Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:
- EPSS > 50%: 164
- CISA KEV listed: 156
- CVEs with EPSS: 35,468
- Avg EPSS score: 0.7%
Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary
-----|--------|------------|------------|------|-------|--------
6951 | CVE-2025-11486 | 0.05% | 14.9th | 6.3 | | This SQL injection vulnerability in SourceCodester Farm Management System 1.0 allows attackers to ma
6952 | CVE-2025-53452 | 0.05% | 14.7th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the Event Rocket WordPress plugin that a
6953 | CVE-2025-22297 | 0.05% | 14.8th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the AIpost AI WP Writer WordPress plugin allows
6954 | CVE-2025-60143 | 0.05% | 14.7th | 4.3 | | This CVE describes a missing authorization vulnerability in the Netgsm WordPress plugin that allows
6955 | CVE-2025-8050 | 0.05% | 14.8th | 6.5 | | This path traversal vulnerability in OpenText Flipper allows attackers to access arbitrary files on
6956 | CVE-2025-26926 | 0.05% | 14.8th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the Booknetic WordPress plugin allows attackers
6957 | CVE-2025-22301 | 0.05% | 14.8th | 5.4 | | This CSRF vulnerability in the MyBookTable Bookstore WordPress plugin allows attackers to trick auth
6958 | CVE-2025-10727 | 0.05% | 14.6th | 5.4 | | This is a reflected cross-site scripting (XSS) vulnerability in ArkSigner's AcBakImzala software tha
6959 | CVE-2025-20301 | 0.05% | 14.6th | 6.5 | | This vulnerability allows an authenticated low-privileged remote attacker to bypass authorization an
6960 | CVE-2025-60148 | 0.05% | 14.7th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the WordPress Subscribe to Download plug
6961 | CVE-2025-50454 | 0.05% | 14.9th | 6.5 | | An authentication bypass vulnerability in Blue Access' Cobalt X1 software allows unauthorized attack
6962 | CVE-2025-68938 | 0.05% | 14.8th | 4.3 | | Gitea versions before 1.25.2 have an authorization flaw that allows users to delete releases they sh
6963 | CVE-2025-61906 | 0.05% | 14.9th | 4.3 | | Opencast's editor may publish videos without user notification when users with write access click 'S
6964 | CVE-2025-59551 | 0.05% | 14.7th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the WP Chill Revive.so WordPress plugin
6965 | CVE-2025-15468 | 0.05% | 14.6th | 5.9 | | A NULL pointer dereference vulnerability in OpenSSL's SSL_CIPHER_find() function when used with QUIC
6966 | CVE-2024-9648 | 0.05% | 14.8th | 6.1 | | The WP ULike Pro WordPress plugin allows unauthenticated attackers to upload malicious files with da
6967 | CVE-2025-4411 | 0.05% | 14.8th | 6.5 | | This CVE describes a cross-site scripting (XSS) vulnerability in Dataprom Informatics PACS-ACSS soft
6968 | CVE-2025-59559 | 0.05% | 14.7th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the Payrexx Payment Gateway for WooComme
6969 | CVE-2026-2207 | 0.05% | 14.6th | 5.3 | | This vulnerability in WeKan versions up to 8.20 allows remote attackers to access sensitive informat
6970 | CVE-2025-11908 | 0.05% | 14.8th | 6.3 | | This vulnerability allows remote attackers to upload arbitrary files to Shenzhen Ruiming Technology
6971 | CVE-2025-59561 | 0.05% | 14.7th | 4.3 | | This CVE describes a missing authorization vulnerability in the hashthemes Smart Blocks WordPress pl
6972 | CVE-2025-60159 | 0.05% | 14.7th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the Nota Fiscal Eletrônica WooCommerce
6973 | CVE-2025-9264 | 0.05% | 14.7th | 5.4 | | This vulnerability in Xuxueli xxl-job allows remote attackers to manipulate job ID parameters to imp
6974 | CVE-2025-42939 | 0.05% | 14.7th | 4.3 | | CVE-2025-42939 is an authorization bypass vulnerability in SAP S/4HANA's Manage Processing Rules for
6975 | CVE-2025-60166 | 0.05% | 14.7th | 4.3 | | This CVE describes a Missing Authorization vulnerability in WP Subscription Forms PRO WordPress plug
6976 | CVE-2025-64174 | 0.05% | 14.7th | 4.8 | | This stored XSS vulnerability in Magento-lts allows attackers with admin database access or control
6977 | CVE-2025-10732 | 0.05% | 14.8th | 4.3 | | The SureForms WordPress plugin has an access control vulnerability in its REST API endpoint that all
6978 | CVE-2025-59576 | 0.05% | 14.7th | 6.5 | | This CVE describes a missing authorization vulnerability in the MasterStudy LMS WordPress plugin tha
6979 | CVE-2024-45341 | 0.05% | 14.8th | 6.1 | | This vulnerability allows certificates with IPv6 addresses containing zone IDs to incorrectly satisf
6980 | CVE-2025-20166 | 0.05% | 14.8th | 5.4 | | This cross-site scripting (XSS) vulnerability in Cisco CSPC's web management interface allows authen
6981 | CVE-2025-11515 | 0.05% | 14.9th | 6.3 | | This SQL injection vulnerability in code-projects Online Complaint Site 1.0 allows remote attackers
6982 | CVE-2025-20168 | 0.05% | 14.8th | 5.4 | | An authenticated cross-site scripting (XSS) vulnerability in Cisco CSPC's web management interface a
6983 | CVE-2025-11516 | 0.05% | 14.9th | 6.3 | | This CVE describes a SQL injection vulnerability in code-projects Online Complaint Site 1.0. Attacke
6984 | CVE-2025-62644 | 0.05% | 14.9th | 5.0 | | The RBI assistant platform's Global Store Directory improperly shares personal information among aut
6985 | CVE-2025-62181 | 0.05% | 14.7th | 5.3 | | Pega Platform versions 7.1.0 through Infinity 25.1.0 have a user enumeration vulnerability in the de
6986 | CVE-2025-9174 | 0.05% | 14.7th | 5.3 | | This vulnerability in neurobin shc up to version 4.0.3 allows local command injection through the fi
6987 | CVE-2025-59591 | 0.05% | 14.7th | 4.3 | | This CVE describes a missing authorization vulnerability in the wpDiscuz WordPress plugin that allow
6988 | CVE-2025-4595 | 0.05% | 14.7th | 6.4 | | The FastSpring WordPress plugin has a stored XSS vulnerability in its product catalog block that all
6989 | CVE-2025-9176 | 0.05% | 14.7th | 5.3 | | This CVE describes a command injection vulnerability in neurobin shc versions up to 4.0.3. Attackers
6990 | CVE-2025-57917 | 0.05% | 14.7th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the Printcart Web to Print Product Desig
6991 | CVE-2025-31990 | 0.05% | 14.7th | 6.8 | | HCL Velocity lacks rate limiting on certain API calls, allowing attackers to flood the system with r
6992 | CVE-2025-13061 | 0.05% | 14.8th | 6.3 | | CVE-2025-13061 is an unrestricted file upload vulnerability in itsourcecode Online Voting System 1.0
6993 | CVE-2025-5292 | 0.05% | 14.7th | 6.4 | | This stored XSS vulnerability in Element Pack Addons for Elementor allows authenticated attackers wi
6994 | CVE-2025-11530 | 0.05% | 14.9th | 6.3 | | CVE-2025-11530 is a SQL injection vulnerability in code-projects Online Complaint Site 1.0 that allo
6995 | CVE-2025-54162 | 0.05% | 14.9th | 4.9 | | This path traversal vulnerability in QNAP File Station 5 allows authenticated administrators to read
6996 | CVE-2025-36530 | 0.05% | 14.6th | 6.8 | | This vulnerability allows restricted admin users in Mattermost to install unauthorized custom plugin
6997 | CVE-2025-5690 | 0.05% | 14.8th | 6.5 | | PostgreSQL Anonymizer versions 2.0-2.1 contain a data exposure vulnerability where users with masked
6998 | CVE-2024-12345 | 0.05% | 14.8th | 4.4 | | This vulnerability in INW Krbyyyzo 25.2002 allows attackers to cause resource consumption (denial of
6999 | CVE-2025-11589 | 0.05% | 14.9th | 6.3 | | This SQL injection vulnerability in CodeAstro Gym Management System 1.0 allows attackers to manipula
7000 | CVE-2024-13188 | 0.05% | 14.8th | 5.3 | | This vulnerability in MicroWorld eScan Antivirus 7.0.32 on Linux allows local attackers to exploit i

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
