API Reference

The CVSS Guru REST API lets you calculate and convert CVSS scores programmatically. All endpoints accept and return JSON. No authentication required.

No authentication required

JSON request & response

CVSS v2.0 · v3.0 · v3.1 · v4.0

Base URL

BASE https://cvss.guru/api/v1

All endpoints below are relative to this base URL. Use Content-Type: application/json for all POST requests.

Error Handling

Errors return a standard JSON object with an error field and an appropriate HTTP status code.

400

Invalid metric value or calculation error

404

CVE not found in NVD

422

Missing required field or invalid format

// Error response shape
{
  "error": "Invalid metric value for AV. Expected one of: N, A, L, P"
}

POST /api/v1/calculate/2.0

Calculate a CVSS v2.0 Base (and optionally Temporal / Environmental) score.

Request Body

Field	Values	Description
AVreq	L · A · N	Attack Vector
ACreq	H · M · L	Attack Complexity
Aureq	M · S · N	Authentication
Creq	N · P · C	Confidentiality Impact
Ireq	N · P · C	Integrity Impact
Areq	N · P · C	Availability Impact
Eopt	U · POC · F · H · ND	Exploitability (default ND)
RLopt	OF · TF · W · U · ND	Remediation Level (default ND)
RCopt	UC · UR · C · ND	Report Confidence (default ND)

Example

curl -X POST https://cvss.guru/api/v1/calculate/2.0 \
  -H "Content-Type: application/json" \
  -d '{
    "AV": "N", "AC": "L", "Au": "N",
    "C": "C", "I": "C", "A": "C"
  }'

Response

{
  "version": "2.0",
  "vector":  "AV:N/AC:L/Au:N/C:C/I:C/A:C",
  "scores": {
    "base":          { "score": 10.0, "severity": "High" },
    "temporal":      null,
    "environmental": null
  },
  "metrics": { "AV": "N", "AC": "L", ... }
}

POST /api/v1/calculate/3.0

Calculate a CVSS v3.0 score. Same schema as v3.1 — use /3.1 for newer CVEs.

Field	Values	Description
AVreq	N · A · L · P	Attack Vector
ACreq	L · H	Attack Complexity
PRreq	N · L · H	Privileges Required
UIreq	N · R	User Interaction
Sreq	U · C	Scope
Creq	N · L · H	Confidentiality Impact
Ireq	N · L · H	Integrity Impact
Areq	N · L · H	Availability Impact
E · RL · RCopt	X · …	Temporal metrics (default X)
CR · IR · AR · M*opt	X · …	Environmental metrics (default X)

curl -X POST https://cvss.guru/api/v1/calculate/3.0 \
  -H "Content-Type: application/json" \
  -d '{
    "AV": "N", "AC": "L", "PR": "N",
    "UI": "N", "S": "U",
    "C": "H", "I": "H", "A": "H"
  }'

POST /api/v1/calculate/3.1

Calculate a CVSS v3.1 score. Identical schema to v3.0.

curl -X POST https://cvss.guru/api/v1/calculate/3.1 \
  -H "Content-Type: application/json" \
  -d '{
    "AV": "N", "AC": "L", "PR": "N",
    "UI": "N", "S": "C",
    "C": "H", "I": "H", "A": "H"
  }'

// Response
{
  "version": "3.1",
  "vector":  "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
  "scores": {
    "base": { "score": 10.0, "severity": "Critical" },
    "temporal": null, "environmental": null
  },
  "metrics": { "AV": "N", ... }
}

POST /api/v1/calculate/4.0

Calculate a CVSS v4.0 score. v4.0 splits impact into Vulnerable System and Subsequent System components.

Field	Values	Description
AVreq	N · A · L · P	Attack Vector
ACreq	L · H	Attack Complexity
ATreq	N · P	Attack Requirements
PRreq	N · L · H	Privileges Required
UIreq	N · P · A	User Interaction
VC · VI · VAreq	N · L · H	Vulnerable System C/I/A
SC · SI · SAopt	N · L · H	Subsequent System C/I/A
Eopt	X · A · P · U	Exploit Maturity (default X)

curl -X POST https://cvss.guru/api/v1/calculate/4.0 \
  -H "Content-Type: application/json" \
  -d '{
    "AV": "N", "AC": "L", "AT": "N",
    "PR": "N", "UI": "N",
    "VC": "H", "VI": "H", "VA": "H",
    "SC": "N", "SI": "N", "SA": "N"
  }'

POST /api/v1/calculate/vector

Calculate a score directly from a vector string. The CVSS version is auto-detected from the prefix.

Field	Type	Description
vectorreq	string	Full CVSS vector string (e.g. `CVSS:3.1/AV:N/...`)

curl -X POST https://cvss.guru/api/v1/calculate/vector \
  -H "Content-Type: application/json" \
  -d '{"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}'

// Response — version auto-detected as 3.1
{
  "version": "3.1",
  "vector":  "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "scores": {
    "base": { "score": 9.8, "severity": "Critical" },
    "temporal": null, "environmental": null
  },
  "metrics": { "AV": "N", ... }
}

POST /api/v1/convert

Convert a CVSS vector to a different version. The source version is auto-detected. Returns both original and converted scores.

Field	Values	Description
vectorreq	string	Source CVSS vector string
toreq	2.0 · 3.0 · 3.1 · 4.0	Target CVSS version

curl -X POST https://cvss.guru/api/v1/convert \
  -H "Content-Type: application/json" \
  -d '{
    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "to": "4.0"
  }'

// Response
{
  "from": {
    "version": "3.1",
    "vector":  "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "scores":  { "base": { "score": 9.8, "severity": "Critical" }, ... }
  },
  "to": {
    "version": "4.0",
    "vector":  "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
    "scores":  { "base": { "score": 9.3, "severity": "Critical" }, ... },
    "metrics": { ... }
  }
}

GET /api/v1/cve/{cve_id}

Fetch CVE details and all available CVSS scores from the NVD (National Vulnerability Database). Results are cached for 24 hours.

Param	Type	Description
cve_idpath	string	CVE identifier, e.g. `CVE-2021-44228`

curl https://cvss.guru/api/v1/cve/CVE-2021-44228

// Response
{
  "success":     true,
  "cached":      false,
  "id":          "CVE-2021-44228",
  "published":   "2021-12-10",
  "modified":    "2023-04-03",
  "description": "Apache Log4j2 2.0-beta9 through 2.15.0...",
  "weaknesses":  ["CWE-502"],
  "scores": {
    "v2":  { "version": "2.0",  "score": 9.3, "severity": "HIGH",     "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C" },
    "v30": null,
    "v31": { "version": "3.1", "score": 10.0, "severity": "CRITICAL", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" },
    "v40": null
  },
  "references": ["https://logging.apache.org/log4j/2.x/security.html", ...]
}