Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV listed: 156
CVEs with EPSS: 35,468
Average EPSS score: 0.7%
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 7101 | CVE-2025-12540 | 0.05% | 14.9th | 4.7 | | The ShareThis Dashboard for Google Analytics WordPress plugin exposes Google Analytics client creden |
| 7102 | CVE-2025-60010 | 0.05% | 14.8th | 5.4 | | This vulnerability allows authenticated network-based attackers to bypass password expiration polici |
| 7103 | CVE-2025-50579 | 0.05% | 14.6th | 5.3 | | A CORS misconfiguration in Nginx Proxy Manager v2.12.3 allows unauthorized domains to access sensiti |
| 7104 | CVE-2025-51487 | 0.05% | 14.6th | 4.5 | | A stored XSS vulnerability in MoonShine versions before 3.12.5 allows attackers to inject malicious |
| 7105 | CVE-2025-8223 | 0.05% | 14.7th | 4.3 | | This CSRF vulnerability in JPACookieShop allows attackers to trick authenticated administrators into |
| 7106 | CVE-2025-3652 | 0.05% | 14.7th | 5.3 | | The Petlibro Smart Pet Feeder Platform contains an information disclosure vulnerability that allows |
| 7107 | CVE-2025-11629 | 0.05% | 14.9th | 6.3 | | This SQL injection vulnerability in RainyGao DocSys allows attackers to execute arbitrary SQL comman |
| 7108 | CVE-2025-11088 | 0.05% | 14.9th | 6.3 | | CVE-2025-11088 is an SQL injection vulnerability in itsourcecode Open Source Job Portal 1.0 that all |
| 7109 | CVE-2025-11551 | 0.05% | 14.9th | 6.3 | | This SQL injection vulnerability in Student Result Manager 1.0 allows remote attackers to execute ar |
| 7110 | CVE-2025-24696 | 0.05% | 14.8th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the Attire Blocks WordPress plugin allows attac |
| 7111 | CVE-2025-31969 | 0.05% | 14.9th | 4.0 | | HCL Unica Platform has a misconfigured Content Security Policy (CSP) that could allow attackers to l |
| 7112 | CVE-2025-11922 | 0.05% | 14.9th | 6.4 | | This vulnerability allows authenticated WordPress users with subscriber-level access or higher to in |
| 7113 | CVE-2025-11552 | 0.05% | 14.9th | 6.3 | | This SQL injection vulnerability in code-projects Online Complaint Site 1.0 allows attackers to mani |
| 7114 | CVE-2025-58221 | 0.05% | 14.7th | 4.3 | | This CVE describes a missing authorization vulnerability in the ONTRAPORT PilotPress WordPress plugi |
| 7115 | CVE-2025-28941 | 0.05% | 14.8th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the ohtan Spam Byebye WordPress plugin allows a |
| 7116 | CVE-2025-27335 | 0.05% | 14.8th | 4.3 | | This CSRF vulnerability in the WordPress Auto Tag Links plugin allows attackers to trick authenticat |
| 7117 | CVE-2024-6429 | 0.05% | 14.6th | 4.3 | | This content spoofing vulnerability in WSO2 products allows attackers to inject arbitrary content in |
| 7118 | CVE-2025-27339 | 0.05% | 14.8th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the WordPress Minimum Password Strength plugin |
| 7119 | CVE-2025-48240 | 0.05% | 14.2th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in WPFactory's Cost of Goods for WooCommerce pl |
| 7120 | CVE-2026-2148 | 0.05% | 14.3th | 5.3 | | This vulnerability in Tenda AC21 routers allows remote attackers to access sensitive information thr |
| 7121 | CVE-2025-9567 | 0.05% | 14.2th | 6.1 | | This is a reflected cross-site scripting (XSS) vulnerability in Sunnet's eHRD software that allows u |
| 7122 | CVE-2025-65017 | 0.05% | 14.4th | 6.5 | | This vulnerability in Decidim's private data export feature allows UUID collisions that could lead t |
| 7123 | CVE-2025-9568 | 0.05% | 14.2th | 6.1 | | Sunnet eHRD software contains a reflected cross-site scripting vulnerability that allows unauthentic |
| 7124 | CVE-2025-30316 | 0.05% | 14.5th | 5.4 | | Adobe Connect versions 12.8 and earlier contain a stored Cross-Site Scripting vulnerability that all |
| 7125 | CVE-2025-9569 | 0.05% | 14.2th | 6.1 | | This is a reflected cross-site scripting (XSS) vulnerability in Sunnet's eHRD software that allows u |
| 7126 | CVE-2025-8526 | 0.05% | 14.5th | 6.3 | | This critical vulnerability in Exrick xboot allows remote attackers to upload arbitrary files withou |
| 7127 | CVE-2025-48248 | 0.05% | 14.2th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Sitewide Discount for WooCommerce plugin |
| 7128 | CVE-2025-1891 | 0.05% | 14.6th | 4.3 | | This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in shishuocms 1.1 that allows a |
| 7129 | CVE-2025-48250 | 0.05% | 14.2th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WPFactory Coupons & Add to Cart by URL L |
| 7130 | CVE-2025-1778 | 0.05% | 14.4th | 4.3 | | The Art Theme for WordPress has a missing capability check in its 'arttheme_theme_option_restore' AJ |
| 7131 | CVE-2025-24510 | 0.05% | 14.2th | 6.5 | | A vulnerability in Siemens MS/TP Point Pickup Module allows attackers on the same BACnet network to |
| 7132 | CVE-2025-7412 | 0.05% | 14.5th | 6.3 | | CVE-2025-7412 is a critical unrestricted file upload vulnerability in code-projects Library System 1 |
| 7133 | CVE-2025-14464 | 0.05% | 14.3th | 5.3 | | The PDF Resume Parser WordPress plugin exposes SMTP credentials to unauthenticated users through an |
| 7134 | CVE-2025-48258 | 0.05% | 14.2th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Mega Menu Block WordPress plugin allows |
| 7135 | CVE-2025-47557 | 0.05% | 14.2th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the MapSVG WordPress plugin allows attackers |
| 7136 | CVE-2026-25727 | 0.05% | 14.3th | 6.5 | | This vulnerability in the Rust time crate allows denial of service via stack exhaustion when parsing |
| 7137 | CVE-2025-15238 | 0.05% | 14.4th | 6.5 | | QOCA aim AI Medical Cloud Platform has a SQL injection vulnerability that allows authenticated attac |
| 7138 | CVE-2025-13650 | 0.05% | 14.3th | 6.1 | | This is a cross-site scripting (XSS) vulnerability in Microcom's ZeusWeb application version 6.1.31. |
| 7139 | CVE-2022-49615 | 0.05% | 14.3th | 5.5 | | A NULL pointer dereference vulnerability in the Linux kernel's ASoC rt711-sdca audio driver can caus |
| 7140 | CVE-2025-21709 | 0.05% | 14.3th | 5.5 | | A race condition vulnerability in the Linux kernel's memory management subsystem during process fork |
| 7141 | CVE-2025-3794 | 0.05% | 14.6th | 5.4 | | The WPForms WordPress plugin has a stored XSS vulnerability in versions up to 1.9.5 that allows auth |
| 7142 | CVE-2025-15239 | 0.05% | 14.4th | 6.5 | | QOCA aim AI Medical Cloud Platform has a SQL injection vulnerability that allows authenticated remot |
| 7143 | CVE-2025-0758 | 0.05% | 14.2th | 6.1 | | Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.2, including 9.3.x and 8.3. |
| 7144 | CVE-2025-8756 | 0.05% | 14.5th | 6.3 | | This vulnerability allows attackers to bypass authorization checks in TDuckCloud tduck-platform's ma |
| 7145 | CVE-2025-52917 | 0.05% | 14.2th | 4.3 | | The Yealink RPS API lacks rate limiting, allowing attackers to send excessive requests that could le |
| 7146 | CVE-2025-40556 | 0.05% | 14.2th | 6.5 | | A vulnerability in Siemens BACnet ATEC 550 series devices allows attackers on the same BACnet networ |
| 7147 | CVE-2025-13980 | 0.05% | 14.2th | 5.3 | | This vulnerability allows attackers to bypass authentication mechanisms in Drupal CKEditor 5 Premium |
| 7148 | CVE-2025-9521 | 0.05% | 14.3th | 6.5 | | This vulnerability allows attackers with valid session tokens to bypass password confirmation requir |
| 7149 | CVE-2025-48276 | 0.05% | 14.2th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in Visual Composer Website Builder allows attac |
| 7150 | CVE-2025-8148 | 0.05% | 14.3th | 4.2 | | This vulnerability allows Web Users in Fortra's GoAnywhere MFT who are configured for password-only |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
