Top 10 CVEs by year

Data-derived annual top-10 lists across six dimensions: most severe by CVSS, actively exploited (CISA KEV), highest EPSS, most PoC-covered, plus top vendors and top CWE classes for each year.

What each list captures

Each annual archive renders six independent top-10 lists. Every list is derived from the ingested CVE corpus — no editorial scoring, no hand-picking.

  • Most severe — ordered by CVSS v3 base score, descending. Ties broken by KEV status, then EPSS score, then publish date.
  • Most exploited — CVEs added to the CISA Known Exploited Vulnerabilities catalog within the year, newest entry first. Empty for pre-2021 years (the KEV catalog reached general availability in late 2021).
  • Highest EPSS — CVEs published in the year with the highest FIRST.org Exploit Prediction Scoring System scores.
  • Most PoC-covered — CVEs published in the year ranked by the count of indexed public proof-of-concept repositories.
  • Top vendors — vendors ranked by distinct CVE count for the year.
  • Top CWE classes — CWE IDs ranked by the count of CVEs published in the year that carry them.

Coverage floor: 2021. Older years are intentionally omitted: the KEV and EPSS signals had not yet reached general availability before then, and the resulting lists would carry too many empty columns to be meaningful.

Per-year archives