CVEs in the Wild

CISA KEV catalog with initial vs current EPSS, CVSS, and exploit confirmation

Author

Sam Caldwell

Sources. CVEs and “in-wild” status from CISA KEV Catalog (US government work, public domain). EPSS (Exploit Prediction Scoring System) from FIRST EPSS (CC-BY-SA). CVSS scores from the NVD (US government work, public domain).

EPSS estimates the probability a CVE will be exploited in the next 30 days. CVSS is a static severity score for the vulnerability itself. KEV confirms an exploit has been observed in the wild — every row on this page is “in wild = TRUE.”

  • KEV CVEs total: 1,577 (as of 2026-04-20)
  • New in last 30 days: 26 (newly added by CISA)
  • Top CVE by current EPSS: CVE-2023-23752 (EPSS = 0.945)
  • Median current EPSS (KEV): 0.711 (across all KEV-listed CVEs)
  • Median CVSS v3 (KEV): 8.8 (severity of the vuln itself)

All KEV CVEs — sortable, searchable

EPSS values range 0.0 – 1.0 (probability of exploitation in next 30 days). CVSS v3 ranges 0.0 – 10.0 (severity). The EPSS Δ column shows how a CVE’s predicted exploit probability has moved since we first observed it in our cache.

How EPSS and CVSS differ

  • CVSS v3 scores severity on a 0–10 scale based on the vulnerability’s intrinsic characteristics: attack vector, complexity, required privileges, user interaction, scope, and impact on confidentiality/integrity/availability. CVSS does not change much over time.
  • EPSS estimates the probability a vulnerability will be exploited in the next 30 days, based on observed exploit behavior, public discussion, and threat-actor activity. EPSS updates daily and can move a lot — a CVE might have low CVSS but high EPSS (easy to exploit, attractive target), or vice versa.
  • KEV inclusion is the strongest signal: it confirms exploitation has already been observed by US federal agencies. Every CVE on this page is in KEV.

EPSS Δ tracks how predicted-exploit probability has moved since this site first observed the CVE. A large positive Δ means EPSS now rates exploitation as more likely than it did at first observation; a large negative Δ means it rates exploitation as less likely.

Source notes

  • CISA KEV updates irregularly (typically several times per month). Refresh: daily.
  • EPSS publishes a daily snapshot of all ~250k tracked CVEs. We retain the first score we see per CVE as initial_epss (immutable) and update current_epss each day.
  • NVD CVSS is fetched on-demand for KEV CVEs we haven’t yet scored, rate-limited to ≤2 req/sec without an API key.
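
The retention rule in the EPSS source note above (first score kept as initial_epss, current_epss refreshed daily, Δ computed for KEV rows), as an added example that is not this site's own code. The SQLite layout, function names, and the placeholder CVE IDs and scores are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample data: placeholder CVE IDs and scores, not real EPSS values.
DAY1 = {"CVE-0000-0001": 0.10, "CVE-0000-0002": 0.80}
DAY2 = {"CVE-0000-0001": 0.65, "CVE-0000-0002": 0.72, "CVE-0000-0003": 0.05}
KEV_IDS = {"CVE-0000-0001", "CVE-0000-0003", "CVE-0000-0004"}

def open_cache():
    """Create the cache; a trigger makes initial_epss and first_seen write-once."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE epss (
            cve          TEXT PRIMARY KEY,
            initial_epss REAL NOT NULL,
            current_epss REAL NOT NULL,
            first_seen   TEXT NOT NULL,
            last_seen    TEXT NOT NULL
        );
        CREATE TRIGGER epss_initial_immutable
        BEFORE UPDATE OF initial_epss, first_seen ON epss
        BEGIN SELECT RAISE(ABORT, 'initial_epss is immutable'); END;
    """)
    return db

def ingest(db, day, snapshot):
    """Apply one daily snapshot; the first sighting of a CVE fixes initial_epss."""
    with db:  # one transaction per snapshot, rolled back if any row is invalid
        for cve, score in snapshot.items():
            if not 0.0 <= score <= 1.0:
                raise ValueError(f"{cve}: EPSS {score!r} is outside 0.0-1.0")
            # No-op when the CVE is already cached, so initial_epss is never overwritten.
            db.execute("INSERT OR IGNORE INTO epss VALUES (?, ?, ?, ?, ?)",
                       (cve, score, score, day, day))
            db.execute("UPDATE epss SET current_epss = ?, last_seen = ? WHERE cve = ?",
                       (score, day, cve))

def kev_deltas(db, kev_ids):
    """Return (cve, initial, current, delta) per KEV CVE; None where EPSS has no score."""
    out = []
    for cve in sorted(kev_ids):
        row = db.execute("SELECT initial_epss, current_epss FROM epss WHERE cve = ?",
                         (cve,)).fetchone()
        if row is None:
            out.append((cve, None, None, None))  # listed in KEV, not yet scored
        else:
            out.append((cve, row[0], row[1], round(row[1] - row[0], 3)))
    return out
```

Call ingest() once per daily snapshot in date order, then kev_deltas() to produce the Δ column; a snapshot containing an out-of-range score is rejected as a whole, leaving the previous day's values in place.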