Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Rank | CVE ID | EPSS Score | Percentile | CVSS | Summary (truncated)
(Flags column: empty for every row shown)
6701 | CVE-2026-20937 | 0.05% | 15.5th | 5.5 | This vulnerability allows an authorized attacker with local access to a Windows system to access sen
6702 | CVE-2025-53035 | 0.05% | 15.4th | 6.5 | This vulnerability in Oracle Financial Services Analytical Applications Infrastructure allows authen
6703 | CVE-2025-69229 | 0.05% | 15.3th | 5.3 | AIOHTTP versions 3.13.2 and below contain a vulnerability where handling chunked HTTP messages can c
6704 | CVE-2026-20939 | 0.05% | 15.5th | 5.5 | This vulnerability allows an authorized attacker with local access to a Windows system to access sen
6705 | CVE-2025-59111 | 0.05% | 15.5th | 6.5 | Windu CMS version 4.1 has a broken access control vulnerability in user editing functionality that a
6706 | CVE-2025-55621 | 0.05% | 15.4th | 6.5 | An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauth
6707 | CVE-2025-68019 | 0.05% | 15.2th | 6.5 | This CVE describes a Missing Authorization vulnerability in the SEO Booster WordPress plugin that al
6708 | CVE-2025-66373 | 0.05% | 15.6th | 4.8 | CVE-2025-66373 is an HTTP request smuggling vulnerability in Akamai Ghost on Akamai CDN edge servers
6709 | CVE-2025-64148 | 0.05% | 15.4th | 4.3 | The Jenkins Publish to Bitbucket Plugin before version 0.5 has a missing permission check that allow
6710 | CVE-2025-60167 | 0.05% | 15.3th | 4.3 | This vulnerability in Page Manager for Elementor WordPress plugin exposes sensitive system informati
6711 | CVE-2025-59582 | 0.05% | 15.4th | 5.3 | This vulnerability in the WordPress Ajax Load More plugin allows unauthorized users to retrieve embe
6712 | CVE-2025-15482 | 0.05% | 15.4th | 5.3 | The Chapa Payment Gateway Plugin for WooCommerce exposes sensitive merchant API keys through an unau
6713 | CVE-2025-15508 | 0.05% | 15.4th | 5.3 | The Magic Import Document Extractor WordPress plugin exposes the site's magicimport.ai license key i
6714 | CVE-2025-15438 | 0.05% | 15.5th | 4.7 | This vulnerability in PluXml's Media Management Module allows remote attackers to execute arbitrary
6715 | CVE-2025-11581 | 0.05% | 15.5th | 5.3 | PowerJob versions up to 5.1.2 have an authorization bypass vulnerability in the OpenAPIController's
6716 | CVE-2024-53869 | 0.05% | 15.4th | 5.5 | The NVIDIA Unified Memory driver for Linux contains a vulnerability where an attacker could leak uni
6717 | CVE-2025-14856 | 0.05% | 15.5th | 6.3 | This vulnerability allows remote attackers to execute arbitrary code on RuoYi systems up to version
6718 | CVE-2025-57916 | 0.05% | 15.3th | 4.3 | The WP System Information WordPress plugin versions up to 1.5 expose sensitive system data to unauth
6719 | CVE-2022-44759 | 0.05% | 15.3th | 4.6 | This vulnerability in HCL Leap allows attackers to inject malicious scripts into SVG files, which th
6720 | CVE-2024-11922 | 0.05% | 15.3th | 6.3 | This cross-site scripting (XSS) vulnerability in Fortra's GoAnywhere web client allows authenticated
6721 | CVE-2025-57922 | 0.05% | 15.4th | 5.3 | This vulnerability in the Envíos Coordinadora Woocommerce WordPress plugin exposes sensitive inform
6722 | CVE-2025-57923 | 0.05% | 15.4th | 5.3 | The UK Address Postcode Validation WordPress plugin exposes API keys in sent data, allowing unauthor
6723 | CVE-2025-61754 | 0.05% | 15.4th | 6.5 | This vulnerability in Oracle BI Publisher allows authenticated attackers with low privileges to acce
6724 | CVE-2025-52647 | 0.05% | 15.4th | 6.1 | BigFix WebUI is vulnerable to Host Header Poisoning attacks where attackers can manipulate HTTP Host
6725 | CVE-2025-57937 | 0.05% | 15.3th | 4.3 | This vulnerability in the WPeMatico RSS Feed Fetcher WordPress plugin allows unauthorized users to r
6726 | CVE-2025-68558 | 0.05% | 15.2th | 6.5 | This CVE describes a Missing Authorization vulnerability in the Depicter Slider WordPress plugin tha
6727 | CVE-2025-12344 | 0.05% | 15.5th | 6.3 | This vulnerability in Yonyou U8 Cloud allows attackers to upload arbitrary files without authenticat
6728 | CVE-2025-0688 | 0.05% | 15.5th | 6.1 | This vulnerability allows attackers to execute malicious JavaScript in victims' browsers by tricking
6729 | CVE-2025-1364 | 0.05% | 15.3th | 5.3 | A critical stack-based buffer overflow vulnerability in MicroWord eScan Antivirus 7.0.32 on Linux al
6730 | CVE-2025-8344 | 0.05% | 15.4th | 6.3 | This critical vulnerability in openviglet shio allows remote attackers to upload arbitrary files wit
6731 | CVE-2025-62517 | 0.05% | 15.3th | 5.9 | This CVE describes a prototype pollution vulnerability in Rollbar.js's merge() function when rollbar
6732 | CVE-2025-68896 | 0.05% | 15.2th | 6.5 | This CVE describes a Missing Authorization vulnerability in the WordPress plugin WDV One Page Docs,
6733 | CVE-2025-13249 | 0.05% | 15.5th | 6.3 | This vulnerability allows remote attackers to upload arbitrary files to Jiusi OA systems via the Off
6734 | CVE-2025-21572 | 0.05% | 15.3th | 6.1 | OpenGrok 1.13.25 contains a reflected Cross-Site Scripting (XSS) vulnerability in its history view p
6735 | CVE-2025-14348 | 0.05% | 15.2th | 5.3 | The weMail WordPress plugin has an authorization bypass vulnerability that allows unauthenticated at
6736 | CVE-2026-24348 | 0.05% | 15.2th | 6.1 | Multiple cross-site scripting vulnerabilities in the Admin UI of EZCast Pro II allow attackers to in
6737 | CVE-2025-10282 | 0.05% | 15.4th | 4.7 | BBOT's GitLab module can leak GitLab API keys to attacker-controlled servers through maliciously for
6738 | CVE-2025-67724 | 0.05% | 15.5th | 5.4 | This vulnerability in Tornado web framework allows attackers to inject malicious content into HTTP h
6739 | CVE-2025-10749 | 0.05% | 15.4th | 5.4 | The Microsoft Azure Storage for WordPress plugin has a vulnerability that allows authenticated users
6740 | CVE-2025-7491 | 0.05% | 15.3th | 6.3 | This critical SQL injection vulnerability in PHPGurukul Vehicle Parking Management System 1.13 allow
6741 | CVE-2025-13949 | 0.05% | 15.5th | 6.3 | This vulnerability in ProudMuBai GoFilm allows attackers to upload arbitrary files without restricti
6742 | CVE-2025-3901 | 0.05% | 15.4th | 6.1 | This Cross-Site Scripting (XSS) vulnerability in Drupal's Bootstrap Site Alert module allows attacke
6743 | CVE-2026-1419 | 0.05% | 15.5th | 4.7 | This CVE describes a command injection vulnerability in D-Link DCS700l IP cameras running firmware v
6744 | CVE-2025-53023 | 0.05% | 15.4th | 4.9 | This vulnerability in MySQL Server's replication component allows authenticated high-privileged atta
6745 | CVE-2025-57202 | 0.05% | 15.4th | 6.1 | A stored cross-site scripting vulnerability in AVTECH SECURITY Corporation's DGM1104 device allows a
6746 | CVE-2025-1719 | 0.05% | 15.3th | 5.9 | IBM Concert versions 1.0.0 through 2.1.0 contain a heap memory disclosure vulnerability where sensit
6747 | CVE-2025-1722 | 0.05% | 15.3th | 5.9 | IBM Concert versions 1.0.0 through 2.1.0 contain a heap memory disclosure vulnerability where sensit
6748 | CVE-2025-12636 | 0.05% | 15.4th | 6.5 | This vulnerability in the Ubia camera ecosystem allows attackers to access improperly secured API cr
6749 | CVE-2025-31366 | 0.05% | 15.6th | 4.7 | This vulnerability allows unauthenticated attackers to perform reflected cross-site scripting (XSS)
6750 | CVE-2025-7520 | 0.05% | 15.3th | 6.3 | This critical SQL injection vulnerability in PHPGurukul Vehicle Parking Management System allows rem

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, which makes it well suited to prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
