Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary
5601 | CVE-2025-14173 | 0.06% | 18.4th | 5.3 | | The Perfit WooCommerce plugin for WordPress has a missing authorization vulnerability that allows un
5602 | CVE-2025-37179 | 0.06% | 18.3th | 5.3 | | Multiple out-of-bounds read vulnerabilities in a system component that handles data buffers. Insuffi
5603 | CVE-2025-13717 | 0.06% | 18.5th | 5.3 | | This vulnerability allows unauthenticated attackers to export sensitive Contact Form 7 submission da
5604 | CVE-2026-20973 | 0.06% | 18.3th | 5.3 | | An out-of-bounds read vulnerability in libimagecodec.quram.so allows remote attackers to access memo
5605 | CVE-2025-15237 | 0.06% | 18.2th | 4.3 | | CVE-2025-15237 is an absolute path traversal vulnerability in QOCA aim AI Medical Cloud Platform tha
5606 | CVE-2025-15236 | 0.06% | 18.2th | 4.3 | | QOCA aim AI Medical Cloud Platform has an absolute path traversal vulnerability that allows authenti
5607 | CVE-2026-0577 | 0.06% | 18.4th | 6.3 | | CVE-2026-0577 is an unrestricted file upload vulnerability in code-projects Online Product Reservati
5608 | CVE-2025-58190 | 0.06% | 18.2th | 5.3 | | CVE-2025-58190 is a denial-of-service vulnerability in Go's html.Parse function that causes infinite
5609 | CVE-2025-47911 | 0.06% | 18.2th | 5.3 | | This vulnerability in Go's html.Parse function allows attackers to cause denial of service by provid
5610 | CVE-2025-63617 | 0.06% | 18.4th | 6.5 | | This vulnerability allows remote code execution through unsafe fastjson deserialization in ktg-mes s
5611 | CVE-2025-69203 | 0.06% | 18.4th | 6.3 | | Signal K Server versions before 2.19.0 have vulnerabilities that allow attackers to craft convincing
5612 | CVE-2025-22996 | 0.06% | 18.1th | 4.8 | | A stored cross-site scripting (XSS) vulnerability in the Linksys E5600 router's spf_table_content co
5613 | CVE-2025-26963 | 0.06% | 17.8th | 5.4 | | This CSRF vulnerability in the ClickWhale WordPress plugin allows attackers to trick authenticated a
5614 | CVE-2025-25768 | 0.06% | 18th | 5.4 | | MRCMS v3.1.2 contains a server-side template injection vulnerability in DispatcherServlet.java that
5615 | CVE-2025-1441 | 0.06% | 18.1th | 6.1 | | This CSRF vulnerability in the Royal Elementor Addons WordPress plugin allows attackers to inject ma
5616 | CVE-2025-25527 | 0.06% | 18th | 5.1 | | A buffer overflow vulnerability in Ruijie RG-NBR2600S Gateway allows attackers to crash the device o
5617 | CVE-2025-25525 | 0.06% | 18th | 5.1 | | A buffer overflow vulnerability in H3C FA3010L access points allows attackers to crash devices or ex
5618 | CVE-2024-12619 | 0.06% | 18.1th | 5.2 | | This vulnerability allows authenticated internal users in GitLab to bypass access controls and view
5619 | CVE-2025-46578 | 0.06% | 17.9th | 6.5 | | SQL injection vulnerabilities in GoldenDB database interfaces allow attackers to execute arbitrary S
5620 | CVE-2025-46654 | 0.06% | 17.9th | 4.9 | | CVE-2025-46654 is a cross-site scripting (XSS) vulnerability in CodiMD that allows attackers to bypa
5621 | CVE-2025-5325 | 0.06% | 18th | 6.3 | | This critical vulnerability in zhilink ADP Application Developer Platform 1.0.0 allows remote attack
5622 | CVE-2025-5178 | 0.06% | 18th | 6.3 | | This critical vulnerability in Realce Tecnologia Queue Ticket Kiosk allows remote attackers to uploa
5623 | CVE-2025-47942 | 0.06% | 18th | 5.3 | | The Open edX Platform allows unauthorized users to download python_lib.zip files from courses, which
5624 | CVE-2025-39460 | 0.06% | 18th | 5.3 | | This CVE describes a missing authorization vulnerability in the Eduma WordPress theme that allows at
5625 | CVE-2025-39373 | 0.06% | 18th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the JNews WordPress theme that allows un
5626 | CVE-2025-39353 | 0.06% | 18th | 5.3 | | This CVE describes a missing authorization vulnerability in the Grand Restaurant WordPress theme tha
5627 | CVE-2025-48282 | 0.06% | 18th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Majestic Support WordPress plugin th
5628 | CVE-2025-32296 | 0.06% | 18th | 5.3 | | This CVE describes a missing authorization vulnerability in the quantumcloud Simple Link Directory P
5629 | CVE-2025-31071 | 0.06% | 18th | 5.3 | | This CVE describes a missing authorization vulnerability in the HotStar WordPress theme that allows
5630 | CVE-2025-31066 | 0.06% | 18th | 5.3 | | This CVE describes a missing authorization vulnerability in the Acerola WordPress theme that allows
5631 | CVE-2024-8009 | 0.06% | 18.2th | 4.3 | | The Sensei LMS WordPress plugin before version 4.20.0 exposes all user email addresses to teachers o
5632 | CVE-2024-56006 | 0.06% | 18th | 5.3 | | This CVE describes a missing authorization vulnerability in the Jetpack Debug Tools WordPress plugin
5633 | CVE-2025-47709 | 0.06% | 18.1th | 6.5 | | This CVE describes a Missing Authorization vulnerability in Drupal Enterprise MFA - TFA for Drupal t
5634 | CVE-2025-24021 | 0.06% | 17.9th | 5.0 | | This vulnerability in iTop allows authenticated users with portal access to modify object fields the
5635 | CVE-2025-47486 | 0.06% | 18th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the CyberChimps Gutenberg & Elementor Te
5636 | CVE-2025-47457 | 0.06% | 18.2th | 5.3 | | This CVE describes a missing authorization vulnerability in the LocateAndFilter WordPress plugin tha
5637 | CVE-2025-49996 | 0.06% | 18.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the WP Visitor Statistics WordPress plug
5638 | CVE-2025-49988 | 0.06% | 18.1th | 5.3 | | This vulnerability allows attackers to bypass authorization controls in the Renzo Contact Form 7 AWe
5639 | CVE-2025-49593 | 0.06% | 18th | 6.8 | | Portainer Community Edition versions before STS 2.31.0 and LTS 2.27.7 contain an information disclos
5640 | CVE-2024-40570 | 0.06% | 18.1th | 6.5 | | This CVE describes an SQL injection vulnerability in SeaCMS v.12.9 that allows a remote attacker to
5641 | CVE-2025-5766 | 0.06% | 18th | 4.3 | | CVE-2025-5766 is a Cross-Site Request Forgery (CSRF) vulnerability in code-projects Laundry System 1
5642 | CVE-2025-48888 | 0.06% | 18.1th | 5.3 | | This CVE describes a permission precedence vulnerability in Deno where 'deny' flags don't properly o
5643 | CVE-2025-8369 | 0.06% | 18th | 4.3 | | This is a reflected cross-site scripting (XSS) vulnerability in Portabilis i-Educar 2.9 that allows
5644 | CVE-2025-8367 | 0.06% | 18th | 4.3 | | A reflected cross-site scripting (XSS) vulnerability exists in Portabilis i-Educar 2.9 where the 'no
5645 | CVE-2025-43212 | 0.06% | 17.8th | 6.5 | | A memory handling vulnerability in Apple WebKit (CWE-119) allows malicious web content to cause Safa
5646 | CVE-2025-30959 | 0.06% | 18th | 6.5 | | This CVE describes a missing authorization vulnerability in WPFactory's Product XML Feed Manager for
5647 | CVE-2025-2540 | 0.06% | 18.2th | 6.4 | | This stored XSS vulnerability in WordPress plugins allows authenticated attackers with contributor-l
5648 | CVE-2025-50405 | 0.06% | 18.1th | 6.5 | | The Intelbras RX1500 Router firmware versions up to v2.2.17 have incorrect access control in the Fir
5649 | CVE-2025-43827 | 0.06% | 17.8th | 4.3 | | This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal and DX
5650 | CVE-2025-46149 | 0.06% | 17.9th | 5.3 | | This CVE describes an assertion error vulnerability in PyTorch's nn.Fold module when using the induc

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
