Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 6051 | CVE-2025-26746 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages through the Advanced |
| 6052 | CVE-2025-22263 | | 40.2th | 7.1 | | This CVE describes a reflected cross-site scripting (XSS) vulnerability in the Global Gallery WordPr |
| 6053 | CVE-2025-3608 | | 40.1th | 6.5 | | A race condition in Firefox's nsHttpTransaction component could allow memory corruption, potentially |
| 6054 | CVE-2025-26992 | | 40.2th | 7.1 | | This reflected cross-site scripting (XSS) vulnerability in the Landing Page Cat WordPress plugin all |
| 6055 | CVE-2025-26954 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the ZooE |
| 6056 | CVE-2025-32600 | | 40.2th | 7.1 | | This reflected cross-site scripting (XSS) vulnerability in the Tournamatch WordPress plugin allows a |
| 6057 | CVE-2025-32551 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users |
| 6058 | CVE-2025-32541 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users |
| 6059 | CVE-2025-32538 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Easy |
| 6060 | CVE-2025-32536 | | 40.2th | 7.1 | | This reflected cross-site scripting (XSS) vulnerability in the HTML5 Video Player with Playlist Word |
| 6061 | CVE-2025-32525 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Inte |
| 6062 | CVE-2025-32523 | | 40.2th | 7.1 | | This reflected cross-site scripting (XSS) vulnerability in the WooCommerce Payphone Gateway plugin a |
| 6063 | CVE-2025-32517 | | 40.2th | 7.1 | | This reflected cross-site scripting (XSS) vulnerability in the SCAND MultiMailer WordPress plugin al |
| 6064 | CVE-2025-31378 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Opps |
| 6065 | CVE-2025-31021 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users |
| 6066 | CVE-2025-27350 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Vice |
| 6067 | CVE-2025-32116 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Stud |
| 6068 | CVE-2025-32114 | | 40.2th | 7.1 | | This CVE describes a reflected cross-site scripting (XSS) vulnerability in the 5sterrenspecialist Wo |
| 6069 | CVE-2025-32543 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Cano |
| 6070 | CVE-2025-31394 | | 40.2th | 7.1 | | This stored cross-site scripting (XSS) vulnerability in the WordPress More Mime Type Filters plugin |
| 6071 | CVE-2025-29870 | | 40.1th | 7.5 | | Missing authentication vulnerability in Wi-Fi AP UNIT 'AC-WPS-11ac series' allows remote unauthentic |
| 6072 | CVE-2025-32117 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Widg |
| 6073 | CVE-2025-31416 | | 40.2th | 7.1 | | This reflected cross-site scripting (XSS) vulnerability in the Awesome Event Booking WordPress plugi |
| 6074 | CVE-2025-31384 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages through the Aviplugin |
| 6075 | CVE-2025-31905 | | 40.2th | 7.1 | | This is a reflected cross-site scripting (XSS) vulnerability in the Team Rosters WordPress plugin th |
| 6076 | CVE-2025-31902 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Soci |
| 6077 | CVE-2025-31900 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Lexi |
| 6078 | CVE-2025-31898 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Medi |
| 6079 | CVE-2025-31626 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Supp |
| 6080 | CVE-2025-31582 | | 40.2th | 7.1 | | This stored cross-site scripting (XSS) vulnerability in the Contact Form vCard Generator WordPress p |
| 6081 | CVE-2025-31573 | | 40.2th | 7.1 | | This stored cross-site scripting (XSS) vulnerability in the PeproDev CF7 Database WordPress plugin a |
| 6082 | CVE-2025-31468 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the WP_I |
| 6083 | CVE-2025-31442 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages through the Search en |
| 6084 | CVE-2025-30858 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into Snow Storm WordPress plugin pag |
| 6085 | CVE-2025-30611 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Wpto |
| 6086 | CVE-2025-31594 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Auto |
| 6087 | CVE-2025-31571 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by The Logo |
| 6088 | CVE-2025-31537 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Bulk |
| 6089 | CVE-2025-31461 | | 40.2th | 7.1 | | This reflected cross-site scripting (XSS) vulnerability in the NanoSupport WordPress plugin allows a |
| 6090 | CVE-2025-31454 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Dele |
| 6091 | CVE-2025-31445 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Page |
| 6092 | CVE-2025-31431 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into WP Bookmarks WordPress plugin p |
| 6093 | CVE-2025-31085 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the xili |
| 6094 | CVE-2025-31078 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Smal |
| 6095 | CVE-2025-30906 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Getn |
| 6096 | CVE-2025-30852 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Orac |
| 6097 | CVE-2025-30924 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users |
| 6098 | CVE-2025-30902 | | 40.2th | 7.1 | | This reflected cross-site scripting (XSS) vulnerability in the ATL Software SRL AEC Kiosque WordPres |
| 6099 | CVE-2025-30840 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the xili |
| 6100 | CVE-2025-30808 | | 40.2th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Abou |

What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation — making it ideal for prioritizing which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.