Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 7051 | CVE-2026-1722 | | 14.7th | 5.3 | | This vulnerability allows unauthenticated attackers to create arbitrary refund requests for any orde |
| 7052 | CVE-2025-64030 | | 14.7th | 5.4 | | Eximbills Enterprise 4.1.5 is vulnerable to authenticated stored cross-site scripting (XSS) where ma |
| 7053 | CVE-2025-23996 | | 14.8th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the AnyRoad WordPress plugin allows attackers t |
| 7054 | CVE-2025-15325 | | 14.6th | 6.3 | | CVE-2025-15325 is an SQL injection vulnerability in Tanium Discover due to improper input validation |
| 7055 | CVE-2025-50103 | | 14.7th | 4.4 | | A vulnerability in MySQL Server's LDAP authentication component allows high-privileged attackers wit |
| 7056 | CVE-2025-12223 | | 14.8th | 6.3 | | This vulnerability in Bdtask Flight Booking Software allows attackers to upload arbitrary files with |
| 7057 | CVE-2025-57995 | | 14.7th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the DethemeKit For Elementor WordPress p |
| 7058 | CVE-2025-11399 | | 14.9th | 6.3 | | This SQL injection vulnerability in SourceCodester Hotel and Lodge Management System 1.0 allows atta |
| 7059 | CVE-2025-13739 | | 14.9th | 6.4 | | The CryptX WordPress plugin has a stored cross-site scripting vulnerability in its shortcode functio |
| 7060 | CVE-2025-11400 | | 14.9th | 6.3 | | This SQL injection vulnerability in SourceCodester Hotel and Lodge Management System 1.0 allows atta |
| 7061 | CVE-2025-28881 | | 14.8th | 4.3 | | This CSRF vulnerability in mg12 Mobile Themes WordPress plugin allows attackers to trick authenticat |
| 7062 | CVE-2025-29267 | | 14.6th | 6.5 | | This SQL injection vulnerability in Abis, Inc Adjutant Core Accounting ERP allows remote attackers t |
| 7063 | CVE-2025-11401 | | 14.9th | 6.3 | | This vulnerability allows remote attackers to execute arbitrary SQL commands via the 'currcode' para |
| 7064 | CVE-2025-28884 | | 14.8th | 4.3 | | This CSRF vulnerability in WP Bulk Post Duplicator WordPress plugin allows attackers to trick authen |
| 7065 | CVE-2025-24623 | | 14.8th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the Really Simple SSL WordPress plugin allows a |
| 7066 | CVE-2025-69055 | | 14.7th | 6.5 | | This path traversal vulnerability in SeaTheme BM Content Builder WordPress plugin allows attackers t |
| 7067 | CVE-2025-28887 | | 14.8th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the WordPress 'Plugins Last Updated Column' plu |
| 7068 | CVE-2025-11402 | | 14.9th | 6.3 | | This vulnerability allows remote attackers to execute arbitrary SQL commands via the ID parameter in |
| 7069 | CVE-2025-12174 | | 14.6th | 6.5 | | This vulnerability in the Directorist WordPress plugin allows authenticated attackers with Subscribe |
| 7070 | CVE-2025-11239 | | 14.8th | 4.3 | | This vulnerability in KNIME Business Hub allows unauthorized team members to view sensitive informat |
| 7071 | CVE-2025-11403 | | 14.9th | 6.3 | | This SQL injection vulnerability in SourceCodester Hotel and Lodge Management System 1.0 allows remo |
| 7072 | CVE-2025-54760 | | 14.8th | 5.4 | | This stored cross-site scripting (XSS) vulnerability in desknet's NEO allows attackers to inject mal |
| 7073 | CVE-2025-14086 | | 14.8th | 6.3 | | This vulnerability in youlaitech youlai-mall allows attackers to bypass access controls by manipulat |
| 7074 | CVE-2025-13993 | | 14.6th | 5.5 | | The MailerLite WordPress plugin is vulnerable to stored cross-site scripting (XSS) in versions up to |
| 7075 | CVE-2025-55072 | | 14.8th | 5.4 | | A stored cross-site scripting (XSS) vulnerability in desknet's NEO allows attackers to inject malici |
| 7076 | CVE-2026-22645 | | 14.8th | 5.3 | | This vulnerability allows unauthenticated attackers to view detailed information about all software |
| 7077 | CVE-2025-24647 | | 14.8th | 5.4 | | This CSRF vulnerability in the WooCommerce Cloak Affiliate Links WordPress plugin allows attackers t |
| 7078 | CVE-2025-28902 | | 14.8th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the Contact Form 7 Select Box Editor Button Wor |
| 7079 | CVE-2025-54822 | | 14.6th | 4.3 | | An authenticated attacker can access static files from other VDOMs (Virtual Domains) in affected For |
| 7080 | CVE-2025-13118 | | 14.6th | 6.3 | | This vulnerability in macrozheng mall-swarm and mall allows attackers to bypass authorization by man |
| 7081 | CVE-2025-10489 | | 14.7th | 4.3 | | This vulnerability allows authenticated WordPress users with Contributor-level access or higher to c |
| 7082 | CVE-2025-64521 | | 14.8th | 4.8 | | This vulnerability allows deactivated service accounts in authentik to still authenticate via OAuth |
| 7083 | CVE-2025-11405 | | 14.9th | 6.3 | | This SQL injection vulnerability in SourceCodester Hotel and Lodge Management System 1.0 allows atta |
| 7084 | CVE-2025-64708 | | 14.9th | 5.8 | | This vulnerability in authentik allows expired invitations to remain valid for up to 5 minutes or lo |
| 7085 | CVE-2025-9372 | | 14.9th | 5.5 | | This stored XSS vulnerability in the Ultimate Multi Design Video Carousel WordPress plugin allows au |
| 7086 | CVE-2025-10848 | | 14.9th | 6.3 | | Campcodes Society Membership Information System 1.0 contains a SQL injection vulnerability in the /c |
| 7087 | CVE-2025-22563 | | 14.8th | 4.3 | | This CSRF vulnerability in the Faaiq Pretty Url WordPress plugin allows attackers to trick authentic |
| 7088 | CVE-2025-58016 | | 14.7th | 4.3 | | This CVE describes a missing authorization vulnerability in Codexpert, Inc's CF7 Submissions WordPre |
| 7089 | CVE-2025-28910 | | 14.8th | 4.3 | | This CSRF vulnerability in the WP Hide Admin Bar WordPress plugin allows attackers to trick authenti |
| 7090 | CVE-2025-11610 | | 14.9th | 6.3 | | This SQL injection vulnerability in SourceCodester Simple Inventory System 1.0 allows attackers to e |
| 7091 | CVE-2025-11611 | | 14.9th | 6.3 | | This vulnerability allows remote attackers to execute SQL injection attacks against SourceCodester S |
| 7092 | CVE-2025-12244 | | 14.6th | 4.3 | | A cross-site scripting (XSS) vulnerability exists in code-projects Simple E-Banking System 1.0 in th |
| 7093 | CVE-2025-28913 | | 14.8th | 4.3 | | This CSRF vulnerability in the WP Add Active Class To Menu Item WordPress plugin allows attackers to |
| 7094 | CVE-2025-11612 | | 14.9th | 6.3 | | This SQL injection vulnerability in Simple Food Ordering System 1.0 allows attackers to manipulate d |
| 7095 | CVE-2025-11613 | | 14.9th | 6.3 | | This SQL injection vulnerability in Simple Food Ordering System 1.0 allows attackers to execute arbi |
| 7096 | CVE-2023-7229 | | 14.6th | 5.5 | | This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in the illi Link Party! WordPre |
| 7097 | CVE-2025-23765 | | 14.8th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the W3speedster WordPress plugin allows attacke |
| 7098 | CVE-2025-3050 | | 14.7th | 5.3 | | This vulnerability in IBM Db2 allows authenticated users to cause denial of service through CPU reso |
| 7099 | CVE-2025-27315 | | 14.8th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the wptom All-In-One Cufon WordPress plugin all |
| 7100 | CVE-2025-27317 | | 14.8th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the IT-RAYS RAYS Grid WordPress plugin allows a |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to prioritizing which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.