analitics

Sunday, July 5, 2026

Python 3.10.11 : CVSS (Common Vulnerability Scoring System) with cvss python package.

This Python package contains CVSS v2, v3 and v4 computation utilities and an interactive calculator (for v2 and v3 only), compatible with Python 3. CVSS (Common Vulnerability Scoring System) is a standardized method for rating the severity of security issues on a scale from 0 (no impact) to 10 (critical).
Let's install the cvss python package.
python -m pip install cvss
Collecting cvss
  Downloading cvss-3.6-py2.py3-none-any.whl.metadata (3.8 kB)
Downloading cvss-3.6-py2.py3-none-any.whl (31 kB)
Installing collected packages: cvss
  WARNING: The script cvss_calculator.exe is installed in 'C:\python-3_10_11\Scripts' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed cvss-3.6
How this works:
NVD Database (online)
        |
        |  JSON feed
        v
Python script ----> parses CVE + CVSS vector
        |
        |  uses cvss library
        v
Scores vulnerabilities (Base, Temporal, Environmental)
        |
        |  inserts results
        v
Your local database (SQL)
        |
        v
Dashboard / API / Alerts 
A simple source code example:
#!/usr/bin/env python3

# Demonstrates how to score a CVSS vector using the open-source "cvss" library.
# Validation and error handling included.

from cvss import CVSS3  # CVSS2, CVSS3, CVSS4 are available
import sys

def score_cvss_vector(vector: str):
    """
    Validates and scores a CVSS3 vector string.
    Returns scores and severities.
    """
    if not isinstance(vector, str) or not vector.strip():
        raise ValueError("Vector must be a non-empty string.")

    try:
        c = CVSS3(vector)
    except Exception as e:
        raise ValueError(f"Invalid CVSS3 vector: {e}")

    return c.clean_vector(), c.scores(), c.severities()

def main():
    if len(sys.argv) != 2:
        print("Usage: python main.py '<CVSS3_VECTOR>'")
        print("Example:")
        print("python main.py 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'")
        sys.exit(1)

    vector = sys.argv[1]

    try:
        clean_v, scores, severity = score_cvss_vector(vector)
        print("Input vector:", vector)
        print("Normalized vector:", clean_v)
        print("Scores:", scores)
        print("Severity:", severity)
    except ValueError as e:
        print("Error:", e)
        sys.exit(1)

if __name__ == "__main__":
    main()
The result is this:
python main.py CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Input vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Normalized vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Scores: (9.8, 9.8, 9.8)
Severity: ('Critical', 'Critical', 'Critical')
Another source file with examples:
#!/usr/bin/env python3
# Requires: pip install cvss

from cvss import CVSS3

# Example vulnerabilities (safe, educational)
vulns = [
    {
        "language": "Python",
        "title": "Unsafe eval usage",
        "description": "Code that executes user-provided input using eval().",
        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
    },
    {
        "language": "C#",
        "title": "Insecure deserialization",
        "description": "BinaryFormatter deserialization of untrusted data.",
        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    },
    {
        "language": "Godot Engine",
        "title": "Unvalidated file path access",
        "description": "Loading files from paths provided by the user without validation.",
        "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
    }
]

def analyze_vulnerabilities(vuln_list):
    for v in vuln_list:
        print("\n====================================")
        print("Language:", v["language"])
        print("Issue:", v["title"])
        print("Description:", v["description"])
        print("CVSS Vector:", v["cvss_vector"])

        try:
            cv = CVSS3(v["cvss_vector"])
            base, temp, env = cv.scores()
            sev_base, sev_temp, sev_env = cv.severities()

            print("Base Score:", base, "-", sev_base)
            print("Temporal Score:", temp, "-", sev_temp)
            print("Environmental Score:", env, "-", sev_env)

        except Exception as e:
            print("Invalid CVSS vector:", e)

if __name__ == "__main__":
    analyze_vulnerabilities(vulns)
This is the result:
python main_002.py

====================================
Language: Python
Issue: Unsafe eval usage
Description: Code that executes user-provided input using eval().
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Base Score: 8.1 - High
Temporal Score: 8.1 - High
Environmental Score: 8.1 - High

====================================
Language: C#
Issue: Insecure deserialization
Description: BinaryFormatter deserialization of untrusted data.
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 9.8 - Critical
Temporal Score: 9.8 - Critical
Environmental Score: 9.8 - Critical

====================================
Language: Godot Engine
Issue: Unvalidated file path access
Description: Loading files from paths provided by the user without validation.
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Base Score: 4.4 - Medium
Temporal Score: 4.4 - Medium
Environmental Score: 4.4 - Medium