Paste any CVE. Get the latest EPSS probability and percentile, plus a CISA KEV cross-check — updated daily from FIRST.org. No account, no sign-in.
Description
Use-after-free vulnerability in the CMshtmlEd::Exec function in mshtml.dll in Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in September 2012.
Reference
What is an EPSS score?
EPSS, the Exploit Prediction Scoring System, is a daily-updated probability that a CVE will be exploited in the wild within the next 30 days. Maintained by FIRST.org, it is the de facto companion to CVSS for prioritizing vulnerability remediation in 2026.
Two numbers come back per CVE:
- Probability — a value between 0 and 1. EPSS 0.95 means a 95% modeled chance the vulnerability will see exploit activity in the next 30 days.
- Percentile — where this CVE ranks against every other CVE in the EPSS dataset. A percentile of 0.99 means this CVE's EPSS probability is higher than that of 99% of all scored CVEs.
CVSS tells you how bad a vulnerability could be in theory. EPSS tells you how likely it is to bite you in the next month.
Comparison
EPSS vs CVSS — which should I use?
Both. CVSS measures impact assuming an exploit exists. EPSS measures how likely an exploit is to be deployed.
| Scenario | CVSS | EPSS | Verdict |
|---|---|---|---|
| Dangerous on paper, unlikely in practice | 9.8 | 0.001 | Patch on schedule |
| Less severe but actively exploited | 6.5 | 0.95 | Patch tonight |
| Meaningful threat, contextual urgency | 7.5 | 0.20 | Use environment data |
If you are still patching by CVSS alone in 2026, you are patching the wrong things first.
API
Want this in your SOAR or SIEM?
SARA Open ships an OpenAI-compatible API. Call POST /api/v1/analyze — SARA returns EPSS, CVSS, KEV status, and an analyst-grade written summary in one call.
curl -X POST https://sara-open.sirp.io/api/v1/analyze \
-H "Authorization: Bearer $SARA_API_KEY" \
-H "Content-Type: application/json" \
-d '{"type": "cve", "value": "CVE-2021-44228"}'
Read the API reference →
FAQ
Frequently asked questions
What is a good EPSS score?
Anything at or above 0.5 means a vulnerability is more likely than not to be exploited in the next 30 days. Most enterprises treat 0.7 and above as a patch-immediately signal. Below 0.1, EPSS treats the vulnerability as low-likelihood — that is not the same as low-severity.
How often is EPSS updated?
Daily, by FIRST.org. This tool always pulls the most recent value with no caching.
Is EPSS free?
Yes. The EPSS dataset and API are free under FIRST.org's terms.
Can I bulk-lookup CVEs with EPSS?
This page handles single CVEs. Bulk lookups are available via the SARA API; Pro and Team plans support up to 200 and 500 requests per hour respectively.
Does EPSS replace CVSS?
No. EPSS measures likelihood. CVSS measures impact. Use both, plus the CISA KEV catalog as a binary signal of confirmed in-the-wild exploitation.
Is EPSS the same as the CISA KEV catalog?
No. EPSS is a probability model. KEV is a binary, evidence-based list of CVEs CISA has confirmed are being exploited. Use both — EPSS for forecasting, KEV for confirmed exploitation.
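The triage logic described on this page (the CVSS/EPSS comparison table, the 0.1 / 0.5 / 0.7 thresholds from the FAQ, and the KEV cross-check) can be written down as a small function. The following is an added example, not code from this tool or from FIRST.org. It assumes the EPSS lookup returns a JSON document with a "data" list whose rows carry "cve", "epss" and "percentile" as decimal strings (check the FIRST.org API documentation before relying on that shape); the CVSS scores, the EPSS values and the KEV membership below are constructed sample data, and treating a KEV entry as "Patch tonight" is this example's interpretation of the page's "binary signal of confirmed exploitation".

```python
import json
from dataclasses import dataclass

# Constructed sample of an EPSS lookup response. Field names follow the
# FIRST.org EPSS API as assumed above; the numeric values are made up for
# this example (CVE-0000-000x are placeholders, not real CVE IDs).
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-2021-44228", "epss": "0.97500", "percentile": "0.99900", "date": "2026-01-15"},
        {"cve": "CVE-0000-0001", "epss": "0.00100", "percentile": "0.25000", "date": "2026-01-15"},
        {"cve": "CVE-0000-0002", "epss": "0.20000", "percentile": "0.95000", "date": "2026-01-15"},
        {"cve": "CVE-0000-0003", "epss": "0.95000", "percentile": "0.99500", "date": "2026-01-15"},
    ],
})

# Constructed CVSS base scores and a constructed KEV membership set,
# mirroring the three scenarios in the comparison table above.
CVSS_BASE = {
    "CVE-2021-44228": 10.0,
    "CVE-0000-0001": 9.8,   # dangerous on paper, EPSS says unlikely
    "CVE-0000-0002": 7.5,   # meaningful threat, contextual urgency
    "CVE-0000-0003": 6.5,   # less severe but actively exploited
}
KEV_CATALOG = {"CVE-2021-44228"}

# Thresholds taken from the FAQ: >= 0.7 patch immediately, < 0.1 low-likelihood.
PATCH_NOW = 0.7
LOW_LIKELIHOOD = 0.1


@dataclass
class Triage:
    cve: str
    cvss: float
    epss: float
    percentile: float
    in_kev: bool
    verdict: str


def parse_epss(raw: str) -> dict:
    """Map CVE id -> (probability, percentile) from the assumed response shape."""
    doc = json.loads(raw)
    return {row["cve"]: (float(row["epss"]), float(row["percentile"])) for row in doc["data"]}


def verdict(epss: float, in_kev: bool) -> str:
    """Apply the page's rules: KEV or high EPSS wins regardless of CVSS;
    very low EPSS goes on the normal patch cycle; the middle band needs
    environment context (exposure, compensating controls, asset value)."""
    if in_kev or epss >= PATCH_NOW:
        return "Patch tonight"
    if epss < LOW_LIKELIHOOD:
        return "Patch on schedule"
    return "Use environment data"


def percentile_of(epss_value: float, all_scores: list) -> float:
    """Illustrates the percentile definition: the fraction of scored CVEs whose
    EPSS probability is at or below this one (computed over a sample set here)."""
    return sum(1 for s in all_scores if s <= epss_value) / len(all_scores)


def triage(raw_epss: str, cvss_base: dict, kev: set) -> list:
    """Build a prioritized worklist: urgency bucket first, then EPSS, then CVSS
    as the tiebreak inside a bucket (impact only matters once likelihood is equal)."""
    rows = []
    for cve, (epss, pct) in parse_epss(raw_epss).items():
        in_kev = cve in kev
        rows.append(Triage(cve, cvss_base.get(cve, 0.0), epss, pct, in_kev, verdict(epss, in_kev)))
    order = {"Patch tonight": 0, "Use environment data": 1, "Patch on schedule": 2}
    rows.sort(key=lambda r: (order[r.verdict], -r.epss, -r.cvss))
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_EPSS_RESPONSE, CVSS_BASE, KEV_CATALOG):
        flag = "KEV" if r.in_kev else "   "
        print(f"{r.cve:16} CVSS {r.cvss:4.1f}  EPSS {r.epss:.3f}  pct {r.percentile:.3f}  {flag}  {r.verdict}")
```

Run as-is and the worklist comes out with the KEV-listed entry and the EPSS 0.95 finding at the top, the CVSS 9.8 / EPSS 0.001 finding at the bottom, which is the ordering the comparison table argues for. Note that `verdict` never looks at CVSS: impact is only used to order findings that already share a likelihood bucket.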