Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. A higher score means a greater estimated probability of exploitation activity being observed in the wild within the next 30 days. The percentile column gives the share of all scored CVEs whose EPSS score is equal to or lower than the CVE's own score.

Summary statistics: 164 CVEs with EPSS > 50%; 156 CVEs listed in the CISA KEV catalog; 35,468 CVEs with an EPSS score; 0.7% average EPSS score.
Rows 5551 to 5600 of the ranking are shown. Percentile is given in percent; summaries are cut off at the page's column width. The Flags column is omitted because no row in this range shows a flag.

Rank  CVE ID          EPSS   Percentile  CVSS  Summary
5551  CVE-2025-58835  0.06%  18.3        5.3   This vulnerability in the Bonus for Woo WordPress plugin allows attackers to bypass access controls
5552  CVE-2025-36361  0.06%  18.2        6.3   This vulnerability in IBM App Connect Enterprise allows authenticated users to perform unauthorized
5553  CVE-2025-11741  0.06%  18.2        5.3   The WPC Smart Quick View for WooCommerce WordPress plugin has an information disclosure vulnerabilit
5554  CVE-2025-55091  0.06%  18.2        6.5   This vulnerability in NetX Duo's _nx_ip_packet_receive() function allows an attacker to cause an out
5555  CVE-2025-61933  0.06%  18.3        6.1   A reflected cross-site scripting (XSS) vulnerability in BIG-IP APM allows attackers to execute malic
5556  CVE-2025-31996  0.06%  18.5        5.3   HCL Unica Platform has improper access controls that leave files unprotected, potentially exposing s
5557  CVE-2025-52616  0.06%  18.5        5.3   HCL Unica 12.1.10 exposes sensitive system information that could help attackers plan targeted attac
5558  CVE-2025-11438  0.06%  18.5        6.3   This CVE describes a missing authorization vulnerability in JhumanJ OpnForm's API endpoint at /custo
5559  CVE-2025-61999  0.06%  18.3        4.3   OPEXUS FOIAXpress versions before 11.13.3.0 contain a stored cross-site scripting (XSS) vulnerabilit
5560  CVE-2025-61998  0.06%  18.3        4.3   This vulnerability allows administrative users in OPEXUS FOIAXpress to inject malicious JavaScript o
5561  CVE-2025-61997  0.06%  18.3        4.3   OPEXUS FOIAXpress versions before 11.13.3.0 contain a stored cross-site scripting (XSS) vulnerabilit
5562  CVE-2025-61996  0.06%  18.3        4.3   This vulnerability allows administrative users in OPEXUS FOIAXpress to inject malicious JavaScript i
5563  CVE-2025-12019  0.06%  18.4        4.4   The Featured Image WordPress plugin has a stored cross-site scripting vulnerability in versions up t
5564  CVE-2025-65676  0.06%  18.5        5.4   A stored cross-site scripting (XSS) vulnerability in Classroomio LMS version 0.1.13 allows authentic
5565  CVE-2025-65675  0.06%  18.5        5.4   A stored cross-site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated att
5566  CVE-2025-63914  0.06%  18.4        6.5   CVE-2025-63914 is a resource exhaustion vulnerability in Cinnamon kotaemon 0.11.0 where the ZIP file
5567  CVE-2025-63544  0.06%  18.3        6.1   TechStore 1.0 contains a reflected cross-site scripting vulnerability in the /order_notes endpoint v
5568  CVE-2025-63543  0.06%  18.3        6.1   TechStore 1.0 contains a reflected cross-site scripting vulnerability in its search functionality. A
5569  CVE-2025-63640  0.06%  18.3        6.1   CVE-2025-63640 is a stored cross-site scripting (XSS) vulnerability in Sourcecodester Medicine Remin
5570  CVE-2025-63639  0.06%  18.3        6.1   CVE-2025-63639 is a stored cross-site scripting (XSS) vulnerability in Sourcecodester FAQ Bot with A
5571  CVE-2025-63638  0.06%  18.3        6.1   CVE-2025-63638 is a stored cross-site scripting (XSS) vulnerability in Sourcecodester AI-Powered To-
5572  CVE-2025-10873  0.06%  18.2        5.3   The ElementInvader Addons for Elementor WordPress plugin before version 1.4.1 contains an authorizat
5573  CVE-2025-63450  0.06%  18.3        5.4   Car-Booking-System-PHP v1.0 contains a cross-site scripting (XSS) vulnerability in the booking.php e
5574  CVE-2025-63449  0.06%  18.3        5.4   Water Management System v1.0 contains a cross-site scripting vulnerability in the /orders.php endpoi
5575  CVE-2025-63448  0.06%  18.3        6.1   Water Management System v1.0 contains a cross-site scripting vulnerability in the edit_product.php p
5576  CVE-2025-63447  0.06%  18.3        6.1   Water Management System v1.0 contains a cross-site scripting vulnerability in the /add_customer.php
5577  CVE-2025-63446  0.06%  18.3        6.1   Water Management System v1.0 contains a cross-site scripting vulnerability in the /add_vendor.php en
5578  CVE-2025-66436  0.06%  18.2        4.3   An authenticated attacker with access to create or modify Terms and Conditions documents in Frappe E
5579  CVE-2025-66435  0.06%  18.2        4.3   An authenticated attacker with Contract Template creation/modification privileges can inject malicio
5580  CVE-2025-46266  0.06%  18.4        4.3   This vulnerability in TeamViewer DEX Client's Content Distribution Service allows attackers to redir
5581  CVE-2025-14286  0.06%  18.3        5.3   This vulnerability in Tenda AC9 routers allows remote attackers to access configuration files via th
5582  CVE-2025-14198  0.06%  18.3        5.3   This vulnerability in Verysync 2.21.3 allows remote attackers to access sensitive information throug
5583  CVE-2025-65881  0.06%  18.3        6.1   CVE-2025-65881 is a Cross-Site Scripting (XSS) vulnerability in Sourcecodester Zoo Management System
5584  CVE-2025-65407  0.06%  18.4        6.5   This vulnerability is a use-after-free flaw in Live555 Streaming Media's MPEG1or2Demux component tha
5585  CVE-2025-65408  0.06%  18.4        6.5   This vulnerability allows attackers to cause a denial of service by sending a specially crafted ADTS
5586  CVE-2025-65406  0.06%  18.4        6.5   A heap overflow vulnerability in Live555 Streaming Media allows attackers to cause denial of service
5587  CVE-2025-65405  0.06%  18.4        6.5   This vulnerability allows attackers to cause a Denial of Service (DoS) by exploiting a use-after-fre
5588  CVE-2025-65404  0.06%  18.4        6.5   A buffer overflow vulnerability in Live555 Streaming Media's getSideInfo2() function allows attacker
5589  CVE-2025-65403  0.06%  18.4        6.5   A buffer overflow vulnerability in LightFTP v2.0's g_cfg.MaxUsers component allows attackers to trig
5590  CVE-2026-2074   0.06%  18.4        6.3   This XXE vulnerability in O2OA allows attackers to read arbitrary files from the server by sending s
5591  CVE-2026-1054   0.06%  18.4        5.3   The RegistrationMagic WordPress plugin up to version 6.0.7.4 has a missing authorization vulnerabili
5592  CVE-2025-66199  0.06%  18.3        5.9   A TLS 1.3 vulnerability in OpenSSL allows attackers to force large memory allocations (up to 22 MiB
5593  CVE-2026-1102   0.06%  18.4        5.3   This vulnerability in GitLab allows unauthenticated attackers to cause denial of service by sending
5594  CVE-2025-14351  0.06%  18.4        5.3   This vulnerability in the Custom Fonts WordPress plugin allows unauthenticated attackers to delete f
5595  CVE-2026-22770  0.06%  18.4        6.5   ImageMagick versions before 7.1.2-13 contain a memory corruption vulnerability in the BilateralBlurI
5596  CVE-2026-2056   0.06%  18.2        5.3   This vulnerability in D-Link DIR-605L and DIR-619L routers allows remote attackers to access sensiti
5597  CVE-2026-0942   0.06%  18.4        5.3   This vulnerability allows unauthenticated attackers to delete payment metadata logs from all WooComm
5598  CVE-2026-2055   0.06%  18.2        5.3   A vulnerability in D-Link DIR-605L and DIR-619L routers allows remote attackers to disclose sensitiv
5599  CVE-2026-2054   0.06%  18.2        5.3   A security vulnerability in D-Link DIR-605L and DIR-619L routers allows remote attackers to access s
5600  CVE-2025-12895  0.06%  18.4        5.3   This vulnerability allows unauthenticated attackers to use the Kalium WordPress theme as an open mai

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. CVSS measures severity (how bad exploitation would be); EPSS measures likelihood (how probable exploitation is), which makes it a useful input for deciding which vulnerabilities to patch first.

Why EPSS matters: with thousands of CVEs published every month, not all vulnerabilities are equally dangerous. EPSS lets security teams focus on the CVEs most likely to be exploited instead of patching solely by CVSS score. A CVSS 9.8 vulnerability with an EPSS of 0.1% may be less urgent than a CVSS 7.5 vulnerability with an EPSS of 90%. Two caveats for practitioners: EPSS is a prediction, whereas a CISA KEV listing is evidence of exploitation, so KEV entries should be treated as must-patch regardless of their EPSS score; and EPSS scores are recomputed daily and know nothing about your environment (exposure, reachability, compensating controls), so they should be re-pulled regularly and combined with asset context rather than used on their own.
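The prioritization logic the paragraph above describes, as an added example that is not code from the page or from FIRST: it parses EPSS rows in the layout of FIRST's daily CSV export (a '#'-prefixed metadata line followed by a cve,epss,percentile header), recomputes a percentile the way EPSS defines it, and ranks and triages CVEs with KEV first, EPSS second and CVSS only as a tie-breaker. The CVE IDs, scores, CVSS values and KEV membership are constructed sample data, not real records; the triage thresholds (epss_floor, cvss_floor) are assumptions to tune for your own environment.

```python
"""Added example, not code from the page: triage a CVE list using EPSS
probability, EPSS percentile, CVSS base score and CISA KEV membership.

Assumptions not stated on the page:
- EPSS rows follow the layout of FIRST's daily CSV export: optional '#'-prefixed
  metadata lines, then a 'cve,epss,percentile' header. The rows below are
  CONSTRUCTED sample data with made-up scores, not real EPSS values.
- CVSS scores and KEV membership are supplied as a dict and a set; in practice
  they come from NVD and the CISA KEV catalog.
"""
import csv
import io
import statistics
from dataclasses import dataclass

SAMPLE_EPSS_CSV = """\
#model_version:v2025.03.14,score_date:2026-01-15T00:00:00+0000
cve,epss,percentile
CVE-2025-0001,0.00060,0.183
CVE-2025-0002,0.90000,0.999
CVE-2025-0003,0.00100,0.250
CVE-2025-0004,0.45000,0.990
CVE-2025-0005,0.00060,0.183
"""
SAMPLE_CVSS = {"CVE-2025-0001": 5.3, "CVE-2025-0002": 7.5, "CVE-2025-0003": 9.8,
               "CVE-2025-0004": 6.5, "CVE-2025-0005": 4.3}
SAMPLE_KEV = {"CVE-2025-0004"}  # constructed: pretend this one is in CISA KEV


@dataclass(frozen=True)
class Entry:
    cve: str
    epss: float        # P(exploitation activity in the next 30 days)
    percentile: float  # fraction of all scored CVEs with EPSS <= this one
    cvss: float        # CVSS base score (severity, not likelihood)
    kev: bool          # listed in CISA Known Exploited Vulnerabilities


def parse_epss_csv(text: str) -> dict[str, tuple[float, float]]:
    """Parse a FIRST-style EPSS CSV into {cve: (epss, percentile)},
    skipping '#' metadata lines."""
    body = "\n".join(ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in csv.DictReader(io.StringIO(body))}


def epss_percentile(score: float, all_scores: list[float]) -> float:
    """Recompute a percentile the way EPSS defines it: the share of scored
    CVEs whose EPSS is at or below this score."""
    return sum(1 for s in all_scores if s <= score) / len(all_scores)


def build_entries(epss_csv: str, cvss: dict, kev: set) -> list[Entry]:
    scores = parse_epss_csv(epss_csv)
    return [Entry(cve, e, p, cvss.get(cve, 0.0), cve in kev)
            for cve, (e, p) in scores.items()]


def rank(entries: list[Entry]) -> list[Entry]:
    """Exploit-likelihood ordering: KEV first, then EPSS descending, and only
    then CVSS descending as the tie-breaker."""
    return sorted(entries, key=lambda e: (e.kev, e.epss, e.cvss), reverse=True)


def triage(entries, epss_floor=0.10, cvss_floor=7.0):
    """Split into three queues (thresholds are assumptions, tune them):
    patch_now - in KEV or EPSS >= epss_floor (evidence or likelihood of exploitation)
    schedule  - high CVSS but low EPSS (severe if exploited, not currently targeted)
    backlog   - everything else
    Returns {queue name: [CVE IDs in rank order]}."""
    queues = {"patch_now": [], "schedule": [], "backlog": []}
    for e in rank(entries):
        if e.kev or e.epss >= epss_floor:
            queues["patch_now"].append(e.cve)
        elif e.cvss >= cvss_floor:
            queues["schedule"].append(e.cve)
        else:
            queues["backlog"].append(e.cve)
    return queues


def mean_epss(entries) -> float:
    """The page's 'Avg EPSS Score' figure: arithmetic mean over scored CVEs."""
    return statistics.fmean(e.epss for e in entries)


def epss_api_url(cves: list[str]) -> str:
    """URL for FIRST's public EPSS API; not called here so the example runs offline."""
    return "https://api.first.org/data/v1/epss?cve=" + ",".join(cves)


if __name__ == "__main__":
    entries = build_entries(SAMPLE_EPSS_CSV, SAMPLE_CVSS, SAMPLE_KEV)
    for e in rank(entries):
        print(f"{e.cve}  EPSS={e.epss:.2%}  pct={e.percentile:.1%}  CVSS={e.cvss}  KEV={e.kev}")
    print(triage(entries))
    print(f"mean EPSS: {mean_epss(entries):.2%}")
```

Run as-is, the constructed CVSS 9.8 entry with EPSS 0.1% lands in the "schedule" queue while the CVSS 7.5 entry with EPSS 90% lands in "patch_now", which is the ordering the paragraph argues for; the KEV entry outranks both despite a lower EPSS score, because KEV is evidence rather than prediction. To use live data, download FIRST's daily CSV or call the URL from epss_api_url() and feed the rows to parse_epss_csv().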

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
