Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. A higher score means a greater estimated probability that exploitation activity will be observed in the wild within the next 30 days; the Percentile column places each CVE relative to every other CVE that EPSS scores.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 5001 | CVE-2025-44033 | | 45.5th | 9.8 | | This SQL injection vulnerability in oa_system oasys v1.1 allows remote attackers to execute arbitrar |
| 5002 | CVE-2025-9491 | | 45.5th | 7.8 | | This vulnerability allows attackers to execute arbitrary code on Microsoft Windows systems by tricki |
| 5003 | CVE-2025-59046 | | 45.5th | 9.8 | | CVE-2025-59046 is a command injection vulnerability in the interactive-git-checkout npm package that |
| 5004 | CVE-2025-23948 | | 45.4th | 8.1 | | This vulnerability allows attackers to include local files on the server through improper filename c |
| 5005 | CVE-2024-42911 | | 45.4th | 7.4 | | This vulnerability allows remote attackers to execute arbitrary code on ECOVACS Deebot T20 OMNI and |
| 5006 | CVE-2025-25285 | | 45.4th | 5.3 | | This vulnerability in @octokit/endpoint allows attackers to cause a regular expression denial-of-ser |
| 5007 | CVE-2024-35279 | | 45.5th | 8.1 | | A stack-based buffer overflow vulnerability in Fortinet FortiOS allows remote unauthenticated attack |
| 5008 | CVE-2025-31618 | | 45.4th | 5.3 | | This vulnerability allows attackers to bypass authorization controls in the Jaap Jansma Connector to |
| 5009 | CVE-2025-31386 | | 45.4th | 5.3 | | This CVE describes a Missing Authorization vulnerability in Simple:Press WordPress plugin that allow |
| 5010 | CVE-2025-30855 | | 45.4th | 7.5 | | This vulnerability allows attackers to bypass authorization controls in the Ads by WPQuads WordPress |
| 5011 | CVE-2025-30887 | | 45.4th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the WpEvently WordPress plugin that allo |
| 5012 | CVE-2025-30839 | | 45.4th | 5.3 | | This CVE describes a missing authorization vulnerability in the Taxi Booking Manager for WooCommerce |
| 5013 | CVE-2024-13321 | | 45.3rd | 7.5 | | The AnalyticsWP WordPress plugin contains an SQL injection vulnerability that allows unauthenticated |
| 5014 | CVE-2025-3790 | | 45.4th | 5.3 | | This critical vulnerability in baseweb JSite 1.0's Apache Druid Monitoring Console allows unauthoriz |
| 5015 | CVE-2025-39457 | | 45.4th | 5.3 | | This CVE describes a missing authorization vulnerability in the Booking and Rental Manager WordPress |
| 5016 | CVE-2025-31042 | | 45.4th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Sandwich Adsense WordPress plugin th |
| 5017 | CVE-2024-46671 | | 45.4th | 6.2 | | This vulnerability allows authenticated attackers with read-only admin permissions in FortiWeb to ma |
| 5018 | CVE-2025-32258 | | 45.4th | 5.3 | | This CVE describes a missing authorization vulnerability in the Simple Website Logo WordPress plugin |
| 5019 | CVE-2025-32254 | | 45.4th | 5.3 | | This CVE describes a missing authorization vulnerability in the WPBookit WordPress plugin that allow |
| 5020 | CVE-2025-32252 | | 45.4th | 5.3 | | This CVE describes a missing authorization vulnerability in the WP Genealogy WordPress plugin that a |
| 5021 | CVE-2025-32225 | | 45.4th | 5.3 | | This CVE describes a missing authorization vulnerability in the WP Event Manager WordPress plugin th |
| 5022 | CVE-2025-24317 | | 45.3rd | 5.3 | | This vulnerability allows remote unauthenticated attackers to cause denial-of-service conditions in |
| 5023 | CVE-2025-31848 | | 45.4th | 5.3 | | This CVE describes a missing authorization vulnerability in the WordPress Adverts Plugin that allows |
| 5024 | CVE-2025-31810 | | 45.4th | 5.3 | | This CVE describes a missing authorization vulnerability in the WordPress Question Answer plugin tha |
| 5025 | CVE-2025-31774 | | 45.4th | 5.3 | | This CVE describes a Missing Authorization vulnerability in WebProtect.ai Astra Security Suite WordP |
| 5026 | CVE-2025-31765 | | 45.4th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the GDPR Cookie Notice WordPress plugin |
| 5027 | CVE-2025-4749 | | 45.4th | 7.5 | | A critical vulnerability in D-Link DI-7003GV2 routers allows remote attackers to trigger a denial of |
| 5028 | CVE-2025-53778 | | 45.3rd | 8.8 | | CVE-2025-53778 is an improper authentication vulnerability in Windows NTLM that allows an authentica |
| 5029 | CVE-2020-37214 | | 45.4th | 7.5 | | CVE-2020-37214 is a directory traversal vulnerability in Voyager 1.3.0 that allows attackers to read |
| 5030 | CVE-2025-63624 | | 45.4th | 9.8 | | This SQL injection vulnerability in Shandong Kede Electronics' IoT smart water meter monitoring plat |
| 5031 | CVE-2024-54542 | | 45.2nd | 9.1 | | This CVE describes an authentication bypass vulnerability in Apple's Private Browsing feature across |
| 5032 | CVE-2025-21565 | | 45.3rd | 7.5 | | An unauthenticated remote attacker can exploit this vulnerability in Oracle Agile PLM Framework to a |
| 5033 | CVE-2023-51296 | | 45.3rd | 6.1 | | PHPJabbers Event Booking Calendar v4.0 contains a cross-site scripting vulnerability in multiple par |
| 5034 | CVE-2025-32093 | | 45.3rd | 4.7 | | This vulnerability allows delegated granular administration users with 'Edit Other Users' permission |
| 5035 | CVE-2025-32808 | | 45.3rd | 7.7 | | CVE-2025-32808 is a client-side access control vulnerability in W. W. Norton InQuizitive that allows |
| 5036 | CVE-2024-10894 | | 45.2nd | 6.4 | | The Payment Forms for Paystack WordPress plugin has a stored cross-site scripting vulnerability in s |
| 5037 | CVE-2025-31138 | | 45.3rd | 5.5 | | This vulnerability in tarteaucitron.js allows attackers with direct access to website source code or |
| 5038 | CVE-2025-43736 | | 45.3rd | 4.3 | | This CVE describes a Denial of Service vulnerability in Liferay Portal and DXP where authenticated u |
| 5039 | CVE-2025-53809 | | 45.3rd | 6.5 | | This vulnerability allows an authorized attacker to cause a denial of service in Windows LSASS throu |
| 5040 | CVE-2025-14878 | | 45.3rd | 9.8 | | This vulnerability allows remote attackers to execute arbitrary code on Tenda WH450 routers by explo |
| 5041 | CVE-2026-1324 | | 45.3rd | 8.8 | | This CVE describes a remote command injection vulnerability in Sangfor Operation and Maintenance Man |
| 5042 | CVE-2026-1111 | | 45.3rd | 4.7 | | This CVE describes a path traversal vulnerability in Sanluan PublicCMS that allows attackers to writ |
| 5043 | CVE-2024-54557 | | 45.2nd | 7.5 | | This CVE describes a logic flaw in macOS that allows attackers to bypass file system protections and |
| 5044 | CVE-2025-0734 | | 45.2nd | 4.7 | | This vulnerability in RuoYi up to version 4.8.0 allows remote attackers to execute arbitrary code th |
| 5045 | CVE-2024-43096 | | 45.2nd | 8.8 | | This vulnerability allows remote attackers to execute arbitrary code on Android devices via Bluetoot |
| 5046 | CVE-2025-21499 | | 45.2nd | 4.9 | | This vulnerability in MySQL Server's DDL component allows high-privileged attackers with network acc |
| 5047 | CVE-2024-51111 | | 45.2nd | 4.1 | | This Cross-Site Scripting (XSS) vulnerability in Pnetlab 5.3.11 allows attackers to inject malicious |
| 5048 | CVE-2024-5705 | | 45.2nd | 8.8 | | This vulnerability allows attackers to bypass authorization checks in Hitachi Vantara Pentaho Busine |
| 5049 | CVE-2025-3062 | | 45.2nd | 6.6 | | This vulnerability in the Drupal Admin LTE theme allows improper authentication due to CWE-287 (Impr |
| 5050 | CVE-2021-24008 | | 45.2nd | 5.3 | | This vulnerability allows remote unauthenticated attackers to obtain sensitive software version info |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by FIRST.org that estimates the probability that a CVE will see exploitation activity in the wild within the next 30 days. Where CVSS measures severity (how bad a successful exploit would be), EPSS measures likelihood (how probable exploitation is), which makes it well suited to deciding which vulnerabilities to patch first. Scores are recomputed daily, so a CVE's EPSS value and percentile move over time; the percentile is its rank among all scored CVEs, so the 45th-percentile entries in the table above sit below the median likelihood.
Why EPSS matters: with thousands of CVEs published every month, not all vulnerabilities are equally dangerous. EPSS lets security teams focus on the CVEs most likely to be actively exploited instead of patching by CVSS score alone. A CVSS 9.8 critical with an EPSS of 0.1% may be less urgent than a CVSS 7.5 high with an EPSS of 90%. EPSS is a signal, not a verdict: it says nothing about whether the affected asset is actually reachable, and a CVE that is already listed in CISA's Known Exploited Vulnerabilities (KEV) catalog belongs at the front of the queue regardless of its score.
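The prioritisation rule above, as a worked script. This is an added example, not code from this page or from FIRST. It parses a response in the JSON layout of the public FIRST EPSS API (https://api.first.org/data/v1/epss?cve=CVE-...), which is an assumption about that API; the sample body, the scanner findings and the CVE-0000-000N identifiers are constructed placeholders, and the tier thresholds are this example's own policy, not something EPSS defines. It also goes one step past the text by handling a CVE that EPSS has not scored yet and one that is in KEV despite a medium CVSS.

```python
"""Prioritise scanner findings by EPSS rather than CVSS alone.

Added example: not code from this page or from FIRST. The parser assumes the
JSON layout of the public FIRST EPSS API
(https://api.first.org/data/v1/epss?cve=CVE-...); the sample body and the
CVE-0000-000N identifiers are constructed placeholders.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample body in the (assumed) EPSS API layout: numbers arrive as strings.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-0000-0001", "epss": "0.00100", "percentile": "0.41000", "date": "2025-01-01"},
        {"cve": "CVE-0000-0002", "epss": "0.90000", "percentile": "0.99500", "date": "2025-01-01"},
        {"cve": "CVE-0000-0003", "epss": "0.00450", "percentile": "0.72000", "date": "2025-01-01"},
    ],
})

# Constructed scanner findings: (cve, CVSS base score, listed in CISA KEV?).
SAMPLE_FINDINGS: List[Tuple[str, float, bool]] = [
    ("CVE-0000-0001", 9.8, False),  # critical CVSS, 0.1% EPSS: the page's first example
    ("CVE-0000-0002", 7.5, False),  # high CVSS, 90% EPSS: the page's second example
    ("CVE-0000-0003", 5.3, True),   # medium CVSS but in KEV: exploitation already confirmed
    ("CVE-0000-0004", 8.8, False),  # not scored by EPSS yet (e.g. published today)
]


def parse_epss_response(text: str) -> Dict[str, Tuple[float, float]]:
    """Map cve -> (epss probability, percentile) from an EPSS API JSON body."""
    body = json.loads(text)
    if body.get("status") != "OK":
        raise ValueError(f"EPSS API returned status {body.get('status')!r}")
    return {row["cve"]: (float(row["epss"]), float(row["percentile"])) for row in body["data"]}


@dataclass(frozen=True)
class Prioritised:
    cve: str
    cvss: float
    epss: Optional[float]
    percentile: Optional[float]
    kev: bool
    tier: str


def tier_for(cvss: float, epss: Optional[float], kev: bool) -> str:
    """Tier assignment. The thresholds are this example's policy, not part of EPSS."""
    if kev:
        return "P0-known-exploited"
    if epss is None:
        # Not yet scored: fall back to severity until the model catches up.
        return "P2-unscored" if cvss >= 7.0 else "P3-unscored"
    if epss >= 0.10:
        return "P1-likely-exploited"
    if epss >= 0.01 and cvss >= 7.0:
        return "P2-watch"
    return "P3-routine"


def prioritise(findings, epss_by_cve) -> List[Prioritised]:
    """KEV entries first, then EPSS descending, CVSS as tie-breaker; unscored CVEs last."""
    rows = []
    for cve, cvss, kev in findings:
        epss, pct = epss_by_cve.get(cve, (None, None))
        rows.append(Prioritised(cve, cvss, epss, pct, kev, tier_for(cvss, epss, kev)))
    return sorted(rows, key=lambda r: (not r.kev, r.epss is None, -(r.epss or 0.0), -r.cvss))


def by_cvss_only(findings) -> List[str]:
    """The ordering the page argues against: highest CVSS first."""
    return [cve for cve, _, _ in sorted(findings, key=lambda f: -f[1])]


def epss_percentile(score: float, all_scores) -> float:
    """Fraction of scored CVEs whose EPSS is at or below `score`, which is how FIRST
    defines the percentile shown in the table's Percentile column."""
    return sum(1 for s in all_scores if s <= score) / len(all_scores)


if __name__ == "__main__":
    epss = parse_epss_response(SAMPLE_EPSS_RESPONSE)
    print("CVSS-only order:", by_cvss_only(SAMPLE_FINDINGS))
    for r in prioritise(SAMPLE_FINDINGS, epss):
        print(f"{r.tier:20} {r.cve}  cvss={r.cvss}  epss={r.epss}  pct={r.percentile}")
```

With the constructed input, CVSS-only ordering puts the 9.8 first and the KEV entry last; the EPSS-aware ordering reverses that, putting the KEV entry first, the 90%-EPSS CVE second and the unscored CVE at the end where it can be re-evaluated once EPSS publishes a score for it.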