Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 6151 | CVE-2025-57772 | | 39.9th | 9.8 | | This vulnerability allows remote code execution in DataEase BI tools through a JDBC URL bypass. Atta |
| 6152 | CVE-2025-54813 | | 39.9th | 7.5 | | This vulnerability in Apache Log4cxx's JSONLayout allows attackers to inject non-printable character |
| 6153 | CVE-2025-11254 | | 39.9th | 4.3 | | This CSV injection vulnerability in the Contest Gallery WordPress plugin allows unauthenticated atta |
| 6154 | CVE-2025-48633 | | 39.9th | 5.5 | KEV | This vulnerability in Android's DevicePolicyManagerService allows an attacker to add a Device Owner |
| 6155 | CVE-2025-14206 | | 40th | 6.5 | | This vulnerability in SourceCodester Online Student Clearance System 1.0 allows attackers to bypass |
| 6156 | CVE-2025-65806 | | 40th | 4.3 | | This vulnerability in E-POINT CMS allows attackers to upload nested ZIP archives containing executab |
| 6157 | CVE-2025-13374 | | 39.9th | 9.8 | | The Kalrav AI Agent WordPress plugin allows unauthenticated attackers to upload arbitrary files due |
| 6158 | CVE-2025-24017 | | 39.9th | 7.6 | | YesWiki versions up to 4.4.5 contain a DOM-based cross-site scripting (XSS) vulnerability in the tag |
| 6159 | CVE-2025-23208 | | 39.8th | 7.3 | | CVE-2025-23208 is an authorization bypass vulnerability in Zot OCI image registry where group member |
| 6160 | CVE-2024-12614 | | 39.8th | 7.5 | | The Passwords Manager WordPress plugin up to version 1.4.8 lacks proper authorization checks, allowi |
| 6161 | CVE-2025-22495 | | 39.9th | 8.4 | | An improper input validation vulnerability in the NTP server configuration field of Eaton Network-M2 |
| 6162 | CVE-2024-56000 | | 39.8th | 9.8 | | CVE-2024-56000 is an incorrect privilege assignment vulnerability in SeventhQueen's K Elements WordP |
| 6163 | CVE-2024-52612 | | 39.8th | 6.8 | | SolarWinds Platform contains a reflected cross-site scripting vulnerability that allows authenticate |
| 6164 | CVE-2024-13643 | | 39.8th | 8.8 | | The Zox News WordPress theme has a vulnerability that allows authenticated users with Subscriber-lev |
| 6165 | CVE-2025-24278 | | 39.8th | 5.5 | | A symlink validation vulnerability in macOS allows applications to bypass file system protections an |
| 6166 | CVE-2025-31679 | | 39.9th | 6.1 | | This Cross-Site Scripting (XSS) vulnerability in Drupal's Ignition Error Pages module allows attacke |
| 6167 | CVE-2025-27015 | | 39.9th | 7.5 | | This vulnerability allows attackers to include local files on the server through improper filename c |
| 6168 | CVE-2024-8501 | | 39.8th | 8.8 | | This vulnerability allows any user to download arbitrary files from the rpc_agent's host system by e |
| 6169 | CVE-2025-25589 | | 39.8th | 8.1 | | This XXE injection vulnerability in yimioa's XML parsing component allows attackers to execute arbit |
| 6170 | CVE-2025-26696 | | 39.9th | 7.0 | | This vulnerability in Thunderbird email client incorrectly displays signed OpenPGP messages as encry |
| 6171 | CVE-2025-32379 | | 39.9th | 5.0 | | This vulnerability in Koa.js allows cross-site scripting (XSS) attacks when untrusted user input is |
| 6172 | CVE-2025-30303 | | 39.8th | 5.5 | | Adobe Framemaker versions 2020.8, 2022.6 and earlier contain an out-of-bounds read vulnerability tha |
| 6173 | CVE-2025-27202 | | 39.8th | 5.5 | | Adobe Animate versions 24.0.7, 23.0.10 and earlier contain an out-of-bounds read vulnerability that |
| 6174 | CVE-2025-27186 | | 39.8th | 5.5 | | Adobe After Effects versions 25.1, 24.6.4 and earlier contain an out-of-bounds read vulnerability th |
| 6175 | CVE-2025-27184 | | 39.8th | 5.5 | | CVE-2025-27184 is an out-of-bounds read vulnerability in Adobe After Effects that could allow an att |
| 6176 | CVE-2025-5720 | | 39.9th | 6.4 | | This vulnerability allows unauthenticated attackers to inject malicious scripts into WordPress websi |
| 6177 | CVE-2025-12907 | | 39.8th | 8.8 | | This vulnerability allows remote attackers to execute arbitrary code on affected Chrome browsers thr |
| 6178 | CVE-2025-12197 | | 39.8th | 7.5 | | The Events Calendar WordPress plugin versions 6.15.1.1 through 6.15.9 contain a blind SQL injection |
| 6179 | CVE-2025-48631 | | 39.8th | 6.5 | | This vulnerability in Android's LocalImageResolver component allows remote attackers to cause persis |
| 6180 | CVE-2025-13801 | | 39.8th | 7.5 | | The Yoco Payments WordPress plugin contains a path traversal vulnerability that allows unauthenticat |
| 6181 | CVE-2025-68620 | | 39.8th | 9.1 | | Signal K Server versions before 2.19.0 allow unauthenticated attackers to steal JWT authentication t |
| 6182 | CVE-2026-25069 | | 39.8th | N/A | | SunFounder Pironman Dashboard versions 1.3.13 and earlier contain an unauthenticated path traversal |
| 6183 | CVE-2024-7577 | | 39.6th | 4.4 | | IBM InfoSphere Information Server 11.7 may expose sensitive user credentials in log files during new |
| 6184 | CVE-2024-55029 | | 39.7th | 6.1 | | NASA Fprime v3.4.3 contains multiple cross-site scripting (XSS) vulnerabilities that allow attackers |
| 6185 | CVE-2025-2744 | | 39.6th | 5.4 | | This critical vulnerability in ruoyi-vue-pro 2.4.1 allows attackers to perform path traversal attack |
| 6186 | CVE-2025-25871 | | 39.6th | 8.0 | | A privilege escalation vulnerability in Open Panel v0.3.4 allows remote attackers to gain elevated p |
| 6187 | CVE-2024-13895 | | 39.7th | 4.3 | | The Code Snippets CPT WordPress plugin allows authenticated attackers with Subscriber-level access o |
| 6188 | CVE-2020-36844 | | 39.7th | 6.1 | | This vulnerability allows reflected cross-site scripting (XSS) attacks in KnowBe4 Security Awareness |
| 6189 | CVE-2025-29015 | | 39.7th | 6.1 | | Code Astro Internet Banking System 2.0.0 contains a stored cross-site scripting vulnerability in the |
| 6190 | CVE-2025-29710 | | 39.7th | 6.1 | | SourceCodester Company Website CMS 1.0 contains a stored cross-site scripting (XSS) vulnerability in |
| 6191 | CVE-2025-32230 | | 39.7th | 4.3 | | This vulnerability allows attackers to inject malicious HTML/JavaScript into Tutor LMS web pages thr |
| 6192 | CVE-2025-3245 | | 39.7th | 6.3 | | This critical SQL injection vulnerability in itsourcecode Library Management System 1.0 allows attac |
| 6193 | CVE-2025-30354 | | 39.7th | 4.3 | | A sandbox bypass vulnerability in Bruno IDE allows malicious API collection files to execute arbitra |
| 6194 | CVE-2025-8578 | | 39.7th | 8.8 | | This use-after-free vulnerability in Chrome's Cast component allows attackers to potentially exploit |
| 6195 | CVE-2025-11120 | | 39.7th | 8.8 | | A buffer overflow vulnerability in Tenda AC8 routers allows remote attackers to execute arbitrary co |
| 6196 | CVE-2025-10358 | | 39.6th | 7.3 | | This CVE describes a remote command injection vulnerability in Wavlink WL-WN578W2 routers. Attackers |
| 6197 | CVE-2025-11339 | | 39.7th | 8.8 | | A buffer overflow vulnerability in D-Link DI-7100G C1 routers allows remote attackers to execute arb |
| 6198 | CVE-2025-20354 | | 39.6th | 9.8 | | This critical vulnerability in Cisco Unified CCX allows unauthenticated remote attackers to upload a |
| 6199 | CVE-2021-47752 | | 39.6th | 7.5 | | CVE-2021-47752 is a denial of service vulnerability in AWebServer GhostBuilding 18 that allows remot |
| 6200 | CVE-2025-24169 | | 39.5th | 7.5 | | This vulnerability allows malicious applications to bypass browser extension authentication in Safar |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation — making it well suited to prioritizing which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.