Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

- 164 CVEs with EPSS > 50%
- 156 CVEs listed in CISA KEV
- 35,468 CVEs with an EPSS score
- 0.7% average EPSS score
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Summary |
|------|--------|------------|------------|------|---------|
| 6351 | CVE-2025-49684 | 0.05% | 16th | 5.5 | This vulnerability is a buffer over-read in the Storage Port Driver that allows an authenticated att |
| 6352 | CVE-2025-49658 | 0.05% | 16th | 5.5 | This vulnerability allows a local authenticated attacker to read memory outside the intended buffer |
| 6353 | CVE-2025-7182 | 0.05% | 16th | 4.3 | This vulnerability allows attackers to inject malicious scripts into the Student Transcript Processi |
| 6354 | CVE-2024-37658 | 0.05% | 16.2th | 6.1 | An open redirect vulnerability in gnuboard5 v5.5.16 allows attackers to redirect users to malicious |
| 6355 | CVE-2025-7078 | 0.05% | 16.2th | 4.3 | This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in 07FLYCMS, 07FLY-CMS, and 07F |
| 6356 | CVE-2025-46259 | 0.05% | 16.1th | 5.4 | This CVE describes a missing authorization vulnerability in The Plus Addons for Elementor Pro WordPr |
| 6357 | CVE-2025-55371 | 0.05% | 16.2th | 5.3 | This vulnerability in jshERP v3.5 allows unauthorized attackers to access sensitive handler informat |
| 6358 | CVE-2025-55367 | 0.05% | 16.2th | 5.3 | This vulnerability allows unauthorized attackers to modify supplier status information in jshERP v3. |
| 6359 | CVE-2025-55366 | 0.05% | 16.2th | 5.3 | This vulnerability in jshERP v3.5 allows attackers to bypass access controls in the UserController c |
| 6360 | CVE-2025-8023 | 0.05% | 16.1th | 6.8 | This vulnerability allows system administrators in Mattermost to perform path traversal attacks by m |
| 6361 | CVE-2025-50515 | 0.05% | 16th | 6.5 | This vulnerability allows attackers to execute arbitrary code on systems running phome Empirebak 201 |
| 6362 | CVE-2025-55675 | 0.05% | 16th | 6.5 | Apache Superset has an improper access control vulnerability where authenticated users can enumerate |
| 6363 | CVE-2025-49743 | 0.05% | 16.1th | 6.7 | A race condition vulnerability in Microsoft Graphics Component allows authenticated attackers to esc |
| 6364 | CVE-2025-8580 | 0.05% | 16th | 4.3 | This vulnerability allows attackers to create deceptive UI elements in Chrome through crafted HTML p |
| 6365 | CVE-2025-51308 | 0.05% | 16.2th | 5.3 | In Gatling Enterprise versions below 1.25.0, low-privileged users without admin roles can access rea |
| 6366 | CVE-2025-8620 | 0.05% | 16.1th | 5.3 | The GiveWP WordPress plugin up to version 4.6.0 exposes donor information including names, emails, a |
| 6367 | CVE-2025-54477 | 0.05% | 16.1th | 5.3 | This vulnerability allows attackers to enumerate valid usernames in Joomla's passkey authentication |
| 6368 | CVE-2025-8624 | 0.05% | 16.2th | 6.4 | The Nexa Blocks WordPress plugin has a stored XSS vulnerability in its Google Maps widget that allow |
| 6369 | CVE-2025-8623 | 0.05% | 16.1th | 6.4 | The WeedMaps Menu for WordPress plugin has a stored XSS vulnerability that allows authenticated atta |
| 6370 | CVE-2025-8608 | 0.05% | 16.2th | 6.4 | The Mihdan: Elementor Yandex Maps WordPress plugin has a stored XSS vulnerability that allows authen |
| 6371 | CVE-2025-8566 | 0.05% | 16.2th | 6.4 | The GutenBee WordPress plugin has a stored XSS vulnerability in its CountUp and Google Maps blocks. |
| 6372 | CVE-2025-8560 | 0.05% | 16.1th | 6.4 | The FancyTabs WordPress plugin has a stored XSS vulnerability in the 'title' parameter that allows a |
| 6373 | CVE-2025-10196 | 0.05% | 16.1th | 6.4 | The Survey Anyplace WordPress plugin has a stored XSS vulnerability in its 'surveyanyplace_embed' sh |
| 6374 | CVE-2025-10191 | 0.05% | 16.1th | 6.4 | This stored XSS vulnerability in the Big Post Shipping for WooCommerce WordPress plugin allows authe |
| 6375 | CVE-2025-10189 | 0.05% | 16.2th | 6.4 | The BP Direct Menus WordPress plugin has a stored XSS vulnerability in all versions up to 1.0.0. Aut |
| 6376 | CVE-2025-10182 | 0.05% | 16.2th | 6.4 | The dbview WordPress plugin has a stored XSS vulnerability in versions up to 0.5.5 that allows authe |
| 6377 | CVE-2025-10179 | 0.05% | 16.2th | 6.4 | The My AskAI WordPress plugin has a stored XSS vulnerability in all versions up to 1.0.0. Authentica |
| 6378 | CVE-2025-10168 | 0.05% | 16.1th | 6.4 | The Any News Ticker WordPress plugin has a stored XSS vulnerability that allows authenticated attack |
| 6379 | CVE-2025-10131 | 0.05% | 16.2th | 6.4 | The All Social Share Options WordPress plugin has a stored XSS vulnerability that allows authenticat |
| 6380 | CVE-2025-10130 | 0.05% | 16.1th | 6.4 | The Layers WordPress plugin has a stored XSS vulnerability in its 'webcam' shortcode that allows aut |
| 6381 | CVE-2025-10128 | 0.05% | 16.2th | 6.4 | This stored XSS vulnerability in the Eulerpool Research Systems WordPress plugin allows authenticate |
| 6382 | CVE-2025-11147 | 0.05% | 16.2th | 5.4 | This reflected cross-site scripting (XSS) vulnerability in Apt-Cacher-NG allows attackers to inject |
| 6383 | CVE-2025-11146 | 0.05% | 16.2th | 5.4 | CVE-2025-11146 is a reflected cross-site scripting vulnerability in Apt-Cacher-NG's web management i |
| 6384 | CVE-2025-10346 | 0.05% | 16.1th | 6.1 | This CVE describes a stored HTML injection vulnerability in Perfex CRM v3.2.1 that allows attackers |
| 6385 | CVE-2025-10345 | 0.05% | 16.1th | 6.1 | This CVE describes a stored HTML injection vulnerability in Perfex CRM v3.2.1 where attackers can in |
| 6386 | CVE-2025-10344 | 0.05% | 16.1th | 6.1 | Perfex CRM v3.2.1 has a stored HTML injection vulnerability that allows attackers to inject maliciou |
| 6387 | CVE-2025-10343 | 0.05% | 16.1th | 6.1 | This CVE describes a stored HTML injection vulnerability in Perfex CRM v3.2.1 where attackers can in |
| 6388 | CVE-2025-10342 | 0.05% | 16.1th | 6.1 | A stored HTML injection vulnerability in Perfex CRM v3.2.1 allows attackers to inject malicious HTML |
| 6389 | CVE-2025-8440 | 0.05% | 16.1th | 6.4 | The Team Members WordPress plugin has a stored XSS vulnerability in first and last name fields due t |
| 6390 | CVE-2025-10136 | 0.05% | 16.2th | 6.4 | The TweetThis Shortcode WordPress plugin has a stored XSS vulnerability that allows authenticated at |
| 6391 | CVE-2025-8906 | 0.05% | 16.2th | 6.4 | The Widgets for Tiktok Feed WordPress plugin has a stored cross-site scripting vulnerability in all |
| 6392 | CVE-2025-8200 | 0.05% | 16.1th | 6.4 | This vulnerability allows authenticated WordPress users with contributor-level access or higher to i |
| 6393 | CVE-2025-60249 | 0.05% | 16.2th | 6.4 | CVE-2025-60249 is a cross-site scripting (XSS) vulnerability in vulnerability-lookup 2.16.0 that all |
| 6394 | CVE-2025-10879 | 0.05% | 16.1th | 5.3 | Dingtian DT-R002 devices have an insufficiently protected credentials vulnerability that allows unau |
| 6395 | CVE-2025-8902 | 0.05% | 16.2th | 6.4 | The Widget Options - Extended WordPress plugin has a stored XSS vulnerability in all versions up to |
| 6396 | CVE-2025-58673 | 0.05% | 16th | 5.4 | This CVE describes a code injection vulnerability in the WP User Frontend WordPress plugin that allo |
| 6397 | CVE-2025-58234 | 0.05% | 16.2th | 6.5 | This stored cross-site scripting (XSS) vulnerability in JoomSky JS Job Manager allows attackers to i |
| 6398 | CVE-2025-58025 | 0.05% | 16.2th | 6.5 | This stored cross-site scripting (XSS) vulnerability in the Master Slider WordPress plugin allows at |
| 6399 | CVE-2025-57981 | 0.05% | 16.2th | 6.5 | This stored XSS vulnerability in the WP Social Widget WordPress plugin allows attackers to inject ma |
| 6400 | CVE-2025-58616 | 0.05% | 16.1th | 6.5 | CVE-2025-58616 is a missing authorization vulnerability in Frisbii Pay WordPress plugin that allows |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
