Miscalculation of CVSS 3.1 score vs. NVD/FIRST CVSS calculator

The calculation of CVSS 3.1 score does not produce the same result as the NVD/FIRST CVSS calculator

For example, querying the CVSS score of GHSA-vfww-5hm6-hx2j / CVE-2025-55754 -
```
curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/advisories/GHSA-vfww-5hm6-hx2j
```

Produces the vector and a score of 9.7 -
```
...
"cvss": {
    "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
    "score": 9.7
  },
...
```

However, the same CVSS vector in both NVD and FIRST CVSS 3.1 calculators, produces a score of 9.6 -
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H&version=3.1

<img width="1059" height="307" alt="Image" src="https://github.com/user-attachments/assets/5244958c-f598-4c54-98bd-f8b123e67105" />


The expected outcome is that the calculation of the above vector will be equal to the NVD/FIRST calculation (9.6)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Miscalculation of CVSS 3.1 score vs. NVD/FIRST CVSS calculator #7119

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Miscalculation of CVSS 3.1 score vs. NVD/FIRST CVSS calculator #7119

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions