CVE.ICU
Scoring Intelligence Hub
Compare and understand vulnerability scoring systems: CVSS, EPSS, and KEV
CVSS
Severity-
Scored CVEs
Common Vulnerability Scoring System measures the severity and impact of vulnerabilities on a 0-10 scale.
💡 "How bad is this vulnerability?"
EPSS
Probability-
Scored CVEs
Exploit Prediction Scoring System predicts the likelihood of exploitation within 30 days.
💡 "Will this vulnerability be exploited?"
KEV
Exploited-
Known Exploited
CISA's Known Exploited Vulnerabilities catalog lists CVEs confirmed to be actively exploited.
💡 "Is this vulnerability being exploited now?"
Risk Matrix: CVSS × EPSS
Combining severity (CVSS) with exploitation likelihood (EPSS)System Comparison
| Aspect | CVSS | EPSS | KEV |
|---|---|---|---|
| Purpose | Measure severity/impact | Predict exploitation probability | Confirm active exploitation |
| Scale | 0.0 - 10.0 | 0.0 - 1.0 (probability) | Yes / No (binary) |
| Source | NVD / Vendors | FIRST.org | CISA |
| Update Frequency | Per CVE publication | Daily | As exploits confirmed |
| Coverage | - | - | - |
-
EPSS & KEV
KEV CVEs with EPSS scores
-
High EPSS, Not KEV
EPSS > 0.5 but not in KEV
-
KEV with Low EPSS
In KEV but EPSS < 0.1