CVSS vs EPSS
Last reviewed June 2, 2026
CVSS and EPSS answer different questions. CVSS measures how severe a vulnerability is if exploited, producing a 0 to 10 severity score. EPSS estimates the probability that a vulnerability will be exploited in the wild within the next 30 days, published daily as a probability between 0 and 1 and a percentile rank among all scored CVEs. CVSS describes impact; EPSS describes likelihood. Effective prioritization uses both together.
The core difference
CVSS, the Common Vulnerability Scoring System, rates the intrinsic severity of a vulnerability: how bad the outcome would be if an attacker exploited it. EPSS, the Exploit Prediction Scoring System, rates something else entirely: how likely it is that exploitation will actually occur in the near term.
A vulnerability can be a CVSS 9.8 critical yet have a very low EPSS probability, because no exploit is circulating. Conversely, a moderate-severity flaw can carry a high EPSS score if attackers are already weaponizing it. Reading only one number gives you half the picture.
CVSS vs EPSS at a glance
| Dimension | CVSS | EPSS |
|---|---|---|
| Question answered | How severe is it if exploited? | How likely is it to be exploited soon? |
| Output | Score from 0.0 to 10.0 (plus a vector string recording the metrics) | Probability 0 to 1 (exploitation within 30 days) plus a percentile rank among all scored CVEs |
| Maintained by | FIRST.org (CVSS SIG) | FIRST.org (EPSS SIG) |
| Updated | When the CVE is scored or reassessed | Daily |
| Based on | Intrinsic technical characteristics | Machine learning on real-world exploit data |
| Measures | Impact and exploitability mechanics | Real-world likelihood of exploitation |
| Best used for | Understanding worst-case impact | Ranking what to patch first |
When to use each
- Use CVSS to understand the potential blast radius: confidentiality, integrity, and availability impact, attack vector, and complexity.
- Use EPSS to rank a large backlog by real-world threat, surfacing the vulnerabilities attackers are most likely to hit.
- Use them together: a high CVSS combined with a high EPSS is a strong signal to act fast, while a high CVSS with a near-zero EPSS may be lower urgency. Neither score knows your environment, so asset exposure, reachability, and compensating controls still have to come from your own inventory.
Why CVSS alone leaves gaps
Most organizations have far more critical and high CVSS findings than they can patch at once. If you sort only by CVSS, you spend effort on severe-but-unexploited flaws while genuinely attacked vulnerabilities wait in the queue.
EPSS reweights that backlog toward what is actually being exploited. The analyses published by the EPSS SIG compare strategies on coverage (the share of vulnerabilities that were exploited that you remediated) and efficiency (the share of what you remediated that was actually exploited). At the same remediation effort, ranking by EPSS scores markedly higher on both than ranking by CVSS severity alone. The two scores are complementary, not competing.
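The combined policy from "When to use each" and the coverage-versus-efficiency comparison from this section, as an added worked example (not code from the original page or from FIRST.org). Every value in it is constructed: the CVE identifiers are placeholders, the CVSS, EPSS and KEV columns are made up, and the `exploited` flag is a hypothetical outcome used only to score a CVSS-only sort against an EPSS-only sort at the same patching budget. The thresholds (EPSS 0.10, CVSS 7.0) and bucket names are policy choices of this example, not values either specification prescribes.

```python
"""Added example: triage a backlog with CVSS severity, EPSS likelihood and KEV.

All data below is constructed for illustration. CVE identifiers are placeholders,
the CVSS/EPSS/KEV columns are made up, and 'exploited' is a hypothetical ground
truth used only to compare two sorting strategies against each other.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float      # CVSS base score, 0.0-10.0 (severity if exploited)
    epss: float      # EPSS probability, 0.0-1.0 (exploitation within 30 days)
    in_kev: bool     # listed in CISA KEV (confirmed exploitation)
    exploited: bool  # hypothetical outcome, for scoring strategies only


# Constructed backlog: a mix of severe-but-quiet and moderate-but-active flaws.
BACKLOG = [
    Finding("CVE-0000-0001", 9.8, 0.010, False, False),
    Finding("CVE-0000-0002", 9.8, 0.950, True, True),
    Finding("CVE-0000-0003", 6.5, 0.800, False, True),
    Finding("CVE-0000-0004", 9.1, 0.005, False, False),
    Finding("CVE-0000-0005", 7.5, 0.400, False, True),
    Finding("CVE-0000-0006", 5.3, 0.020, False, False),
    Finding("CVE-0000-0007", 8.8, 0.003, False, False),
    Finding("CVE-0000-0008", 4.3, 0.600, False, True),
    Finding("CVE-0000-0009", 10.0, 0.001, False, False),
    Finding("CVE-0000-0010", 7.2, 0.050, False, False),
    Finding("CVE-0000-0011", 7.2, 0.550, False, False),
]

# Urgency buckets, most urgent first. The thresholds below are policy choices
# for this example, not values the CVSS or EPSS specifications prescribe.
BUCKETS = ("act now", "next cycle", "routine", "monitor")


def urgency(f: Finding, epss_threshold: float = 0.10,
            cvss_threshold: float = 7.0) -> str:
    """Combine confirmed exploitation, predicted likelihood and severity."""
    high_severity = f.cvss >= cvss_threshold
    likely = f.epss >= epss_threshold
    if f.in_kev or (high_severity and likely):
        return "act now"        # confirmed, or severe and likely to be hit soon
    if likely:
        return "next cycle"     # moderate impact, but attackers are active
    if high_severity:
        return "routine"        # severe on paper, no sign of exploitation yet
    return "monitor"            # low on both axes; EPSS is recomputed daily


def rank(findings: Iterable[Finding]) -> list[Finding]:
    """Order the backlog: bucket first, then EPSS, then CVSS as a tiebreak."""
    return sorted(findings,
                  key=lambda f: (BUCKETS.index(urgency(f)), -f.epss, -f.cvss))


def coverage_and_efficiency(findings: list[Finding],
                            key: Callable[[Finding], tuple],
                            budget: int) -> tuple[float, float]:
    """Score one sort order against the hypothetical exploitation outcomes.

    coverage   = exploited flaws fixed within budget / all exploited flaws
    efficiency = exploited flaws fixed within budget / flaws fixed
    """
    fixed = sorted(findings, key=key)[:budget]
    caught = sum(f.exploited for f in fixed)
    total_exploited = sum(f.exploited for f in findings)
    return caught / total_exploited, caught / len(fixed)


def compare_strategies(findings: list[Finding], budget: int) -> dict:
    """Same patching effort, two orderings: CVSS-only versus EPSS-only."""
    by_cvss = lambda f: (-f.cvss, -f.epss)
    by_epss = lambda f: (-f.epss, -f.cvss)
    return {
        "cvss_only": coverage_and_efficiency(findings, by_cvss, budget),
        "epss_only": coverage_and_efficiency(findings, by_epss, budget),
    }


if __name__ == "__main__":
    for f in rank(BACKLOG):
        print(f"{f.cve}  CVSS {f.cvss:4.1f}  EPSS {f.epss:.3f}  "
              f"KEV {str(f.in_kev):5}  -> {urgency(f)}")
    for name, (cov, eff) in compare_strategies(BACKLOG, budget=4).items():
        print(f"{name}: coverage {cov:.2f}, efficiency {eff:.2f}")
```

With a budget of four fixes, the CVSS-only order spends three of them on 9.1 to 10.0 flaws that nobody is exploiting and catches one of the four exploited items; the EPSS-only order catches three. The 6.5 and 4.3 findings with high EPSS land in "next cycle" rather than at the bottom of the queue, which is the case a pure severity sort gets wrong.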
Keep exploring
- What is EPSS? - The exploit prediction model in detail.
- What is CVSS? - How vulnerability severity is scored from 0 to 10.
- CVSS calculator - Build and interpret a CVSS vector interactively.
- How to prioritize vulnerabilities - Combine severity, likelihood, and confirmed exploitation.
- EPSS vs KEV - Predicted likelihood versus confirmed exploitation.
Frequently asked questions
- Is EPSS better than CVSS?
- Neither is better; they measure different things. CVSS measures severity and EPSS measures likelihood of exploitation. The strongest prioritization uses both, often alongside the CISA KEV catalog.
- Can a vulnerability have a high CVSS but low EPSS?
- Yes, and it is common. A flaw can be technically critical (high CVSS) yet have no public exploit and little observed activity, giving it a low EPSS probability.
- Should I stop using CVSS if I adopt EPSS?
- No. CVSS still tells you how damaging exploitation would be, which matters for impact and compliance. Combine it with EPSS to balance severity against likelihood.
- Do CVSS and EPSS come from the same organization?
- Both are governed by FIRST.org through special interest groups, but they are separate systems with different inputs, outputs, and update cadences.