Top 10 CVEs by year
Data-derived annual top-10 lists across six dimensions: most severe by CVSS, actively exploited (CISA KEV), highest EPSS, most PoC-covered, plus top vendors and top CWE classes for each year.
What each list captures
Each annual archive renders six independent top-10 lists. Every list is derived from the ingested CVE corpus — no editorial scoring, no hand-picking.
- Most severe — ordered by CVSS v3 base score, descending. Ties broken by KEV status, then EPSS score, then publish date.
- Most exploited — CVEs added to the CISA Known Exploited Vulnerabilities catalog within the year, newest entry first. Empty for pre-2021 years (the KEV catalog reached general availability in late 2021).
- Highest EPSS — CVEs published in the year with the highest FIRST.org Exploit Prediction Scoring System scores.
- Most PoC-covered — CVEs published in the year ranked by the count of indexed public proof-of-concept repositories.
- Top vendors — vendors ranked by distinct CVE count for the year.
- Top CWE classes — CWE IDs ranked by the count of CVEs published in the year that carry them.
Coverage floor: 2021. Older years are intentionally omitted: the KEV and EPSS signals were not yet generally available before then, and the resulting lists would carry too many empty columns to be meaningful.