Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:

- 164 CVEs with EPSS > 50%
- 156 CVEs listed in the CISA KEV catalog
- 35,468 CVEs with an EPSS score
- 0.7% average EPSS score
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 7001 | CVE-2025-4868 | 0.05% | 14.9th | 6.3 | | This critical vulnerability in merikbest ecommerce-spring-reactjs allows attackers to perform path t |
| 7002 | CVE-2025-57936 | 0.05% | 14.7th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the Meitar Subresource Integrity (SRI) M |
| 7003 | CVE-2025-56139 | 0.05% | 14.6th | 5.3 | | The LinkedIn Android app fails to update link preview metadata when users replace URLs before postin |
| 7004 | CVE-2024-49796 | 0.05% | 14.6th | 5.4 | | IBM ApplinX 11.1 contains a clickjacking vulnerability that allows attackers to hijack user clicks b |
| 7005 | CVE-2025-24533 | 0.05% | 14.8th | 5.4 | | A Cross-Site Request Forgery (CSRF) vulnerability in MetaSlider Responsive Slider WordPress plugin a |
| 7006 | CVE-2025-12346 | 0.05% | 14.8th | 6.3 | | This vulnerability in MaxSite CMS allows attackers to upload arbitrary files without restrictions by |
| 7007 | CVE-2025-61762 | 0.05% | 14.6th | 6.3 | | This vulnerability in Oracle PeopleSoft Enterprise FIN Payables 9.2 allows authenticated attackers w |
| 7008 | CVE-2025-12347 | 0.05% | 14.8th | 6.3 | | This vulnerability in MaxSite CMS allows remote attackers to upload arbitrary files without proper r |
| 7009 | CVE-2025-14035 | 0.05% | 14.6th | 4.4 | | The DebateMaster WordPress plugin has a stored XSS vulnerability in color options that allows authen |
| 7010 | CVE-2026-2146 | 0.05% | 14.6th | 6.3 | | This vulnerability allows remote attackers to upload arbitrary files without restrictions through th |
| 7011 | CVE-2026-25152 | 0.05% | 14.7th | 5.3 | | A path traversal vulnerability in Backstage's TechDocs local generator allows attackers to read arbi |
| 7012 | CVE-2025-11590 | 0.05% | 14.9th | 6.3 | | This vulnerability allows remote attackers to execute SQL injection attacks against CodeAstro Gym Ma |
| 7013 | CVE-2025-10825 | 0.05% | 14.9th | 6.3 | | This vulnerability allows remote attackers to execute arbitrary SQL commands through the viewid para |
| 7014 | CVE-2025-10826 | 0.05% | 14.9th | 6.3 | | Campcodes Online Beauty Parlor Management System 1.0 contains a SQL injection vulnerability in the / |
| 7015 | CVE-2025-13238 | 0.05% | 14.8th | 6.3 | | Bdtask Flight Booking Software 4 contains an unrestricted file upload vulnerability in the agent pro |
| 7016 | CVE-2025-10828 | 0.05% | 14.9th | 6.3 | | This SQL injection vulnerability in SourceCodester Pet Grooming Management Software allows attackers |
| 7017 | CVE-2025-5632 | 0.05% | 14.9th | 6.3 | | This critical SQL injection vulnerability in the NEWS-BUZZ 1.0 CMS allows remote attackers to execut |
| 7018 | CVE-2025-13683 | 0.05% | 14.8th | 6.5 | | This vulnerability in Devolutions Server and Remote Desktop Manager exposes credentials through unin |
| 7019 | CVE-2025-23055 | 0.05% | 14.7th | 5.5 | | An authenticated remote attacker can inject malicious scripts into the HPE Aruba Networking Fabric C |
| 7020 | CVE-2025-13244 | 0.05% | 14.6th | 4.3 | | This vulnerability allows attackers to inject malicious scripts into the Student Information System |
| 7021 | CVE-2025-42907 | 0.05% | 14.7th | 4.3 | | This vulnerability in SAP BI Platform allows attackers to modify the LogonToken IP address for OpenD |
| 7022 | CVE-2026-0696 | 0.05% | 14.9th | 6.5 | | ConnectWise PSA versions before 2026.1 fail to set HttpOnly attribute on certain session cookies, po |
| 7023 | CVE-2024-57954 | 0.05% | 14.7th | 6.2 | | A permission verification vulnerability in Huawei's media library module allows unauthorized access |
| 7024 | CVE-2025-23057 | 0.05% | 14.7th | 5.5 | | This vulnerability allows authenticated attackers to inject malicious scripts into the HPE Aruba Net |
| 7025 | CVE-2025-4893 | 0.05% | 14.9th | 6.3 | | This critical path traversal vulnerability in jammy928 CoinExchange_CryptoExchange_Java allows attac |
| 7026 | CVE-2025-27702 | 0.05% | 14.8th | 4.9 | | CVE-2025-27702 is a privilege escalation vulnerability in Absolute Secure Access management console |
| 7027 | CVE-2025-24537 | 0.05% | 14.8th | 5.4 | | A Cross-Site Request Forgery (CSRF) vulnerability in The Events Calendar WordPress plugin allows att |
| 7028 | CVE-2025-11591 | 0.05% | 14.9th | 6.3 | | This SQL injection vulnerability in CodeAstro Gym Management System 1.0 allows attackers to manipula |
| 7029 | CVE-2025-11592 | 0.05% | 14.9th | 6.3 | | This SQL injection vulnerability in CodeAstro Gym Management System 1.0 allows attackers to manipula |
| 7030 | CVE-2025-24540 | 0.05% | 14.8th | 4.3 | | This CSRF vulnerability in SeedProd's WordPress plugin allows attackers to trick authenticated admin |
| 7031 | CVE-2025-11593 | 0.05% | 14.9th | 6.3 | | This SQL injection vulnerability in CodeAstro Gym Management System 1.0 allows attackers to manipula |
| 7032 | CVE-2025-6815 | 0.05% | 14.7th | 5.5 | | This stored XSS vulnerability in the LatePoint WordPress plugin allows authenticated administrators |
| 7033 | CVE-2025-11038 | 0.05% | 14.9th | 6.3 | | CVE-2025-11038 is a SQL injection vulnerability in itsourcecode Online Clinic Management System 1.0 |
| 7034 | CVE-2023-37401 | 0.05% | 14.9th | 5.3 | | IBM Aspera Faspex versions 5.0.0 through 5.0.13.1 have an overly permissive cross-domain policy file |
| 7035 | CVE-2025-14467 | 0.05% | 14.6th | 4.4 | | The WP Job Portal WordPress plugin allows authenticated attackers with Editor-level access or higher |
| 7036 | CVE-2025-11041 | 0.05% | 14.9th | 6.3 | | CVE-2025-11041 is an SQL injection vulnerability in itsourcecode Open Source Job Portal 1.0 that all |
| 7037 | CVE-2025-12045 | 0.05% | 14.9th | 6.4 | | This vulnerability allows authenticated WordPress users with Author-level permissions or higher to i |
| 7038 | CVE-2025-24546 | 0.05% | 14.8th | 5.4 | | This CSRF vulnerability in the RSTheme Ultimate Coming Soon & Maintenance WordPress plugin allows at |
| 7039 | CVE-2025-57972 | 0.05% | 14.7th | 4.3 | | This CVE describes a missing authorization vulnerability in the WPFactory Helpdesk Support Ticket Sy |
| 7040 | CVE-2025-14609 | 0.05% | 14.7th | 5.3 | | The Wise Analytics WordPress plugin up to version 1.1.9 has a missing authorization vulnerability in |
| 7041 | CVE-2025-22503 | 0.05% | 14.8th | 4.3 | | This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in the 'Admin debug wordpress |
| 7042 | CVE-2025-53791 | 0.05% | 14.8th | 4.7 | | An improper access control vulnerability in Microsoft Edge allows attackers to bypass security featu |
| 7043 | CVE-2025-5493 | 0.05% | 14.9th | 6.3 | | This CVE describes a critical SQL injection vulnerability in Baison Channel Middleware Product 2.0.1 |
| 7044 | CVE-2025-24568 | 0.05% | 14.8th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Starter Templates WordPress pl |
| 7045 | CVE-2024-48892 | 0.05% | 14.7th | 6.8 | | A relative path traversal vulnerability in FortiSOAR allows authenticated attackers to read arbitrar |
| 7046 | CVE-2025-54959 | 0.05% | 14.6th | 4.3 | | Powered BLUE Server versions 0.20130927 and prior contain a path traversal vulnerability that allows |
| 7047 | CVE-2025-10840 | 0.05% | 14.9th | 6.3 | | This SQL injection vulnerability in SourceCodester Pet Grooming Management Software 1.0 allows attac |
| 7048 | CVE-2025-41226 | 0.05% | 14.6th | 6.8 | | This CVE describes a denial-of-service vulnerability in VMware ESXi where an authenticated attacker |
| 7049 | CVE-2025-27906 | 0.05% | 14.6th | 5.3 | | IBM Content Navigator versions 3.0.11 through 3.2.0 expose directory listings when accessing specifi |
| 7050 | CVE-2025-57985 | 0.05% | 14.7th | 4.3 | | This CVE describes a Missing Authorization vulnerability in MantraBrain Ultimate Watermark WordPress |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
