A vulnerability evaluation apparatus includes an input unit configured to input a source code of a program to be evaluated, information indicating assets which are desired to be preserved and an attack accomplishment condition where the assets are not preserved, information indicating an attack determination position at which whether the condition where the assets are not preserved is satisfied can be determined, and input information for the program, an input position designating unit configured to designate an input position indicating a position at which the input information for the program is input, an attack determination position designating unit configured to designate the attack determination position, and an attack path analyzing unit configured to analyze a path from the attack determination position to the input position and specify an attack path where the attack accomplishment condition is satisfied.