Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 4951 | CVE-2024-13953 | | 19.9th | 4.9 | | This vulnerability exposes sensitive device logger information in ABB ASPECT systems when administra |
| 4952 | CVE-2025-2506 | | 19.8th | 5.3 | | This vulnerability allows users with only CONNECT permissions to a database configured for replicati |
| 4953 | CVE-2025-39493 | | 19.7th | 4.3 | | This CVE describes a missing authorization vulnerability in ValvePress Rankie WordPress plugin that |
| 4954 | CVE-2025-4743 | | 19.9th | 6.3 | | A critical SQL injection vulnerability exists in code-projects Employee Record System 1.0, specifica |
| 4955 | CVE-2025-4459 | | 19.9th | 6.3 | | CVE-2025-4459 is a critical SQL injection vulnerability in Patient Record Management System 1.0 that |
| 4956 | CVE-2025-3862 | | 19.7th | 6.4 | | The Contest Gallery WordPress plugin has a stored cross-site scripting (XSS) vulnerability in all ve |
| 4957 | CVE-2025-4247 | | 19.9th | 6.3 | | This critical SQL injection vulnerability in SourceCodester Simple To-Do List System 1.0 allows atta |
| 4958 | CVE-2025-4244 | | 19.9th | 6.3 | | This critical SQL injection vulnerability in code-projects Online Bus Reservation System 1.0 allows |
| 4959 | CVE-2025-3707 | | 19.7th | 6.5 | | The eHDR CTMS from Sunnet contains a SQL injection vulnerability that allows authenticated users wit |
| 4960 | CVE-2025-4156 | | 19.9th | 6.3 | | This critical SQL injection vulnerability in PHPGurukul Boat Booking System 1.0 allows remote attack |
| 4961 | CVE-2025-6667 | | 19.9th | 6.3 | | This critical vulnerability in code-projects Car Rental System 1.0 allows remote attackers to upload |
| 4962 | CVE-2025-6264 | | 19.7th | 5.5 | | This vulnerability in Velociraptor allows users with COLLECT_CLIENT permissions (typically Investiga |
| 4963 | CVE-2025-54134 | | 19.9th | 6.5 | | HAX CMS NodeJS versions 11.0.8 and below crash when authenticated attackers send API requests missin |
| 4964 | CVE-2025-50094 | | 19.7th | 4.9 | | This vulnerability in Oracle MySQL Server allows high-privileged attackers with network access to ca |
| 4965 | CVE-2025-48802 | | 19.7th | 6.5 | | This vulnerability allows an authorized attacker to spoof their identity on Windows SMB networks by |
| 4966 | CVE-2025-7151 | | 19.9th | 6.3 | | This critical vulnerability in Campcodes Advanced Online Voting System 1.0 allows remote attackers t |
| 4967 | CVE-2025-53489 | | 19.7th | 5.6 | | This CVE describes a cross-site scripting (XSS) vulnerability in the Mediawiki GoogleDocs4MW extensi |
| 4968 | CVE-2025-53490 | | 19.7th | 5.6 | | This CVE describes a cross-site scripting (XSS) vulnerability in the MediaWiki CampaignEvents extens |
| 4969 | CVE-2025-9362 | | 19.7th | 6.3 | | A stack-based buffer overflow vulnerability in Linksys RE series range extenders allows remote attac |
| 4970 | CVE-2025-9296 | | 19.9th | 4.7 | | Emlog Pro up to version 2.5.18 contains an unrestricted file upload vulnerability in the avatar upda |
| 4971 | CVE-2025-53196 | | 19.7th | 6.5 | | This vulnerability in Crocoblock JetEngine WordPress plugin allows attackers to retrieve embedded se |
| 4972 | CVE-2025-34233 | | 19.7th | 6.8 | | This vulnerability allows admin-level attackers in Vasion Print (formerly PrinterLogic) to exploit i |
| 4973 | CVE-2025-9903 | | 19.9th | 5.9 | | This CVE describes an out-of-bounds write vulnerability in multiple Canon printer drivers that could |
| 4974 | CVE-2025-11119 | | 19.9th | 4.3 | | A cross-site scripting (XSS) vulnerability exists in itsourcecode Hostel Management System 1.0, spec |
| 4975 | CVE-2025-60163 | | 19.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the bbp topic count WordPress plugin allo |
| 4976 | CVE-2025-60162 | | 19.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Job Board Manager WordPress plugin al |
| 4977 | CVE-2025-60147 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the HT Feed WordPress plugin allows attacker |
| 4978 | CVE-2025-60142 | | 19.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Simple Meta Tags WordPress plugin all |
| 4979 | CVE-2025-60138 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the SKT Blocks WordPress plugin allows attac |
| 4980 | CVE-2025-60124 | | 19.8th | 6.5 | | This stored XSS vulnerability in the Simple Colorbox WordPress plugin allows attackers to inject mal |
| 4981 | CVE-2025-60105 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Ditty WordPress plugin allows attackers |
| 4982 | CVE-2025-60102 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WPFront User Role Editor WordPress plugi |
| 4983 | CVE-2025-60099 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Embed Any Document plugin allo |
| 4984 | CVE-2025-60040 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the wp-mpdf WordPress plugin allows attacker |
| 4985 | CVE-2025-58917 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Quantities and Units for WooCommerce Wor |
| 4986 | CVE-2025-27006 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Authorsy WordPress plugin allows attacke |
| 4987 | CVE-2025-10993 | | 19.7th | 4.7 | | This vulnerability allows remote attackers to execute arbitrary code through template management fun |
| 4988 | CVE-2025-10988 | | 19.9th | 6.3 | | This vulnerability allows unauthorized access to the business transfer functionality in YunaiV ruoyi |
| 4989 | CVE-2025-10987 | | 19.9th | 6.3 | | This vulnerability allows remote attackers to bypass authorization controls in YunaiV yudao-cloud by |
| 4990 | CVE-2025-58915 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the YouTube Showcase WordPress plugin allows |
| 4991 | CVE-2025-57205 | | 20th | 5.4 | | A stored cross-site scripting (XSS) vulnerability in iNiLabs School Express 6.2 allows authenticated |
| 4992 | CVE-2025-57204 | | 20th | 5.4 | | Stocky POS with Inventory Management & HRM (ui-lib) version 5.0 has a stored XSS vulnerability in th |
| 4993 | CVE-2025-59592 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Make Column Clickable Elementor WordPres |
| 4994 | CVE-2025-59587 | | 19.8th | 6.5 | | This DOM-based cross-site scripting vulnerability in the Penci Shortcodes & Performance WordPress pl |
| 4995 | CVE-2025-59586 | | 19.8th | 6.5 | | This DOM-based cross-site scripting (XSS) vulnerability in the Penci Portfolio WordPress plugin allo |
| 4996 | CVE-2025-59585 | | 19.8th | 6.5 | | This DOM-based cross-site scripting vulnerability in the Penci Recipe WordPress plugin allows attack |
| 4997 | CVE-2025-59584 | | 19.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Penci Podcast WordPress plugin allows |
| 4998 | CVE-2025-59583 | | 19.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Penci Filter Everything WordPress plu |
| 4999 | CVE-2025-59574 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in WP Travel Engine WordPress plugin allows att |
| 5000 | CVE-2025-59569 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in CubeWP WordPress plugin allows attackers to |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to prioritizing which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.