The invention discloses a method for calculating vulnerability risk, comprising the following steps: S1, standardizing vulnerability levels; S2, standardizing the evaluation dimensions by combining the hazard level of the vulnerability with the 5W2H method (what, why, who, where, when, how, how much); S3, standardizing the baseline; and S4, matching the standardized results of S1, S2 and S3 against the risk values of the enterprise's systems to obtain a conclusion. By quantifying the risk of each vulnerability from its hazard level together with the 5W2H dimensions, the method yields a more accurate and objective evaluation result, shows the risk level of the vulnerabilities present in the current system more directly, and supports a more feasible remediation plan with a more effective remediation outcome. Each quantification result is recorded as a case, and the frequency of each risk category is tallied for every system at regular intervals, so that the weaknesses each system acquired during development are understood, development specifications and requirements are refined in a more targeted way, and development quality is improved.
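The following is an added worked example of the four steps and the per-system frequency statistics; it is not code from the patent. The abstract names the steps but gives no numbers, so the hazard-level mapping, the 5W2H weights, the rule that combines the two scores, the baseline thresholds, and the sample findings are all assumptions made here for illustration.

```python
# Illustrative implementation of the S1-S4 pipeline described in the abstract.
# Every mapping, weight and threshold below is an assumption chosen for the
# demonstration; the patent abstract gives no concrete values.
import math
from collections import Counter
from dataclasses import dataclass

# S1: assumed mapping of hazard-level labels onto one ordinal scale.
HAZARD_LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}
MAX_HAZARD = max(HAZARD_LEVELS.values())

# S2: the 5W2H evaluation dimensions, each scored 0..1 by the assessor,
# with assumed relative weights that sum to 1.
DIMENSION_WEIGHTS = {
    "what": 0.20,      # what is exposed (data, function)
    "why": 0.10,       # why it exists (design flaw vs. misconfiguration)
    "who": 0.15,       # who can reach it (anonymous, authenticated, insider)
    "where": 0.15,     # where it sits (internet-facing, internal, isolated)
    "when": 0.10,      # when it is exploitable (always, maintenance window only)
    "how": 0.15,       # how hard it is to exploit
    "how_much": 0.15,  # how much impact (records, money, availability)
}
assert math.isclose(sum(DIMENSION_WEIGHTS.values()), 1.0)

# S3: assumed baseline: the lowest risk value that reaches each level.
BASELINE = [("critical", 0.85), ("high", 0.60), ("medium", 0.30), ("low", 0.0)]


@dataclass
class Vulnerability:
    vuln_id: str
    system: str
    hazard: str
    dims: dict  # 5W2H dimension name -> score in [0, 1]


def standardize_hazard(level: str) -> float:
    """S1: map a hazard label to [0, 1]; unknown labels are rejected rather than guessed."""
    if level not in HAZARD_LEVELS:
        raise ValueError(f"unknown hazard level: {level!r}")
    return HAZARD_LEVELS[level] / MAX_HAZARD


def dimension_score(dims: dict) -> float:
    """S2: weighted 5W2H score in [0, 1]; every dimension must be present and in range."""
    missing = set(DIMENSION_WEIGHTS) - set(dims)
    if missing:
        raise ValueError(f"missing 5W2H dimensions: {sorted(missing)}")
    total = 0.0
    for name, weight in DIMENSION_WEIGHTS.items():
        value = float(dims[name])
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"dimension {name!r} out of range: {value}")
        total += weight * value
    return total


def risk_value(v: Vulnerability) -> float:
    """Assumed combination rule: equal weight on standardized hazard and 5W2H score."""
    return 0.5 * standardize_hazard(v.hazard) + 0.5 * dimension_score(v.dims)


def classify(risk: float) -> str:
    """S3/S4: match a risk value against the baseline thresholds (highest level first)."""
    for level, threshold in BASELINE:
        if risk >= threshold:
            return level
    return "low"


def quantify(vulns: list) -> list:
    """S4: produce one case record per vulnerability."""
    records = []
    for v in vulns:
        risk = risk_value(v)
        records.append({"vuln_id": v.vuln_id, "system": v.system,
                        "risk": round(risk, 4), "level": classify(risk)})
    return records


def frequency_by_system(records: list) -> dict:
    """Tally how often each risk level occurs per system (the abstract's periodic statistics)."""
    counts = {}
    for r in records:
        counts.setdefault(r["system"], Counter())[r["level"]] += 1
    return {system: dict(c) for system, c in counts.items()}


# Constructed sample findings for the demonstration (not real vulnerabilities).
SAMPLE = [
    Vulnerability("VULN-001", "billing", "critical",
                  {"what": 1.0, "why": 0.8, "who": 1.0, "where": 1.0,
                   "when": 0.5, "how": 0.9, "how_much": 1.0}),
    Vulnerability("VULN-002", "billing", "low",
                  {name: 0.2 for name in DIMENSION_WEIGHTS}),
    Vulnerability("VULN-003", "portal", "medium",
                  {"what": 0.6, "why": 0.5, "who": 0.7, "where": 0.4,
                   "when": 0.5, "how": 0.5, "how_much": 0.6}),
]

if __name__ == "__main__":
    records = quantify(SAMPLE)
    for r in records:
        print(r)
    print(frequency_by_system(records))
```

The point of the standardization steps is that a finding from any scanner or assessor ends up on the same scale before it is compared with the baseline, which is why unknown labels and missing or out-of-range dimensions are rejected instead of silently defaulted. The frequency table at the end is what the abstract proposes feeding back into development specifications; with real data it would be produced per reporting period rather than once.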