Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 5951 | CVE-2024-56251 | | 40.3th | 4.3 | | This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in Event Espresso 4 Decaf, a Wo |
| 5952 | CVE-2025-25192 | | 40.4th | 6.5 | | CVE-2025-25192 allows low-privileged users in GLPI to enable debug mode, potentially exposing sensit |
| 5953 | CVE-2025-2767 | | 40.4th | 9.6 | | This critical vulnerability in Arista NG Firewall allows remote attackers to execute arbitrary code |
| 5954 | CVE-2025-32360 | | 40.3th | 4.2 | | This vulnerability in Zammad allows logged-in customers to view and manipulate shared article drafts |
| 5955 | CVE-2025-22924 | | 40.3th | 8.8 | | CVE-2025-22924 is a SQL injection vulnerability in OS4ED openSIS versions 7.0 through 9.1 that allow |
| 5956 | CVE-2025-0668 | | 40.3th | 9.8 | | This CVE describes a stored cross-site scripting (XSS) vulnerability in BOINC Server that allows att |
| 5957 | CVE-2025-3921 | | 40.4th | 8.2 | | The PeproDev Ultimate Profile Solutions WordPress plugin has an authentication bypass vulnerability |
| 5958 | CVE-2025-50819 | | 40.3th | 7.1 | | A directory traversal vulnerability in beiyuouo arxiv-daily allows attackers to read arbitrary files |
| 5959 | CVE-2026-1729 | | 40.3th | 9.8 | | This critical vulnerability in the AdForest WordPress theme allows unauthenticated attackers to bypa |
| 5960 | CVE-2025-57614 | | 40.3th | 7.5 | | An integer overflow and invalid input vulnerability in rust-ffmpeg's cached method allows attackers |
| 5961 | CVE-2025-11746 | | 40.4th | 8.8 | | The XStore WordPress theme contains a Local File Inclusion vulnerability that allows authenticated a |
| 5962 | CVE-2024-57681 | | 40.3th | 5.3 | | An access control vulnerability in D-Link DIR-816 routers allows unauthenticated attackers to modify |
| 5963 | CVE-2025-0482 | | 40.1th | 7.3 | | This critical vulnerability in Fanli2012 native-php-cms 1.0 allows attackers to bypass authenticatio |
| 5964 | CVE-2025-22139 | | 40.1th | 6.1 | | A reflected cross-site scripting (XSS) vulnerability exists in WeGIA's configuracao_geral.php endpoi |
| 5965 | CVE-2024-55411 | | 40.3th | 8.8 | | This vulnerability in SUNIX Multi I/O Card driver allows attackers with local access to perform arbi |
| 5966 | CVE-2025-1166 | | 40.1th | 6.3 | | CVE-2025-1166 is a critical unrestricted file upload vulnerability in SourceCodester Food Menu Manag |
| 5967 | CVE-2024-13403 | | 40.1th | 6.4 | | This vulnerability allows authenticated WordPress users with Contributor-level access or higher to i |
| 5968 | CVE-2025-31625 | | 40.2th | 7.1 | | This stored cross-site scripting (XSS) vulnerability in the Useinfluence WordPress plugin allows att |
| 5969 | CVE-2025-31615 | | 40.2th | 7.1 | | This stored cross-site scripting (XSS) vulnerability in the Simple Contact Forms WordPress plugin al |
| 5970 | CVE-2025-23995 | | 40.2th | 7.1 | | This reflected cross-site scripting (XSS) vulnerability in the Tantyyellow WordPress theme allows at |
| 5971 | CVE-2025-22767 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users |
| 5972 | CVE-2025-22575 | | 40.2th | 7.1 | | This reflected cross-site scripting (XSS) vulnerability in the SUPER RESPONSIVE SLIDER WordPress plu |
| 5973 | CVE-2025-22566 | | 40.2th | 7.1 | | This is a reflected cross-site scripting (XSS) vulnerability in the ULTIMATE VIDEO GALLERY WordPress |
| 5974 | CVE-2025-22501 | | 40.2th | 7.1 | | This is a reflected cross-site scripting (XSS) vulnerability in the Improve My City WordPress plugin |
| 5975 | CVE-2025-22360 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the WP A |
| 5976 | CVE-2025-22356 | | 40.2th | 7.1 | | This reflected cross-site scripting (XSS) vulnerability in the Stencies WordPress plugin allows atta |
| 5977 | CVE-2024-51624 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users |
| 5978 | CVE-2025-31102 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into Bob Hostel WordPress plugin pag |
| 5979 | CVE-2025-28890 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Ligh |
| 5980 | CVE-2025-28889 | | 40.2th | 7.1 | | This reflected cross-site scripting (XSS) vulnerability in the Custom Product Stickers for Woocommer |
| 5981 | CVE-2025-28882 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into Omnify WordPress plugin pages t |
| 5982 | CVE-2025-28880 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Blue |
| 5983 | CVE-2025-28877 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Key4 |
| 5984 | CVE-2025-28869 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Next |
| 5985 | CVE-2025-28865 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the WP C |
| 5986 | CVE-2025-28858 | | 40.2th | 7.1 | | This is a reflected cross-site scripting (XSS) vulnerability in the Arrow Maps WordPress plugin that |
| 5987 | CVE-2025-28855 | | 40.2th | 7.1 | | This is a reflected cross-site scripting (XSS) vulnerability in the Teleport WordPress plugin that a |
| 5988 | CVE-2025-27014 | | 40.2th | 7.1 | | This is a reflected cross-site scripting (XSS) vulnerability in the Hostiko WordPress theme that all |
| 5989 | CVE-2025-39594 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Arig |
| 5990 | CVE-2025-39567 | | 40.2th | 7.1 | | This reflected cross-site scripting (XSS) vulnerability in the Shamalli Web Directory Free WordPress |
| 5991 | CVE-2025-39558 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users |
| 5992 | CVE-2025-39521 | | 40.2th | 7.1 | | A reflected cross-site scripting (XSS) vulnerability in the Contact Form vCard Generator WordPress p |
| 5993 | CVE-2025-39464 | | 40.2th | 7.1 | | This reflected cross-site scripting (XSS) vulnerability in the AdminQuickbar WordPress plugin allows |
| 5994 | CVE-2025-39420 | | 40.2th | 7.1 | | This stored cross-site scripting (XSS) vulnerability in the WP Twitter Button WordPress plugin allow |
| 5995 | CVE-2025-32670 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Spar |
| 5996 | CVE-2025-32651 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into SERPed.net WordPress plugin pag |
| 5997 | CVE-2025-32646 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Ques |
| 5998 | CVE-2025-32638 | | 40.2th | 7.1 | | This stored cross-site scripting (XSS) vulnerability in the ShopApper WordPress plugin allows attack |
| 5999 | CVE-2025-32630 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into WP-BusinessDirectory WordPress |
| 6000 | CVE-2025-32625 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Mobi |

What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, making it ideal for prioritizing which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.