Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

164 CVEs with EPSS > 50%
156 CVEs listed in the CISA KEV catalog
35,468 CVEs with an EPSS score
0.7% average EPSS score
Rank | CVE ID | EPSS Score | Percentile | CVSS | Summary
6401 | CVE-2025-48980 | 0.05% | 16th | 6.5 | This vulnerability in Brave Browser Desktop allows SameSite=Strict cookies to be sent during cross-s
6402 | CVE-2025-53533 | 0.05% | 16.2th | 6.1 | Pi-hole Admin Interface versions 6.2.1 and earlier contain a reflected cross-site scripting (XSS) vu
6403 | CVE-2025-60729 | 0.05% | 16.2th | 5.3 | PerfreeBlog v4.0.11 contains an arbitrary file read vulnerability in the validThemeFilePath function
6404 | CVE-2025-9978 | 0.05% | 15.9th | 6.8 | The Jeg Kit for Elementor WordPress plugin before version 2.7.0 fails to sanitize SVG file contents
6405 | CVE-2025-56007 | 0.05% | 16.1th | 6.5 | This CRLF injection vulnerability in KeeneticOS allows attackers to add unauthorized administrative
6406 | CVE-2025-62597 | 0.05% | 16.1th | 6.1 | WeGIA versions before 3.5.1 contain a reflected cross-site scripting (XSS) vulnerability in the edit
6407 | CVE-2025-10194 | 0.05% | 16.1th | 6.4 | This stored XSS vulnerability in the WordPress Shortcode Button plugin allows authenticated attacker
6408 | CVE-2025-10141 | 0.05% | 16.1th | 6.4 | The Digiseller WordPress plugin has a stored XSS vulnerability in all versions up to 1.3.0. Authenti
6409 | CVE-2025-10140 | 0.05% | 16.1th | 6.4 | The Quick Social Login WordPress plugin has a stored XSS vulnerability in all versions up to 1.4.6.
6410 | CVE-2025-10139 | 0.05% | 16.1th | 6.4 | The WP BookWidgets WordPress plugin has a stored XSS vulnerability in its 'bw_link' shortcode that a
6411 | CVE-2025-10135 | 0.05% | 16.2th | 6.4 | The WP ViewSTL WordPress plugin has a stored XSS vulnerability that allows authenticated attackers w
6412 | CVE-2025-10133 | 0.05% | 16.2th | 6.4 | The URLYar URL Shortener WordPress plugin has a stored XSS vulnerability that allows authenticated a
6413 | CVE-2025-10132 | 0.05% | 16.2th | 6.4 | The Dhivehi Text WordPress plugin has a stored XSS vulnerability in all versions up to 0.1. Authenti
6414 | CVE-2025-11161 | 0.05% | 16.2th | 6.4 | The WPBakery Page Builder WordPress plugin has a stored XSS vulnerability in the vc_custom_heading s
6415 | CVE-2025-11160 | 0.05% | 16.2th | 6.4 | This vulnerability allows authenticated WordPress users with contributor-level access or higher to i
6416 | CVE-2025-8561 | 0.05% | 16.1th | 6.4 | The Ova Advent WordPress plugin has a stored XSS vulnerability in all versions up to 1.1.7. Authenti
6417 | CVE-2025-66278 | 0.05% | 16.2th | 6.5 | A path traversal vulnerability in QNAP File Station 5 allows authenticated attackers to read arbitra
6418 | CVE-2025-58470 | 0.05% | 16.2th | 6.5 | A path traversal vulnerability in Qsync Central allows authenticated attackers to read arbitrary fil
6419 | CVE-2025-58467 | 0.05% | 16.2th | 6.5 | A relative path traversal vulnerability in Qsync Central allows authenticated attackers to read arbi
6420 | CVE-2025-55248 | 0.05% | 16th | 4.8 | This vulnerability involves inadequate encryption strength in .NET, .NET Framework, and Visual Studi
6421 | CVE-2025-42901 | 0.05% | 16.2th | 5.4 | CVE-2025-42901 is a stored cross-site scripting (XSS) vulnerability in SAP Application Server for AB
6422 | CVE-2025-31992 | 0.05% | 16th | 4.6 | HCL Unica MaxAI Assistant has a HTML injection vulnerability where attackers can inject malicious HT
6423 | CVE-2025-10190 | 0.05% | 16.1th | 6.4 | The WP Easy Toggles WordPress plugin has a stored cross-site scripting vulnerability that allows aut
6424 | CVE-2025-10167 | 0.05% | 16.1th | 6.4 | This stored XSS vulnerability in the Stock History & Reports Manager for WooCommerce WordPress plugi
6425 | CVE-2025-11197 | 0.05% | 16.1th | 6.4 | The Draft List WordPress plugin has a stored XSS vulnerability in versions up to 2.6.1 that allows a
6426 | CVE-2025-9560 | 0.05% | 16.1th | 6.4 | The Colibri Page Builder WordPress plugin has a stored XSS vulnerability in its newsletter shortcode
6427 | CVE-2025-7781 | 0.05% | 16.2th | 6.4 | The WP JobHunt plugin for WordPress (used by JobCareer theme) has a stored XSS vulnerability in the
6428 | CVE-2025-11570 | 0.05% | 16.1th | 4.6 | This vulnerability allows cross-site scripting (XSS) attacks in the drupal-pattern-lab/unified-twig-
6429 | CVE-2025-9371 | 0.05% | 16.2th | 6.4 | The Betheme WordPress theme has a stored XSS vulnerability in the page_title parameter that allows a
6430 | CVE-2025-60299 | 0.05% | 16.2th | 5.4 | An authenticated user in Novel-Plus 5.2.0 can inject malicious JavaScript via the replyContent param
6431 | CVE-2025-60298 | 0.05% | 16.1th | 5.4 | Novel-Plus up to version 5.2.4 contains a stored XSS vulnerability in the /author/updateIndexName en
6432 | CVE-2025-60961 | 0.05% | 16.2th | 6.1 | This Cross-Site Scripting (XSS) vulnerability in EndRun Technologies Sonoma D12 Network Time Server
6433 | CVE-2025-61681 | 0.05% | 16.2th | 5.4 | KUNO CMS versions 1.3.13 and below contain a stored cross-site scripting (XSS) vulnerability in the
6434 | CVE-2025-9876 | 0.05% | 16.2th | 6.4 | The Ird Slider WordPress plugin has a stored cross-site scripting vulnerability that allows authenti
6435 | CVE-2025-9859 | 0.05% | 16.2th | 6.4 | The Fintelligence Calculator WordPress plugin has a stored XSS vulnerability in all versions up to 1
6436 | CVE-2025-9854 | 0.05% | 16.2th | 6.4 | This vulnerability allows authenticated WordPress users with contributor-level access or higher to i
6437 | CVE-2025-9206 | 0.05% | 16.1th | 6.4 | The Meks Easy Maps WordPress plugin has a stored cross-site scripting vulnerability in versions up t
6438 | CVE-2025-9130 | 0.05% | 16.1th | 6.4 | The Unify WordPress plugin has a stored cross-site scripting vulnerability that allows authenticated
6439 | CVE-2025-9129 | 0.05% | 16.1th | 6.4 | The Flexi WordPress plugin has a stored XSS vulnerability in its flexi-form-tag shortcode that allow
6440 | CVE-2025-9077 | 0.05% | 16.2th | 6.4 | This stored XSS vulnerability in Ultra Addons Lite for Elementor allows authenticated attackers with
6441 | CVE-2025-8776 | 0.05% | 16.1th | 6.4 | The Epic Bootstrap Buttons WordPress plugin has a stored XSS vulnerability in all versions up to 1.0
6442 | CVE-2025-27236 | 0.05% | 16.2th | 6.5 | A Zabbix API vulnerability allows authenticated users to search other users in their group and acces
6443 | CVE-2025-10192 | 0.05% | 16.1th | 6.4 | The WP Photo Effects WordPress plugin has a stored XSS vulnerability in all versions up to 1.2.4. Au
6444 | CVE-2025-56154 | 0.05% | 16.2th | 6.1 | htmly v3.0.8 contains a reflected cross-site scripting (XSS) vulnerability in the /author/:name endp
6445 | CVE-2025-12760 | 0.05% | 15.9th | 5.4 | This vulnerability allows attackers to bypass two-factor authentication (2FA) in Drupal's Email TFA
6446 | CVE-2025-60674 | 0.05% | 16.2th | 6.8 | A stack buffer overflow vulnerability in D-Link DIR-878A1 router firmware allows attackers with phys
6447 | CVE-2025-60782 | 0.05% | 16.2th | 5.4 | PHP Education Manager v1.0 has a stored XSS vulnerability in the topics management module where atta
6448 | CVE-2025-66422 | 0.05% | 15.9th | 4.3 | This vulnerability in Tryton's trytond server allows remote attackers to obtain sensitive trace-back
6449 | CVE-2025-13770 | 0.05% | 16.2th | 6.5 | WebITR software developed by Uniong contains a SQL injection vulnerability that allows authenticated
6450 | CVE-2025-13769 | 0.05% | 16.2th | 6.5 | CVE-2025-13769 is a SQL injection vulnerability in WebITR software developed by Uniong. Authenticate

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
