Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:

  EPSS > 50%:       164
  CISA KEV Listed:  156
  CVEs with EPSS:   35,468
  Avg EPSS Score:   0.7%
Rank  CVE ID          EPSS   Percentile  CVSS  Flags  Summary
5451  CVE-2025-23864  0.21%  42.9th      6.5          This stored cross-site scripting (XSS) vulnerability in the WCS QR Code Generator WordPress plugin a
5452  CVE-2025-23833  0.21%  42.9th      6.5          This DOM-based Cross-Site Scripting (XSS) vulnerability in the WordPress Links/Problem Reporter plug
5453  CVE-2025-23816  0.21%  42.9th      6.5          This stored cross-site scripting (XSS) vulnerability in the Metaphor Widgets WordPress plugin allows
5454  CVE-2025-23807  0.21%  42.9th      6.5          This stored cross-site scripting (XSS) vulnerability in the Spiderpowa Embed PDF WordPress plugin al
5455  CVE-2025-23802  0.21%  42.9th      6.5          This stored cross-site scripting (XSS) vulnerability in WP-Revive Adserver allows attackers to injec
5456  CVE-2025-23796  0.21%  42.9th      6.5          This stored cross-site scripting (XSS) vulnerability in the Easy Portfolio WordPress plugin allows a
5457  CVE-2025-23794  0.21%  42.9th      6.5          This stored XSS vulnerability in the wp_amaps WordPress plugin allows attackers to inject malicious
5458  CVE-2025-23777  0.21%  42.9th      6.5          This stored cross-site scripting (XSS) vulnerability in the GDPR Personal Data Reports WordPress plu
5459  CVE-2024-57623  0.21%  43rd        7.5          This vulnerability in MonetDB Server's HEAP_malloc component allows attackers to cause Denial of Ser
5460  CVE-2024-57618  0.21%  43rd        7.5          A vulnerability in MonetDB Server's bind_col_exp component allows attackers to execute crafted SQL s
5461  CVE-2024-45033  0.21%  42.9th      8.1          This vulnerability allows users to maintain active sessions even after their passwords have been cha
5462  CVE-2025-22384  0.21%  42.9th      7.5          This vulnerability allows attackers to purchase discontinued products by manipulating requests befor
5463  CVE-2025-1244   0.21%  42.9th      8.8          A command injection vulnerability in Emacs allows remote attackers to execute arbitrary shell comman
5464  CVE-2025-30203  0.21%  42.9th      4.8          This CVE describes a cross-site scripting (XSS) vulnerability in Tuleap's RSS widget functionality.
5465  CVE-2025-29218  0.21%  42.9th      6.5          Tenda W18E v2.0 router firmware version 16.01.0.11 contains a stack overflow vulnerability in the wi
5466  CVE-2025-2136   0.21%  42.9th      8.8          A use-after-free vulnerability in Chrome's Inspector component allows remote attackers to potentiall
5467  CVE-2025-32550  0.21%  42.8th      7.2          This SQL injection vulnerability in the ClickandPledge Connect WordPress plugin allows attackers to
5468  CVE-2025-30013  0.21%  42.8th      6.7          SAP ERP BW Business Content contains function modules vulnerable to OS command injection, allowing a
5469  CVE-2024-58132  0.21%  42.9th      4.0          A race condition vulnerability in chainmaker-go (ChainMaker) allows concurrent read/write operations
5470  CVE-2025-58157  0.21%  42.9th      7.5          A denial of service vulnerability exists in gnark versions 0.12.0 where the fake-GLV algorithm for s
5471  CVE-2025-9026   0.21%  42.9th      7.3          This CVE describes a remote command injection vulnerability in D-Link DIR-860L routers via the Simpl
5472  CVE-2025-61581  0.21%  42.9th      7.5          This CVE describes an Inefficient Regular Expression Complexity (ReDoS) vulnerability in Apache Traf
5473  CVE-2025-13692  0.21%  42.9th      7.2          The Unlimited Elements For Elementor WordPress plugin allows unauthenticated attackers to upload mal
5474  CVE-2025-12135  0.21%  42.9th      7.2          The WPBookit WordPress plugin up to version 1.0.6 has a stored cross-site scripting vulnerability in
5475  CVE-2025-64714  0.21%  42.9th      5.8          CVE-2025-64714 is a Local File Inclusion vulnerability in PrivateBin's template-switching feature th
5476  CVE-2025-66923  0.21%  42.8th      7.2          This Cross-site scripting (XSS) vulnerability in Open Source Point of Sale v3.4.1 allows remote atta
5477  CVE-2025-66921  0.21%  42.8th      7.2          This Cross-site scripting (XSS) vulnerability in Open Source Point of Sale v3.4.1 allows remote atta
5478  CVE-2025-67725  0.21%  42.9th      7.5          A denial-of-service vulnerability in Tornado web framework allows a single malicious HTTP request to
5479  CVE-2025-11727  0.21%  42.9th      7.2          This stored XSS vulnerability in the Omnichannel for WooCommerce plugin allows unauthenticated attac
5480  CVE-2024-57086  0.21%  42.8th      7.5          This CVE describes a prototype pollution vulnerability in the fieldsToJson function of node-opcua-al
5481  CVE-2024-57084  0.21%  42.8th      7.5          This CVE describes a prototype pollution vulnerability in dot-properties v1.0.1's lib.parse function
5482  CVE-2024-57071  0.21%  42.8th      7.5          A prototype pollution vulnerability in php-parser's lib.combine function allows attackers to manipul
5483  CVE-2024-57069  0.21%  42.8th      7.5          This vulnerability is a prototype pollution flaw in expand-object v0.4.2 that allows attackers to in
5484  CVE-2024-57063  0.21%  42.8th      7.5          This vulnerability is a prototype pollution flaw in php-date-formatter v1.3.6 that allows attackers
5485  CVE-2025-30218  0.21%  42.5th      5.9          This Next.js vulnerability allows the x-middleware-subrequest-id header to be unintentionally leaked
5486  CVE-2025-45997  0.21%  42.7th      8.6          This vulnerability allows attackers to upload malicious PHP files disguised as images to the Web-bas
5487  CVE-2025-47244  0.21%  42.7th      7.3          This vulnerability in Inedo ProGet allows remote attackers to access restricted functionality throug
5488  CVE-2024-58135  0.21%  42.8th      5.3          Mojolicious applications created with 'mojo generate app' from version 7.28 use weak HMAC session co
5489  CVE-2025-7692   0.21%  42.8th      8.1          The Orion Login with SMS WordPress plugin has an authentication bypass vulnerability that allows una
5490  CVE-2025-5060   0.21%  42.8th      8.1          The Bravis User plugin for WordPress has an authentication bypass vulnerability that allows unauthen
5491  CVE-2025-8802   0.21%  42.7th      5.3          A denial-of-service vulnerability in Open5GS SMF component allows remote attackers to crash the serv
5492  CVE-2024-41177  0.21%  42.7th      6.1          Apache Zeppelin versions before 0.12.0 have an incomplete blacklist that fails to properly sanitize
5493  CVE-2025-58133  0.21%  42.8th      5.3          An authentication bypass vulnerability in Zoom Rooms Clients allows unauthenticated attackers to acc
5494  CVE-2025-52867  0.21%  42.7th      6.5          An uncontrolled resource consumption vulnerability in Qsync Central allows authenticated remote atta
5495  CVE-2025-44012  0.21%  42.7th      6.5          A resource exhaustion vulnerability in Qsync Central allows authenticated attackers to consume syste
5496  CVE-2025-44006  0.21%  42.7th      6.5          This vulnerability in Qsync Central allows authenticated remote attackers to perform resource exhaus
5497  CVE-2025-33040  0.21%  42.7th      6.5          This vulnerability in Qsync Central allows authenticated remote attackers to allocate resources with
5498  CVE-2025-33039  0.21%  42.7th      6.5          This vulnerability in Qsync Central allows authenticated remote attackers to exhaust system resource
5499  CVE-2022-50694  0.21%  42.8th      9.8          This SQL injection vulnerability in SOUND4 IMPACT/FIRST/PULSE/Eco systems allows attackers to bypass
5500  CVE-2023-53960  0.21%  42.8th      9.8          This SQL injection vulnerability in SOUND4 IMPACT/FIRST/PULSE/Eco version 2.x allows attackers to by

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published every month, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with a 0.1% EPSS score may be less urgent than a high CVSS 7.5 vulnerability with a 90% EPSS score.
