Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 6451 | CVE-2025-31209 | 0.17% | 38.6th | 6.3 | | An out-of-bounds read vulnerability in Apple operating systems allows attackers to disclose user inf |
| 6452 | CVE-2024-13009 | 0.17% | 38.6th | 7.2 | | This vulnerability in Eclipse Jetty allows incorrect buffer release during gzip decompression errors |
| 6453 | CVE-2025-4270 | 0.17% | 38.5th | 5.3 | | This vulnerability in TOTOLINK A720R routers allows remote attackers to access sensitive system conf |
| 6454 | CVE-2025-30184 | 0.17% | 38.6th | 9.8 | | CVE-2025-30184 allows unauthenticated attackers to bypass authentication and access the CyberData 01 |
| 6455 | CVE-2025-8450 | 0.17% | 38.5th | 8.2 | | An improper access control vulnerability in Fortra's FileCatalyst Workflow component allows unauthen |
| 6456 | CVE-2025-8979 | 0.17% | 38.5th | 6.6 | | This vulnerability in Tenda AC15 routers allows attackers to bypass firmware update authentication c |
| 6457 | CVE-2023-7315 | 0.17% | 38.6th | 5.4 | | Nagios XI versions before 5.11.3 contain a cross-site scripting vulnerability in the Graph Explorer |
| 6458 | CVE-2023-7314 | 0.17% | 38.6th | 5.4 | | Nagios XI versions before 5.11.3 contain a cross-site scripting vulnerability in the Bandwidth Repor |
| 6459 | CVE-2023-7313 | 0.17% | 38.6th | 5.4 | | Nagios XI versions before 5.11.3 contain a cross-site scripting vulnerability in the Bulk Modificati |
| 6460 | CVE-2025-62868 | 0.17% | 38.5th | 8.1 | | This CVE describes a PHP Local File Inclusion vulnerability in the Edge CPT WordPress plugin, allowi |
| 6461 | CVE-2025-11023 | 0.17% | 38.5th | 9.8 | | This CVE describes a PHP Local File Inclusion vulnerability in ArkSigner's AcBakImzala software that |
| 6462 | CVE-2025-62029 | 0.17% | 38.5th | 8.1 | | This vulnerability allows attackers to include arbitrary local files through improper filename contr |
| 6463 | CVE-2025-59564 | 0.17% | 38.5th | 8.1 | | This vulnerability allows attackers to include local files on the server through improper filename c |
| 6464 | CVE-2025-59555 | 0.17% | 38.5th | 8.1 | | This vulnerability allows attackers to include local files on the server through improper filename c |
| 6465 | CVE-2025-59246 | 0.17% | 38.6th | 9.8 | | This critical vulnerability in Azure Entra ID (formerly Azure Active Directory) allows attackers to |
| 6466 | CVE-2025-62014 | 0.17% | 38.5th | 8.1 | | This vulnerability allows attackers to include and execute arbitrary PHP files on servers running th |
| 6467 | CVE-2025-60198 | 0.17% | 38.5th | 8.1 | | This vulnerability allows attackers to include local files on the server through improper filename c |
| 6468 | CVE-2025-53252 | 0.17% | 38.5th | 9.8 | | This vulnerability allows attackers to include local PHP files through improper filename control in |
| 6469 | CVE-2025-48290 | 0.17% | 38.5th | 9.8 | | This CVE describes a PHP Local File Inclusion vulnerability in the Kinsley WordPress theme. Attacker |
| 6470 | CVE-2025-60262 | 0.17% | 38.5th | 9.8 | | A vsftpd misconfiguration vulnerability in H3C wireless devices allows anonymous FTP uploads to be o |
| 6471 | CVE-2026-24905 | 0.17% | 38.5th | 7.8 | | CVE-2026-24905 is a command injection vulnerability in Inspektor Gadget's image building functionali |
| 6472 | CVE-2024-42168 | 0.17% | 38.4th | 8.9 | | HCL MyXalytics has an out-of-band resource load vulnerability where attackers can host malicious web |
| 6473 | CVE-2024-13212 | 0.17% | 38.4th | 6.3 | | This critical vulnerability in SingMR HouseRent 1.0 allows remote attackers to upload arbitrary file |
| 6474 | CVE-2024-35532 | 0.17% | 38.4th | 9.1 | | An XML External Entity (XXE) injection vulnerability in Intersec Geosafe-ea allows attackers to read |
| 6475 | CVE-2024-37451 | 0.17% | 38.4th | 4.3 | | This CSRF vulnerability in the Rara Theme Travel Agency WordPress theme allows attackers to trick au |
| 6476 | CVE-2024-37435 | 0.17% | 38.4th | 4.3 | | This CSRF vulnerability in the Rara Theme Perfect Portfolio WordPress theme allows attackers to tric |
| 6477 | CVE-2024-37093 | 0.17% | 38.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the MasterStudy LMS WordPress plugin allows att |
| 6478 | CVE-2024-54169 | 0.17% | 38.4th | 6.5 | | This vulnerability allows authenticated attackers to perform directory traversal attacks on IBM Enti |
| 6479 | CVE-2023-34398 | 0.17% | 38.4th | 7.5 | | A null pointer dereference vulnerability in the Boost library used by Mercedes-Benz NTG6 head units |
| 6480 | CVE-2025-25197 | 0.17% | 38.4th | 5.4 | | This Cross-Site Scripting (XSS) vulnerability in Silverstripe Elemental allows attackers to inject m |
| 6481 | CVE-2025-25213 | 0.17% | 38.5th | 6.5 | | This vulnerability allows clickjacking attacks on Wi-Fi AP UNIT 'AC-WPS-11ac series' devices. Attack |
| 6482 | CVE-2025-3170 | 0.17% | 38.4th | 7.3 | | A critical SQL injection vulnerability in Project Worlds Online Lawyer Management System 1.0 allows |
| 6483 | CVE-2024-11267 | 0.17% | 38.4th | 8.8 | | The JSP Store Locator WordPress plugin version 1.0 contains a SQL injection vulnerability due to ins |
| 6484 | CVE-2023-31585 | 0.17% | 38.4th | 9.8 | | Grocery-CMS-PHP-Restful-API v1.3 has an unrestricted file upload vulnerability in the /admin/add-cat |
| 6485 | CVE-2025-6561 | 0.17% | 38.4th | 9.8 | | Hunt Electronic HBF-09KD and HBF-16NK hybrid DVR models expose a system configuration file containin |
| 6486 | CVE-2025-51005 | 0.17% | 38.4th | 7.5 | | A heap buffer overflow vulnerability in tcpliveplay utility of tcpreplay 4.5.1 allows attackers to c |
| 6487 | CVE-2025-27224 | 0.17% | 38.4th | 9.8 | | This vulnerability allows unauthenticated attackers to upload malicious files to arbitrary locations |
| 6488 | CVE-2025-63216 | 0.17% | 38.4th | 10.0 | | This vulnerability allows attackers to bypass authentication on Itel DAB Gateway devices by reusing |
| 6489 | CVE-2025-67729 | 0.17% | 38.4th | 8.8 | | LMDeploy versions before 0.11.1 have an insecure deserialization vulnerability where torch.load() is |
| 6490 | CVE-2025-63389 | 0.17% | 38.4th | 9.8 | | A critical authentication bypass vulnerability in Ollama platform allows remote attackers to perform |
| 6491 | CVE-2025-64053 | 0.17% | 38.4th | 7.5 | | A buffer overflow vulnerability in Fanvil x210 VoIP phones running firmware 2.12.20 allows attackers |
| 6492 | CVE-2023-6425 | 0.17% | 38.4th | 6.3 | | This vulnerability allows attackers to inject malicious JavaScript into the BigProf Online Clinic Ma |
| 6493 | CVE-2021-34668 | 0.17% | 38.4th | 6.4 | | This vulnerability allows author-level users in WordPress to inject malicious JavaScript into folder |
| 6494 | CVE-2025-24604 | 0.17% | 38.2th | 5.4 | | This CVE describes a missing authorization vulnerability in the VForm WordPress plugin that allows a |
| 6495 | CVE-2025-23761 | 0.17% | 38.2th | 5.4 | | This CVE describes a missing authorization vulnerability in the Woo Tuner WordPress plugin that allo |
| 6496 | CVE-2025-0311 | 0.17% | 38.3th | 6.4 | | This stored XSS vulnerability in the Orbit Fox WordPress plugin allows authenticated attackers with |
| 6497 | CVE-2023-47807 | 0.17% | 38.3th | 4.3 | | This CVE describes a missing authorization vulnerability in the 10WebAnalytics WordPress plugin that |
| 6498 | CVE-2022-41995 | 0.17% | 38.3th | 4.3 | | This CVE describes a missing authorization vulnerability in the Gallery Images Ape WordPress plugin |
| 6499 | CVE-2024-56255 | 0.17% | 38.3th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the AyeCode Connect WordPress plugin tha |
| 6500 | CVE-2023-51300 | 0.17% | 38.3th | 6.1 | | PHPJabbers Hotel Booking System v4.0 contains multiple cross-site scripting (XSS) vulnerabilities in |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
