Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

164

EPSS > 50%

156

CISA KEV Listed

35,468

CVEs with EPSS

0.7%

Avg EPSS Score

All Critical High Medium Low

Rank	CVE ID	EPSS Score	Percentile	CVSS	Summary
6201	CVE-2024-9334	0.18%	39.6th	8.2	This vulnerability in E-Kent Pallium Vehicle Tracking software allows attackers to bypass authentica
6202	CVE-2025-24407	0.18%	39.5th	7.1	Adobe Commerce has an incorrect authorization vulnerability (CWE-863) that allows low-privileged att
6203	CVE-2025-24373	0.18%	39.5th	6.5	This vulnerability allows unauthorized users to access any PDF invoice or packing slip from a WooCom
6204	CVE-2024-8765	0.18%	39.5th	7.3	This vulnerability allows unauthenticated attackers to bypass authentication in lunary-ai/lunary by
6205	CVE-2024-44227	0.18%	39.5th	7.5	This CVE describes a memory handling vulnerability in Apple operating systems that could allow a mal
6206	CVE-2025-1848	0.18%	39.5th	6.3	This critical vulnerability in zj1983 zz software allows attackers to perform Server-Side Request Fo
6207	CVE-2025-1847	0.18%	39.5th	6.3	This CVE describes an improper authorization vulnerability in zj1983 zz software up to version 2024-
6208	CVE-2025-1833	0.18%	39.5th	6.3	This critical SSRF vulnerability in zj1983 zz software allows attackers to manipulate the 'url' para
6209	CVE-2025-23119	0.18%	39.5th	7.5	This CVE describes an Improper Neutralization of Escape Sequences vulnerability in UniFi Protect Cam
6210	CVE-2025-25453	0.18%	39.6th	4.6	This vulnerability allows attackers to cause a buffer overflow in Tenda AC10 routers via the AdvSetM
6211	CVE-2023-43037	0.18%	39.6th	6.5	This vulnerability in IBM Maximo Application Suite allows authenticated users to perform unauthorize
6212	CVE-2025-47947	0.18%	39.5th	7.5	ModSecurity versions up to 2.9.8 are vulnerable to a denial-of-service attack when processing JSON p
6213	CVE-2025-32926	0.18%	39.5th	9.8	This path traversal vulnerability in the Grand Restaurant WordPress theme allows attackers to access
6214	CVE-2025-46828	0.18%	39.5th	9.8	An unauthenticated SQL injection vulnerability in WeGIA versions up to 3.3.0 allows attackers to exe
6215	CVE-2026-1603	0.18%	39.5th	8.6	An authentication bypass vulnerability in Ivanti Endpoint Manager allows remote unauthenticated atta
6216	CVE-2025-26186	0.18%	39.5th	8.1	This SQL injection vulnerability in openSIS v9.1 allows remote attackers to execute arbitrary SQL co
6217	CVE-2025-22403	0.18%	39.5th	9.8	This critical vulnerability in Android's Bluetooth stack allows remote attackers to execute arbitrar
6218	CVE-2025-49554	0.18%	39.5th	7.5	Adobe Commerce has an improper input validation vulnerability (CWE-20) that allows unauthenticated a
6219	CVE-2025-58369	0.18%	39.6th	5.3	This CVE describes a denial-of-service vulnerability in fs2, a Scala streaming I/O library, where TL
6220	CVE-2020-37082	0.18%	39.5th	9.8	CVE-2020-37082 is an unauthenticated file access vulnerability in webERP 4.15.1 that allows remote a
6221	CVE-2024-9126	0.18%	39.5th	7.5	This CVE describes a use-after-free vulnerability in Google Chrome on iOS that could allow heap corr
6222	CVE-2026-0933	0.18%	39.5th	9.9	A command injection vulnerability in Wrangler's `pages deploy` command allows attackers who control
6223	CVE-2025-14901	0.18%	39.5th	6.5	This vulnerability allows unauthenticated attackers to replay form workflow executions in the Bit Fo
6224	CVE-2024-56404	0.18%	39.4th	9.9	An insecure direct object reference (IDOR) vulnerability in One Identity Identity Manager 9.x before
6225	CVE-2025-0565	0.18%	39.4th	7.3	CVE-2025-0565 is a critical SQL injection vulnerability in ZZCMS 2023 that allows remote attackers t
6226	CVE-2024-10498	0.18%	39.4th	6.5	This CVE describes a buffer overflow vulnerability in Schneider Electric devices that allows unautho
6227	CVE-2025-0465	0.18%	39.4th	7.3	A critical deserialization vulnerability in AquilaCMS allows remote attackers to execute arbitrary c
6228	CVE-2024-56238	0.18%	39.4th	5.3	This CVE describes a missing authorization vulnerability in the QuantumCloud Floating Action Buttons
6229	CVE-2024-12284	0.18%	39.4th	8.8	This vulnerability allows authenticated users on NetScaler Console and NetScaler Agent to escalate t
6230	CVE-2025-30155	0.18%	39.4th	4.3	Tuleap's REST API fails to enforce read permissions on parent trackers, allowing authenticated users
6231	CVE-2025-31547	0.18%	39.5th	8.5	This SQL injection vulnerability in the Uptime Robot Plugin for WordPress allows attackers to execut
6232	CVE-2025-31542	0.18%	39.5th	8.5	This SQL injection vulnerability in the WordPress My Auctions Allegro plugin allows attackers to exe
6233	CVE-2025-31526	0.18%	39.5th	8.5	This SQL injection vulnerability in the Behance Portfolio Manager WordPress plugin allows attackers
6234	CVE-2025-31466	0.18%	39.5th	8.5	This SQL injection vulnerability in Falcon Solutions' Duplicate Page and Post WordPress plugin allow
6235	CVE-2025-30819	0.18%	39.5th	8.5	This SQL injection vulnerability in the Simple Giveaways WordPress plugin allows attackers to execut
6236	CVE-2025-30810	0.18%	39.5th	8.5	This SQL injection vulnerability in the Lead Form Data Collection to CRM WordPress plugin allows att
6237	CVE-2025-30806	0.18%	39.5th	8.5	This SQL injection vulnerability in the Vimeotheque WordPress plugin allows attackers to execute arb
6238	CVE-2025-30784	0.18%	39.5th	8.5	This SQL injection vulnerability in WP Shuffle WP Subscription Forms allows attackers to execute arb
6239	CVE-2025-30775	0.18%	39.5th	8.5	This SQL injection vulnerability in WPGuppy WordPress plugin allows attackers to execute arbitrary S
6240	CVE-2025-30225	0.18%	39.4th	5.3	This vulnerability in Directus's S3 storage driver allows attackers to cause denial of service for a
6241	CVE-2025-29789	0.18%	39.4th	7.5	OpenEMR versions before 7.3.0 contain a directory traversal vulnerability in the Load Code feature t
6242	CVE-2025-30348	0.18%	39.4th	5.8	This vulnerability in Qt's QDom XML processing allows an attacker to cause a denial of service throu
6243	CVE-2024-9437	0.18%	39.5th	7.5	SuperAGI v0.0.14 is vulnerable to an unauthenticated Denial of Service attack where attackers can cr
6244	CVE-2024-10935	0.18%	39.5th	7.5	CVE-2024-10935 is a denial-of-service vulnerability in automatic1111/stable-diffusion-webui where ma
6245	CVE-2025-2376	0.18%	39.4th	7.3	CVE-2025-2376 is a critical deserialization vulnerability in viames Pair Framework's PHP Object Hand
6246	CVE-2024-13844	0.18%	39.4th	4.9	The Post SMTP WordPress plugin contains a SQL injection vulnerability in the 'columns' parameter tha
6247	CVE-2024-12036	0.18%	39.4th	7.5	The CS Framework plugin for WordPress has an arbitrary file read vulnerability that allows authentic
6248	CVE-2025-39569	0.18%	39.5th	8.5	This SQL injection vulnerability in Taskbuilder WordPress plugin allows attackers to execute arbitra
6249	CVE-2025-32558	0.18%	39.5th	8.5	This SQL injection vulnerability in the WordPress Duplicate Title Checker plugin allows attackers to
6250	CVE-2025-32148	0.18%	39.5th	8.5	This SQL injection vulnerability in the Daisycon prijsvergelijkers WordPress plugin allows attackers

← Previous Page 125 of 710 Next →

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability a CVE will be exploited in the wild within the next 30 days. Unlike CVSS which measures severity, EPSS measures likelihood of exploitation — making it ideal for prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.

Start Monitoring Free