CVSS Library

3.6 · active · verified Sat Apr 11

The `cvss` library provides a Python implementation for calculating and parsing Common Vulnerability Scoring System (CVSS) scores for versions 2, 3, and 4. It enables users to convert CVSS vectors into human-readable scores and provides programmatic access to individual metric values. The current version is 3.6, and it sees active maintenance with several releases per year addressing bug fixes and new CVSS specification versions.

Warnings

breaking Python 2.7 support was officially removed in version 3.5. Users running on Python 2.x will need to upgrade to Python 3.7+.
Fix: Upgrade your Python environment to 3.7 or newer. If you must use Python 2.7, use an older version of the `cvss` library (e.g., <3.5), but note it will not support CVSS v4.0.
breaking Starting with version 3.5, the library officially requires Python 3.7 or newer.
Fix: Ensure your Python environment is version 3.7 or higher.
gotcha When parsing CVSS vectors, you must use the correct class (`CVSS2`, `CVSS3`, or `CVSS4`) corresponding to the vector's version. Attempting to parse a CVSS v3 vector with `CVSS2` will result in errors or incorrect parsing.
Fix: Inspect the CVSS vector string (e.g., 'CVSS:3.1/' indicates v3.1, 'CVSS:4.0/' indicates v4.0) and instantiate the appropriate class (e.g., `CVSS3(...)` or `CVSS4(...)`).
gotcha Early versions of CVSS v4.0 implementation in the library (v3.0, v3.1) had rounding issues for base scores that did not match the official specification. This was fixed in v3.2.
Fix: Ensure you are using `cvss` library version 3.2 or newer when calculating CVSS v4.0 scores for accurate rounding.
gotcha The `CVSS3.as_json()` method has a `minimal` parameter, which if set to `True`, will output a JSON representation containing only the metrics that the CVSS3 object was initiated with, rather than all possible metrics.
Fix: Be aware of the `minimal` parameter's effect when generating JSON output, especially if you expect a full representation of all metrics regardless of input.

Install

pip install cvss Install latest version

Imports

CVSS2
```
from cvss import CVSS2
```
CVSS3
```
from cvss import CVSS3
```
CVSS4
```
from cvss import CVSS4
```

Quickstart

Initialize CVSS objects with a vector string and retrieve base scores and individual metrics.

from cvss import CVSS3, CVSS4

# Example CVSS v3.1 vector
cvss3_vector = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
cvss3_obj = CVSS3(cvss3_vector)
print(f"CVSS v3 Base Score: {cvss3_obj.base_score}")
print(f"CVSS v3 Vector: {cvss3_obj.vector}")

# Example CVSS v4.0 vector
cvss4_vector = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
cvss4_obj = CVSS4(cvss4_vector)
print(f"CVSS v4 Base Score: {cvss4_obj.base_score}")
print(f"CVSS v4 Vector: {cvss4_obj.vector}")

view raw JSON →