How We Assess CVE Risk

wtfisthiscve goes beyond basic CVSS scores to help you understand the real-world risk of each vulnerability. We check multiple sources to answer two critical questions:

Can attackers exploit this? (Weaponization status)
Can defenders detect this? (Detection coverage)

Detection Sources

We check whether a CVE can be detected by major open-source security tools:

OSV.dev (Open Source Vulnerabilities)

What it is: Google's aggregated vulnerability database for open-source packages
Coverage: npm, PyPI, Maven, Go, Rust, and other package ecosystems
Why it matters: If a CVE is in OSV, tools like Trivy, Grype, and OSV-Scanner can find it in your dependencies
Link: osv.dev

Nuclei Templates

What it is: Community-driven vulnerability scanner with 8,000+ detection templates
Coverage: Web application vulnerabilities, misconfigurations, exposed panels
Why it matters: Nuclei is widely used for security assessments and bug bounty hunting
Link: github.com/projectdiscovery/nuclei-templates

Sigma Rules

What it is: Generic signature format for SIEM systems
Coverage: Log-based detection for Windows, Linux, cloud, and application events
Why it matters: Sigma rules can be converted to Splunk, Elastic, Microsoft Sentinel, and other SIEM platforms
Link: github.com/SigmaHQ/sigma

Snort/Suricata Rules

What it is: Network intrusion detection system (IDS) rules
Coverage: Network traffic analysis, exploit detection, malicious payloads
Why it matters: Deployed at network perimeters to detect attacks in transit
Sources: Emerging Threats Open, c3rb3ru5d3d53c/signatures

YARA Rules

What it is: Pattern matching rules for identifying malware and files
Coverage: File-based detection, memory scanning, malware classification
Why it matters: Used by antivirus tools, EDR solutions, and incident responders
Link: github.com/Yara-Rules/rules

Semgrep Rules

What it is: Static analysis tool for finding bugs and security issues in code
Coverage: Source code patterns, vulnerable dependencies, insecure configurations
Why it matters: Catches vulnerabilities during development before deployment
Link: semgrep.dev/explore

Exploit Sources

We track whether working exploit code exists in the wild:

Metasploit Framework

What it is: The most widely-used penetration testing framework
Why it matters: A Metasploit module means point-and-click exploitation is possible
Link: github.com/rapid7/metasploit-framework

ExploitDB

What it is: Archive of public exploits and vulnerable software
Why it matters: Curated database with working proof-of-concept code
Link: exploit-db.com

GitHub PoCs

What it is: Proof-of-concept exploits published on GitHub
Why it matters: Researchers often publish PoCs within days of disclosure
Source: We use the Trickest CVE database and GitHub search

CISA KEV (Known Exploited Vulnerabilities)

What it is: US government catalog of vulnerabilities actively exploited in the wild
Why it matters: If it's in KEV, attackers are using it right now
Link: cisa.gov/known-exploited-vulnerabilities-catalog

Risk Levels Explained

Based on detection and weaponization status, we assign a risk level:

Risk Level	Meaning	Action
CRITICAL GAP	Exploits exist but NO detection available	Highest priority - you're blind to active attacks
HIGH	Exploits exist AND detection available	Urgent - ensure your detection tools are deployed
MEDIUM	Detection available but no known exploits	Important - detection gives you early warning
LOW	No known exploits or detection	Monitor - theoretical risk only

What is a "Critical Gap"?

A Critical Gap is the most dangerous category: attackers have working exploit code, but defenders have no way to detect attacks using standard open-source tools.

These CVEs represent a pre-outbreak window - the opportunity to build detection BEFORE mass exploitation begins. We highlight these specifically because:

Security teams need to know their blind spots
Tool maintainers can prioritize writing detection rules
Organizations can implement compensating controls

Note: Critical Gap status only applies to HIGH and CRITICAL severity CVEs (CVSS 7.0+). Lower severity vulnerabilities with exploits but no detection are classified as HIGH risk.

EPSS Scores

In addition to detection/exploit status, we show EPSS (Exploit Prediction Scoring System) scores where available.

What it is: Machine learning model predicting exploitation probability in the next 30 days
Range: 0% to 100%
Source: FIRST.org EPSS

EPSS complements CVSS by answering "how likely?" rather than "how bad?". A CVSS 7.0 with 90% EPSS is more urgent than a CVSS 9.0 with 0.1% EPSS.

Data Freshness

CVE metadata: Synced from NVD every 5 minutes
Exploit intelligence: Cached based on risk level:
Critical Gap CVEs: Rechecked every 24 hours (detection rules may be added)
All other CVEs: Cached permanently (detection/exploits don't get removed)
EPSS scores: Fetched from FIRST.org API in real-time

Limitations

Our detection coverage checks are not exhaustive:

We check major open-source tools, not commercial products
A "no detection" result doesn't mean detection is impossible - just that we couldn't find it in our sources
Exploit availability doesn't mean your specific environment is vulnerable
Always verify findings with your security team

Questions or Feedback?

If you know of detection rules or exploits we're missing, please open an issue on GitHub.