details (Unknown, Reasonable, or Confirmed). A vulnerability with a functional public exploit scores higher temporally than one with no known exploit code.

Environmental Metrics

Environmental metrics let organisations adjust scores based on their specific infrastructure. They include modified versions of all base metrics (allowing you to override base values) plus three additional metrics: Confidentiality Requirement (CR), Integrity Requirement (IR), and Availability Requirement (AR). These are set to Low, Medium, or High based on the business criticality of the affected system. A SQL injection on a payment processing server (High CR, High IR) scores significantly higher than the same vulnerability on an internal wiki (Low CR, Low IR).

In practice, most pentest reports use base scores exclusively because temporal and environmental factors require client-specific context that the tester may not have. However, offering environmental scoring adjustments as part of your service adds value and demonstrates a deeper understanding of risk versus raw severity.

Real-World Examples

The best way to understand CVSS scoring is to work through real examples. Each example below shows the vulnerability, the vector string, the resulting score, and an explanation of why each metric was selected. Use these as a reference when scoring your own findings.

SQL Injection (Unauthenticated)

An unauthenticated SQL injection that allows reading the entire database.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Score: 9.1 (Critical)

Network-accessible, low complexity, no privileges or user interaction needed. High confidentiality and integrity impact since the attacker can read and modify database records.

Stored XSS in User Profile

A stored cross-site scripting vulnerability in a user profile field that executes when other users view the profile.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Score: 5.4 (Medium)

Requires a low-privilege account to inject the payload. Requires user interaction (victim viewing the profile). Scope is changed because the script executes in the victim's browser context.

Missing Security Headers

The application does not set X-Frame-Options or Content-Security-Policy headers.

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Score: 3.1 (Low)

High complexity because successful exploitation (clickjacking) requires a specific scenario. Low integrity impact. No direct confidentiality or availability impact.

CVSS 3.1 Vector String Lookup: Decoding Common Vectors

Security teams frequently need to decode CVSS vector strings from scanner output, NVD entries, or pentest reports. Here are some commonly searched vectors with their breakdowns:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Score: 9.0 (Critical)

Network-accessible (AV:N), low complexity (AC:L), requires low privileges (PR:L) and user interaction (UI:R). Scope is changed (S:C), meaning it crosses trust boundaries. High confidentiality and integrity impact (C:H, I:H) with low availability impact (A:L). This vector is typical for stored XSS or CSRF vulnerabilities that can compromise admin sessions and modify data across security boundaries.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

Score: 9.3 (Critical)

Similar to the above but requires no privileges (PR:N) instead of low privileges. This raises the score because any unauthenticated attacker can exploit it. Common for reflected XSS in authentication flows or open redirect chains that lead to account takeover. The changed scope (S:C) indicates the exploit impacts a different security context than the vulnerable component.

CVSS 3.1 Scoring in Vulnerability Management

Beyond individual findings in pentest reports, CVSS 3.1 vector string fields play a central role in vulnerability management programmes. The severity rating scale provides a consistent language for prioritising remediation across teams, tracking risk reduction over time, and reporting security posture to leadership.

In a vulnerability management workflow, CVSS scores drive remediation SLAs: critical findings (9.0-10.0) might require a fix within 7 days, high findings (7.0-8.9) within 30 days, medium (4.0-6.9) within 90 days, and low (0.1-3.9) within the next release cycle. The vector string fields make these thresholds defensible because anyone can verify exactly why a finding received its score.

Effective vulnerability management requires consistent CVSS scoring across all sources: manual pentest findings, automated scanner results, and imported vulnerabilities from tools like Nessus or Burp Suite. When scores come from different sources with different interpretations, remediation priorities become unreliable. This is why centralising findings in a single platform with a built-in CVSS calculator matters for teams managing vulnerabilities at scale.

CVSS in Your Reports

When including CVSS scores in your pentest reports, always show the full vector string alongside the numerical score and severity label. The vector string is what makes CVSS transparent and defensible. If a client questions why a finding is rated High, you can walk them through each metric component and explain the reasoning. Without the vector, a score is just a number.

Structure your findings consistently: title, severity label, CVSS score, vector string, description, evidence, and remediation. This format makes it easy for developers to scan findings and prioritise fixes. For a complete template, see our security assessment report template.

Consider including a severity breakdown table at the beginning of your report showing the total count of findings at each level. This gives executives a snapshot without reading every finding. Many clients use this table directly in their board presentations and risk committee updates, so accuracy and consistency matter.

Common Scoring Mistakes

Inflating scores to impress clients. Over-scoring erodes trust. If a client disputes a score and you cannot justify it with the vector string, your credibility suffers. Always be prepared to explain every metric choice in the vector.
Ignoring Scope changes. The Scope metric significantly impacts the score. A vulnerability that only affects the local component (Unchanged) scores lower than one that crosses trust boundaries (Changed). This is one of the most commonly misunderstood metrics because testers default to Unchanged when unsure.
Confusing Attack Complexity with effort. AC:High does not mean "hard to find". It means exploitation depends on conditions the attacker cannot control (e.g., race conditions, specific configurations). The effort to discover a vulnerability is not a CVSS factor.
Using CVSS for risk ranking alone. CVSS measures technical severity, not business risk. A critical finding on a test server may be lower risk than a medium finding on the payment processing system. Communicate this distinction to clients so they can apply business context to their remediation priorities.
Inconsistent scoring across team members. When multiple testers contribute to a report, scoring inconsistencies undermine credibility. Establish a scoring guide for your team and conduct peer reviews on all CVSS vectors before report delivery.

CVSS 3.1 vs CVSS 4.0

FIRST released CVSS 4.0 in November 2023, introducing additional granularity with new metrics like Attack Requirements and changes to how the Scope concept works, replacing it with Subsequent System impact metrics. CVSS 4.0 also adds a supplemental metric group covering safety, automatable, recovery, value density, and provider urgency attributes.

However, CVSS 3.1 remains the dominant version in penetration testing reports as of 2026. Most compliance frameworks, vulnerability databases including NVD, and client expectations are still built around 3.1 thresholds. When clients request CVSS scoring, they almost always mean 3.1 unless explicitly stated otherwise.

If you are considering adopting CVSS 4.0, do so incrementally. You might include both scores for a transition period. Discuss the change with your clients first, as they may have internal processes or remediation SLAs built around 3.1 severity thresholds that would need updating.

Automating CVSS Calculation

Manual CVSS calculation is error-prone, especially under time pressure at the end of an engagement. Selecting the wrong value for a single metric can shift a score by two or more points, potentially changing the severity label and misrepresenting the finding's impact to the client.

SecPortal includes a built-in CVSS 3.1 calculator that auto-calculates scores as you select vector components. The score, severity label, and full vector string are automatically assigned to each finding, ensuring consistency across your reports and across your team. With 300+ pre-built finding templates that come with default CVSS vectors, you can log common vulnerabilities in seconds and adjust the vector for the specific context.

When combined with categorisation frameworks like the OWASP Top 10, CVSS scores provide a complete picture of each finding's severity and classification. SecPortal also imports findings from scanners like Nessus and Burp Suite with their original CVSS scores, so all your findings (manual and automated) use the same scoring baseline. To learn how to streamline the entire finding lifecycle from discovery to remediation, see our guide on automating security findings management.

Stop calculating CVSS scores by hand

SecPortal's built-in CVSS 3.1 calculator auto-scores findings as you select vector components. 300+ finding templates, AI-powered report generation, and remediation tracking keep your vulnerability management workflow consistent from discovery to client delivery.

Start Your Free Trial See Findings Management

Free tier available. No credit card required.