Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 7251 | CVE-2025-13790 | | 14.4th | 4.3 | | This vulnerability allows attackers to perform Cross-Site Request Forgery (CSRF) attacks against Sca |
| 7252 | CVE-2025-47656 | | 14.2th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Spiraclethemes Site Library WordPress pl |
| 7253 | CVE-2025-12359 | | 14.4th | 5.4 | | The Responsive Lightbox & Gallery WordPress plugin has a Server-Side Request Forgery vulnerability t |
| 7254 | CVE-2025-9198 | | 14.4th | 6.5 | | This SQL injection vulnerability in the Wp cycle text announcement WordPress plugin allows authentic |
| 7255 | CVE-2026-23797 | | 14.3th | 4.9 | | Quick.Cart stores user passwords in plaintext, allowing attackers with administrative privileges to |
| 7256 | CVE-2025-9975 | | 14.6th | 6.8 | | The WP Scraper WordPress plugin contains a Server-Side Request Forgery (SSRF) vulnerability that all |
| 7257 | CVE-2026-1210 | | 14.5th | 6.4 | | This vulnerability allows authenticated WordPress users with Contributor-level access or higher to i |
| 7258 | CVE-2026-1337 | | 14.3th | 5.4 | | This vulnerability allows cross-site scripting (XSS) attacks when Neo4j query logs containing insuff |
| 7259 | CVE-2025-14695 | | 14.4th | 6.3 | | This vulnerability in SamuNatsu HaloBot allows remote attackers to execute arbitrary code by manipul |
| 7260 | CVE-2025-13116 | | 14.3th | 5.4 | | This vulnerability allows improper authorization in macrozheng mall-swarm and mall applications up t |
| 7261 | CVE-2025-47669 | | 14.2th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in CBX Map for Google Map & OpenStreetMap Wo |
| 7262 | CVE-2025-66051 | | 14.6th | 6.5 | | Vivotek IP7137 cameras with firmware version 0200a are vulnerable to path traversal attacks, allowin |
| 7263 | CVE-2025-13117 | | 14.3th | 5.4 | | This vulnerability allows attackers to cancel orders without proper authorization in macrozheng mall |
| 7264 | CVE-2025-47675 | | 14.2th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Woobox WordPress plugin allows attack |
| 7265 | CVE-2025-47677 | | 14.2th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the GT3 Photo Gallery WordPress plugin allow |
| 7266 | CVE-2025-9397 | | 14.5th | 6.3 | | CVE-2025-9397 is an unrestricted file upload vulnerability in givanz Vvveb CMS that allows remote at |
| 7267 | CVE-2025-12246 | | 14.3th | 4.3 | | This CVE describes a cross-site scripting (XSS) vulnerability in Chatwoot's admin interface that all |
| 7268 | CVE-2025-10978 | | 14.5th | 4.3 | | This vulnerability in JeecgBoot allows unauthorized access to the user export functionality via the |
| 7269 | CVE-2025-67703 | | 14.4th | 6.1 | | A stored cross-site scripting vulnerability in Esri ArcGIS Server allows remote unauthenticated atta |
| 7270 | CVE-2025-10979 | | 14.5th | 4.3 | | JeecgBoot up to version 3.8.2 has an improper authorization vulnerability in the /sys/role/exportXls |
| 7271 | CVE-2025-67704 | | 14.4th | 6.1 | | A stored cross-site scripting vulnerability in Esri ArcGIS Server allows remote unauthenticated atta |
| 7272 | CVE-2025-67705 | | 14.4th | 6.1 | | A stored cross-site scripting vulnerability in Esri ArcGIS Server allows attackers to upload malicio |
| 7273 | CVE-2025-10980 | | 14.5th | 4.3 | | JeecgBoot up to version 3.8.2 contains an improper authorization vulnerability in the /sys/position/ |
| 7274 | CVE-2025-5696 | | 14.3th | 6.3 | | This critical SQL injection vulnerability in Brilliance Golden Link Secondary System allows remote a |
| 7275 | CVE-2025-67708 | | 14.4th | 6.1 | | A stored cross-site scripting vulnerability in Esri ArcGIS Server allows attackers to upload malicio |
| 7276 | CVE-2025-10981 | | 14.5th | 4.3 | | This vulnerability in JeecgBoot allows unauthorized access to the tenant export function via the /sy |
| 7277 | CVE-2025-9406 | | 14.5th | 6.3 | | This vulnerability allows remote attackers to upload arbitrary files without restrictions in xuhuish |
| 7278 | CVE-2025-67709 | | 14.4th | 6.1 | | A stored cross-site scripting (XSS) vulnerability in Esri ArcGIS Server allows remote unauthenticate |
| 7279 | CVE-2025-5698 | | 14.3th | 6.3 | | This critical SQL injection vulnerability in Brilliance Golden Link Secondary System allows remote a |
| 7280 | CVE-2025-67710 | | 14.4th | 6.1 | | A stored cross-site scripting (XSS) vulnerability in Esri ArcGIS Server allows remote unauthenticate |
| 7281 | CVE-2025-67711 | | 14.4th | 6.1 | | A stored cross-site scripting (XSS) vulnerability in Esri ArcGIS Server allows remote unauthenticate |
| 7282 | CVE-2025-48232 | | 14.2th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in Xpro Addons For Beaver Builder Lite allows a |
| 7283 | CVE-2025-3955 | | 14.5th | 6.3 | | CVE-2025-3955 is a critical SQL injection vulnerability in codeprojects Patient Record Management Sy |
| 7284 | CVE-2025-2579 | | 14.2th | 6.4 | | The Lottie Player WordPress plugin up to version 1.1.8 has a stored cross-site scripting vulnerabili |
| 7285 | CVE-2025-48235 | | 14.2th | 6.5 | | This DOM-based XSS vulnerability in the WP Image Mask WordPress plugin allows attackers to inject ma |
| 7286 | CVE-2025-11410 | | 14.2th | 6.3 | | This SQL injection vulnerability in Campcodes Advanced Online Voting Management System 1.0 allows at |
| 7287 | CVE-2024-45643 | | 13.9th | 5.9 | | IBM Security QRadar 3.12 EDR uses weak cryptographic algorithms that could allow attackers to decryp |
| 7288 | CVE-2025-20322 | | 14.1th | 4.3 | | This CSRF vulnerability in Splunk Enterprise and Cloud Platform allows unauthenticated attackers to |
| 7289 | CVE-2025-21636 | | 13.9th | 5.5 | | This CVE describes a null pointer dereference vulnerability in the Linux kernel's SCTP (Stream Contr |
| 7290 | CVE-2025-12270 | | 13.8th | 4.3 | | This vulnerability in LearnHouse allows attackers to manipulate resource identifiers in the student |
| 7291 | CVE-2025-20305 | | 14th | 4.3 | | This vulnerability in Cisco ISE allows authenticated read-only administrators to view sensitive pass |
| 7292 | CVE-2025-36093 | | 14th | 4.8 | | This vulnerability in IBM Cloud Pak for Business Automation allows attackers to perform unauthorized |
| 7293 | CVE-2025-58258 | | 13.9th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the nK Lazy Blocks WordPress plugin that |
| 7294 | CVE-2025-70299 | | 14.2th | 6.5 | | A heap overflow vulnerability in GPAC's AVI file parser allows attackers to cause denial of service |
| 7295 | CVE-2025-43327 | | 14.1th | 6.5 | | This Safari vulnerability allows malicious websites to spoof the address bar, making users believe t |
| 7296 | CVE-2025-0666 | | 13.8th | 5.4 | | This stored cross-site scripting (XSS) vulnerability in BOINC Server allows attackers to inject mali |
| 7297 | CVE-2025-14000 | | 14.2th | 6.4 | | This vulnerability allows authenticated WordPress users with contributor-level access or higher to i |
| 7298 | CVE-2025-8775 | | 13.8th | 6.3 | | This critical vulnerability in Qiyuesuo Electronic Signature Platform allows remote attackers to upl |
| 7299 | CVE-2025-67594 | | 13.9th | 4.3 | | This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in the ThimPress Thim El |
| 7300 | CVE-2025-71002 | | 13.8th | 6.5 | | A floating-point exception vulnerability in OneFlow's flow.column_stack component allows attackers t |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it a useful input for deciding which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with a 0.1% EPSS score may be less urgent than a high CVSS 7.5 vulnerability with a 90% EPSS score.