Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:
- CVEs with EPSS > 50%: 164
- CISA KEV listed: 156
- CVEs with an EPSS score: 35,468
- Average EPSS score: 0.7%
Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary (truncated on the source page)
---- | ------ | ---------- | ---------- | ---- | ----- | --------------------------------------
6601 | CVE-2025-29512 | 0.17% | 38th | 6.1 | | A stored Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and earlier allows attackers to i
6602 | CVE-2025-39571 | 0.17% | 37.9th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the WPXPO WowStore WordPress plugin that
6603 | CVE-2025-32212 | 0.17% | 37.9th | 6.5 | | This CVE describes a missing authorization vulnerability in the Specia Companion WordPress plugin th
6604 | CVE-2025-31004 | 0.17% | 37.9th | 4.3 | | This CVE describes a missing authorization vulnerability in the Croover.inc Rich Table of Contents W
6605 | CVE-2025-32358 | 0.17% | 38th | 4.0 | | This vulnerability allows authenticated admin users in Zammad to perform Server-Side Request Forgery
6606 | CVE-2025-32277 | 0.17% | 37.9th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the RepairBuddy WordPress plugin that al
6607 | CVE-2025-32239 | 0.17% | 37.9th | 4.3 | | This CVE describes a missing authorization vulnerability in the GetSocial.io WordPress plugin that a
6608 | CVE-2025-32237 | 0.17% | 37.9th | 4.3 | | A missing authorization vulnerability in Stylemix MasterStudy LMS WordPress plugin allows attackers
6609 | CVE-2025-32234 | 0.17% | 37.9th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the AdMail WordPress plugin that allows
6610 | CVE-2025-32232 | 0.17% | 37.9th | 4.3 | | This CVE describes a missing authorization vulnerability in the ERA404 StaffList WordPress plugin th
6611 | CVE-2025-32229 | 0.17% | 37.9th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the Bowo Variable Inspector WordPress pl
6612 | CVE-2025-31541 | 0.17% | 37.9th | 6.5 | | This CVE describes a missing authorization vulnerability in the TuriTop Booking System WordPress plu
6613 | CVE-2025-31525 | 0.17% | 37.9th | 4.3 | | This CVE describes a missing authorization vulnerability in the WP Mobile Bottom Menu WordPress plug
6614 | CVE-2025-31886 | 0.17% | 37.9th | 4.3 | | This CVE describes a missing authorization vulnerability in the Repuso Social Proof Testimonials and
6615 | CVE-2025-31865 | 0.17% | 37.9th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the CartBoss SMS Abandoned Cart Recovery
6616 | CVE-2025-31846 | 0.17% | 37.9th | 4.3 | | This CVE describes a missing authorization vulnerability in the Theater for WordPress plugin that al
6617 | CVE-2025-31831 | 0.17% | 37.9th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the AtomChat WordPress plugin that allow
6618 | CVE-2025-31799 | 0.17% | 37.9th | 4.3 | | CVE-2025-31799 is a missing authorization vulnerability in the Publitio WordPress plugin that allows
6619 | CVE-2025-31732 | 0.17% | 37.9th | 4.3 | | This CVE describes a missing authorization vulnerability in the GB Gallery Slideshow WordPress plugi
6620 | CVE-2025-43567 | 0.17% | 37.9th | 9.3 | | Adobe Connect versions 12.8 and earlier contain a reflected Cross-Site Scripting (XSS) vulnerability
6621 | CVE-2024-8419 | 0.17% | 38th | 7.5 | | This vulnerability allows unauthorized remote attackers to trigger a fail-safe state on affected sys
6622 | CVE-2025-36529 | 0.17% | 38th | 7.2 | | This CVE describes an OS command injection vulnerability in TB-eye network recorders and AHD recorde
6623 | CVE-2025-7797 | 0.17% | 38.1th | 5.3 | | A null pointer dereference vulnerability in GPAC's DASH client allows remote attackers to cause deni
6624 | CVE-2025-52983 | 0.17% | 37.9th | 7.2 | | This vulnerability allows network-based, unauthenticated attackers to gain root access to Juniper Ju
6625 | CVE-2025-56426 | 0.17% | 38th | 6.5 | | A remote code execution vulnerability in WebKul Bagisto v2.3.6 allows attackers to execute arbitrary
6626 | CVE-2025-43889 | 0.17% | 37.9th | 5.3 | | Dell PowerProtect Data Domain systems running vulnerable DD OS versions contain a path traversal vul
6627 | CVE-2025-11227 | 0.17% | 38th | 6.5 | | The GiveWP WordPress plugin has an information disclosure vulnerability that allows unauthenticated
6628 | CVE-2025-65946 | 0.17% | 37.9th | 8.1 | | CVE-2025-65946 is a command injection vulnerability in Roo Code AI coding agent versions before 3.26
6629 | CVE-2025-11921 | 0.17% | 38th | N/A | | CVE-2025-11921 is a privilege escalation vulnerability in iStats (iStat Menus) where local unprivile
6630 | CVE-2025-59118 | 0.17% | 38th | 7.3 | | This vulnerability allows attackers to upload malicious files to Apache OFBiz servers, potentially l
6631 | CVE-2024-58338 | 0.17% | 38th | 10.0 | | Anevia Flamingo XL 3.2.9 contains a restricted shell escape vulnerability that allows remote attacke
6632 | CVE-2025-13972 | 0.17% | 38th | 4.9 | | The WatchTowerHQ WordPress plugin contains an arbitrary file read vulnerability that allows authenti
6633 | CVE-2025-65814 | 0.17% | 38th | 6.5 | | CVE-2025-65814 is a directory traversal vulnerability in RHOPHI Analytics LLP Office App-Edit Word v
6634 | CVE-2025-65573 | 0.17% | 37.9th | 8.8 | | A Cross-Site Request Forgery (CSRF) vulnerability in AllskyTeam AllSky software allows attackers to
6635 | CVE-2026-2082 | 0.17% | 38th | 4.7 | | This CVE describes an OS command injection vulnerability in D-Link DIR-823X routers. Attackers can r
6636 | CVE-2026-24307 | 0.17% | 38th | 9.3 | | This vulnerability in M365 Copilot allows unauthorized attackers to access sensitive information ove
6637 | CVE-2026-24058 | 0.17% | 38th | 9.8 | | Soft Serve versions 0.11.2 and below have a critical authentication bypass vulnerability that allows
6638 | CVE-2025-47283 | 0.17% | 38th | 9.9 | | A privilege escalation vulnerability in Gardener allows project administrators to gain control over
6639 | CVE-2025-68707 | 0.17% | 38th | 8.8 | | An authentication bypass vulnerability in Tongyu AX1800 Wi-Fi 6 Router firmware allows attackers on
6640 | CVE-2025-56424 | 0.17% | 38th | 7.5 | | This vulnerability in Insiders Technologies GmbH e-invoice pro allows remote attackers to cause deni
6641 | CVE-2025-12543 | 0.17% | 38th | 9.6 | | CVE-2025-12543 is a critical vulnerability in Undertow HTTP server core where improper Host header v
6642 | CVE-2025-24293 | 0.17% | 37.9th | N/A | | This CVE describes a command injection vulnerability in Active Storage when used with image_processi
6643 | CVE-2025-22605 | 0.17% | 37.9th | 7.8 | | This vulnerability allows authenticated users in Coolify to execute arbitrary code on the Coolify co
6644 | CVE-2025-21620 | 0.17% | 37.9th | 7.5 | | Deno's fetch() redirect handling leaks Authorization headers to unintended domains when following cr
6645 | CVE-2023-23672 | 0.17% | 37.8th | 5.4 | | CVE-2023-23672 is a missing authorization vulnerability in the GiveWP WordPress plugin that allows a
6646 | CVE-2022-45811 | 0.17% | 37.8th | 5.4 | | CVE-2022-45811 is a missing authorization vulnerability in the WordPress Post Teaser plugin that all
6647 | CVE-2024-56257 | 0.17% | 37.8th | 6.5 | | This DOM-based cross-site scripting (XSS) vulnerability in the CoolPlugins Coins MarketCap WordPress
6648 | CVE-2024-56302 | 0.17% | 37.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the ConvertCalculator WordPress plugin allow
6649 | CVE-2024-56263 | 0.17% | 37.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the GS Shots for Dribbble WordPress plugi
6650 | CVE-2024-56261 | 0.17% | 37.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Project Showcase plugin allows

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
