Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

164

EPSS > 50%

156

CISA KEV Listed

35,468

CVEs with EPSS

0.7%

Avg EPSS Score

All Critical High Medium Low

Rank	CVE ID	EPSS Score	Percentile	CVSS	Summary
5451	CVE-2025-0194	0.06%	18.4th	6.5	This vulnerability in GitLab CE/EE could expose access tokens in application logs under specific API
5452	CVE-2025-0513	0.06%	18.3th	5.4	CVE-2025-0513 is a cross-site scripting (XSS) vulnerability in Octopus Server where unsafe handling
5453	CVE-2025-20898	0.06%	18.3th	4.6	This vulnerability in Samsung Members app allows physical attackers to bypass user profile isolation
5454	CVE-2025-21870	0.06%	18.2th	5.5	A NULL pointer dereference vulnerability in the Linux kernel's Sound Open Firmware (SOF) subsystem c
5455	CVE-2025-0183	0.06%	18.4th	5.4	A stored XSS vulnerability in binary-husky/gpt_academic's Latex Proof-Reading Module allows attacker
5456	CVE-2024-47573	0.06%	18.4th	6.5	This vulnerability allows authenticated attackers with Read/Write system maintenance permissions to
5457	CVE-2025-2125	0.06%	18.4th	4.3	This vulnerability in Control iD RH iD allows attackers to manipulate resource identifiers through t
5458	CVE-2025-4017	0.06%	18.2th	4.3	This vulnerability in Novel-Plus allows unauthorized access to log viewing functionality due to impr
5459	CVE-2025-46470	0.06%	18.4th	4.3	This CVE describes a Missing Authorization vulnerability in the WordPress Smart Hashtags plugin that
5460	CVE-2025-39385	0.06%	18.4th	4.3	This CVE describes a Missing Authorization vulnerability in the Sirat WordPress theme that allows at
5461	CVE-2025-29568	0.06%	18.2th	4.8	This vulnerability in code-projects Online Class and Exam Scheduling System 1.0 allows attackers to
5462	CVE-2025-4598	0.06%	18.2th	4.7	This vulnerability in systemd-coredump allows attackers to exploit a race condition to access privil
5463	CVE-2025-5259	0.06%	18.4th	6.4	This vulnerability allows authenticated WordPress users with Contributor-level access or higher to i
5464	CVE-2025-5122	0.06%	18.4th	6.4	The Map Block Leaflet WordPress plugin has a stored XSS vulnerability in the 'url' parameter that al
5465	CVE-2024-11185	0.06%	18.4th	6.5	This vulnerability in Arista EOS allows Layer 2 traffic to improperly cross VLAN boundaries, breakin
5466	CVE-2025-39498	0.06%	18.4th	5.3	This vulnerability in the Spotlight Social Media Feeds Premium WordPress plugin allows attackers to
5467	CVE-2025-5170	0.06%	18.3th	6.3	This critical SQL injection vulnerability in llisoft MTA Maita Training System 4.5 allows remote att
5468	CVE-2025-5132	0.06%	18.3th	4.3	This CSRF vulnerability in Tmall Demo allows attackers to trick authenticated administrators into pe
5469	CVE-2025-23182	0.06%	18.3th	4.3	CVE-2025-23182 is an observable discrepancy vulnerability (CWE-203) that allows attackers to infer s
5470	CVE-2025-48056	0.06%	18.5th	5.3	This CVE describes an injection vulnerability in Hubble CLI where network attackers can inject malic
5471	CVE-2025-4905	0.06%	18.4th	5.3	This vulnerability allows local attackers to execute arbitrary code through unsafe deserialization i
5472	CVE-2025-1286	0.06%	18.3th	6.1	This vulnerability in the Download HTML TinyMCE Button WordPress plugin allows attackers to inject m
5473	CVE-2024-13828	0.06%	18.3th	6.1	The Badgearoo WordPress plugin through version 1.0.14 contains a reflected cross-site scripting (XSS
5474	CVE-2024-12733	0.06%	18.3th	6.1	This vulnerability in the AffiliateImporterEb WordPress plugin allows attackers to inject malicious
5475	CVE-2024-12726	0.06%	18.3th	6.1	The ClipArt WordPress plugin through version 0.2 contains a reflected cross-site scripting (XSS) vul
5476	CVE-2025-44183	0.06%	18.3th	6.1	CVE-2025-44183 is a stored cross-site scripting (XSS) vulnerability in Phpgurukul Vehicle Record Man
5477	CVE-2025-44181	0.06%	18.3th	6.1	This stored XSS vulnerability in Phpgurukul Vehicle Record Management System v1.0 allows attackers t
5478	CVE-2025-29690	0.06%	18.3th	6.1	This cross-site scripting (XSS) vulnerability in OA System allows attackers to inject malicious scri
5479	CVE-2025-29688	0.06%	18.3th	6.1	A stored cross-site scripting (XSS) vulnerability in OA System allows attackers to inject malicious
5480	CVE-2025-47635	0.06%	18.4th	5.5	This Server-Side Request Forgery (SSRF) vulnerability in WPWebinarSystem WebinarPress allows attacke
5481	CVE-2025-29602	0.06%	18.3th	6.1	FlatPress 1.3.1 contains a cross-site scripting vulnerability in the administration panel's category
5482	CVE-2025-4374	0.06%	18.4th	6.5	A privilege escalation vulnerability in Quay container registry allows users or robots to gain admin
5483	CVE-2024-13845	0.06%	18.3th	5.5	The Gravity Forms WebHooks plugin for WordPress has a Server-Side Request Forgery vulnerability that
5484	CVE-2025-6233	0.06%	18.3th	6.8	This vulnerability allows system administrators in Mattermost to read arbitrary files on the server
5485	CVE-2025-7552	0.06%	18.4th	6.3	This critical vulnerability in Dromara Northstar allows attackers to bypass authorization controls b
5486	CVE-2025-7175	0.06%	18.3th	6.3	This critical vulnerability in code-projects E-Commerce Site 1.0 allows remote attackers to upload a
5487	CVE-2023-32246	0.06%	18.3th	5.5	A race condition vulnerability in the Linux kernel's ksmbd (SMB server) module allows unintended ker
5488	CVE-2023-43687	0.06%	18.5th	6.5	A race condition vulnerability in Malwarebytes and Nebula products allows attackers to execute arbit
5489	CVE-2025-11060	0.06%	18.4th	5.7	This vulnerability in the SurrealDB database engine allows record or guest users to observe unauthor
5490	CVE-2025-60186	0.06%	18.3th	5.9	This stored cross-site scripting (XSS) vulnerability in the Google+ Comments WordPress plugin allows
5491	CVE-2025-60185	0.06%	18.3th	5.9	This stored cross-site scripting (XSS) vulnerability in the kontur Admin Style WordPress plugin allo
5492	CVE-2025-60184	0.06%	18.3th	5.9	This stored cross-site scripting (XSS) vulnerability in the SEO Search Permalink WordPress plugin al
5493	CVE-2025-60179	0.06%	18.3th	5.9	This stored XSS vulnerability in the Space Studio Click & Tweet WordPress plugin allows attackers to
5494	CVE-2025-60160	0.06%	18.3th	5.9	This stored cross-site scripting (XSS) vulnerability in the Smart Related Products WordPress plugin
5495	CVE-2025-60158	0.06%	18.3th	5.9	This stored cross-site scripting (XSS) vulnerability in the Nota Fiscal Eletrônica WooCommerce Word
5496	CVE-2025-60149	0.06%	18.3th	5.9	This stored cross-site scripting (XSS) vulnerability in the Notely WordPress plugin allows attackers
5497	CVE-2025-60146	0.06%	18.3th	5.9	This stored cross-site scripting (XSS) vulnerability in the WordPress Map Categories to Pages plugin
5498	CVE-2025-60144	0.06%	18.3th	5.9	This stored cross-site scripting (XSS) vulnerability in the Lenix scss compiler WordPress plugin all
5499	CVE-2025-60141	0.06%	18.3th	5.9	This stored cross-site scripting (XSS) vulnerability in The Tribal WordPress plugin allows attackers
5500	CVE-2025-60136	0.06%	18.3th	5.9	This stored cross-site scripting (XSS) vulnerability in the cartpauj User Notes WordPress plugin all

← Previous Page 110 of 331 Next →

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability a CVE will be exploited in the wild within the next 30 days. Unlike CVSS which measures severity, EPSS measures likelihood of exploitation — making it ideal for prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.

Start Monitoring Free