Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. A higher score means a greater estimated probability that the CVE will be exploited in the wild within the next 30 days. This page covers ranks 7351 to 7400. The Percentile column places each CVE's EPSS relative to all scored CVEs; the CVSS base score is shown for context only (N/A where none is listed), since EPSS and CVSS measure different things.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 7351 | CVE-2025-59387 | | 35.8th | N/A | | An SQL injection vulnerability in MARS (Multi-Application Recovery Service) allows remote attackers |
| 7352 | CVE-2025-24628 | | 35.6th | 5.3 | | This vulnerability allows attackers to bypass CAPTCHA verification in the BestWebSoft Google Captcha |
| 7353 | CVE-2025-23477 | | 35.6th | 8.2 | | This CVE describes a missing authorization vulnerability in the Realty Workstation WordPress plugin |
| 7354 | CVE-2025-26960 | | 35.6th | 6.5 | | This CVE describes a Missing Authorization vulnerability in the Small Package Quotes – Unishippers |
| 7355 | CVE-2025-24567 | | 35.6th | 6.5 | | This vulnerability in WP Mailster WordPress plugin exposes sensitive embedded data in sent emails. A |
| 7356 | CVE-2025-23766 | | 35.6th | 6.5 | | This CVE describes a Missing Authorization vulnerability in the OPSI Israel Domestic Shipments WordP |
| 7357 | CVE-2025-22730 | | 35.6th | 6.5 | | This CVE describes a missing authorization vulnerability in the Ksher WordPress payment plugin that |
| 7358 | CVE-2025-24697 | | 35.6th | 6.5 | | This CVE describes a missing authorization vulnerability in the Realwebcare Image Gallery WordPress |
| 7359 | CVE-2025-24643 | | 35.6th | 6.5 | | This CVE describes a Missing Authorization vulnerability in WPGuppy WordPress plugin that allows att |
| 7360 | CVE-2025-24639 | | 35.6th | 6.5 | | This vulnerability in GREYS Korea for WooCommerce WordPress plugin exposes sensitive embedded data t |
| 7361 | CVE-2025-24801 | | 35.5th | 8.5 | | This vulnerability allows authenticated GLPI users to upload and execute arbitrary PHP files on the |
| 7362 | CVE-2025-1508 | | 35.6th | 5.3 | | The WP Crowdfunding WordPress plugin has an authorization vulnerability that allows authenticated us |
| 7363 | CVE-2025-0660 | | 35.6th | 4.8 | | Concrete CMS versions 9.0.0 through 9.3.9 contain a stored cross-site scripting (XSS) vulnerability |
| 7364 | CVE-2025-27663 | | 35.6th | 9.8 | | CVE-2025-27663 is a critical authentication vulnerability in Vasion Print (formerly PrinterLogic) th |
| 7365 | CVE-2025-30694 | | 35.6th | 5.4 | | This vulnerability in Oracle Database's XML Database component allows authenticated attackers with n |
| 7366 | CVE-2025-32073 | | 35.7th | 5.4 | | This CVE describes an improper input validation vulnerability in MediaWiki's HTML Tags extension tha |
| 7367 | CVE-2025-32071 | | 35.7th | 5.4 | | This CVE describes an improper input validation vulnerability in the MediaWiki Wikidata Extension th |
| 7368 | CVE-2025-32069 | | 35.7th | 5.4 | | This CVE describes a cross-site scripting (XSS) vulnerability in the Mediawiki Wikibase Media Info E |
| 7369 | CVE-2025-32067 | | 35.7th | 5.4 | | This CVE describes an improper input validation vulnerability in the Mediawiki Growth Experiments ex |
| 7370 | CVE-2025-41654 | | 35.6th | 8.2 | | An unauthenticated remote attacker can exploit this SNMP vulnerability to access process information |
| 7371 | CVE-2025-4790 | | 35.6th | 7.3 | | CVE-2025-4790 is a critical buffer overflow vulnerability in FreeFloat FTP Server 1.0's GLOB command |
| 7372 | CVE-2025-4788 | | 35.6th | 7.3 | | CVE-2025-4788 is a critical buffer overflow vulnerability in FreeFloat FTP Server 1.0's DELETE comma |
| 7373 | CVE-2025-49827 | | 35.6th | 9.8 | | This vulnerability allows attackers to bypass IAM authentication in Conjur by manipulating AWS-signe |
| 7374 | CVE-2025-53634 | | 35.6th | 7.5 | | CVE-2025-53634 is a denial-of-service vulnerability in Chall-Manager's HTTP Gateway that allows unau |
| 7375 | CVE-2025-53530 | | 35.6th | 7.5 | | WeGIA web manager for charitable institutions has a vulnerability where excessively long HTTP GET re |
| 7376 | CVE-2025-7070 | | 35.6th | 4.3 | | This vulnerability in IROAD Dashcam Q9 allows attackers on the local network to spam MFA pairing req |
| 7377 | CVE-2025-37097 | | 35.6th | 7.5 | | An unauthenticated denial-of-service vulnerability in HPE Insight Remote Support (IRS) allows attack |
| 7378 | CVE-2025-30275 | | 35.7th | 6.5 | | A NULL pointer dereference vulnerability in Qsync Central allows authenticated remote attackers to c |
| 7379 | CVE-2025-30273 | | 35.6th | 8.1 | | An out-of-bounds write vulnerability in QNAP operating systems allows authenticated remote attackers |
| 7380 | CVE-2025-30267 | | 35.7th | 6.5 | | A NULL pointer dereference vulnerability in QNAP operating systems allows authenticated remote attac |
| 7381 | CVE-2025-30263 | | 35.7th | 6.5 | | A NULL pointer dereference vulnerability in Qsync Central allows authenticated remote attackers to c |
| 7382 | CVE-2025-29889 | | 35.7th | 6.5 | | A NULL pointer dereference vulnerability in QNAP File Station 5 allows authenticated attackers to ca |
| 7383 | CVE-2025-29886 | | 35.7th | 6.5 | | A NULL pointer dereference vulnerability in QNAP File Station 5 allows authenticated remote attacker |
| 7384 | CVE-2025-29878 | | 35.7th | 6.5 | | A NULL pointer dereference vulnerability in QNAP File Station 5 allows authenticated attackers to ca |
| 7385 | CVE-2025-29874 | | 35.7th | 6.5 | | A NULL pointer dereference vulnerability in QNAP File Station 5 allows authenticated attackers to ca |
| 7386 | CVE-2025-9478 | | 35.6th | 8.8 | | This critical vulnerability in Google Chrome's ANGLE graphics engine allows attackers to execute arb |
| 7387 | CVE-2025-29901 | | 35.7th | 6.5 | | A NULL pointer dereference vulnerability in QNAP File Station 5 allows authenticated remote attacker |
| 7388 | CVE-2025-47206 | | 35.6th | 8.1 | | An out-of-bounds write vulnerability in QNAP File Station 5 allows authenticated attackers to modify |
| 7389 | CVE-2025-53726 | | 35.6th | 7.8 | | This is a type confusion vulnerability in Windows Push Notifications that allows an authenticated at |
| 7390 | CVE-2025-53724 | | 35.6th | 7.8 | | This vulnerability is a type confusion flaw in Windows Push Notifications that allows an authenticat |
| 7391 | CVE-2024-48014 | | 35.6th | 7.5 | | Dell BSAFE Micro Edition Suite versions before 5.0.2.3 contain an out-of-bounds write vulnerability. |
| 7392 | CVE-2025-62429 | | 35.6th | 7.2 | | This vulnerability allows remote code execution in ClipBucket v5 video sharing platform. Attackers c |
| 7393 | CVE-2025-11622 | | 35.6th | 7.8 | | This vulnerability allows a local authenticated attacker to exploit insecure deserialization in Ivan |
| 7394 | CVE-2025-62170 | | 35.6th | 7.5 | | A use-after-free vulnerability in rAthena's RODEX functionality allows unauthenticated attackers to |
| 7395 | CVE-2025-37163 | | 35.6th | 7.2 | | This CVE describes a command injection vulnerability in HPE Aruba Networking Airwave Platform's CLI |
| 7396 | CVE-2025-60724 | | 35.6th | 9.8 | | A heap-based buffer overflow vulnerability in Microsoft Graphics Component allows remote attackers t |
| 7397 | CVE-2025-12618 | | 35.6th | 8.8 | | A buffer overflow vulnerability in Tenda AC8 routers allows remote attackers to execute arbitrary co |
| 7398 | CVE-2025-13660 | | 35.6th | 5.3 | | The Guest Support WordPress plugin up to version 1.2.3 contains an unauthenticated user email disclo |
| 7399 | CVE-2025-66489 | | 35.5th | 9.8 | | This vulnerability in Cal.com scheduling software allows attackers to bypass password verification w |
| 7400 | CVE-2026-0601 | | 35.7th | N/A | | This reflected cross-site scripting vulnerability in Nexus Repository 3 allows unauthenticated attac |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. CVSS measures how severe a vulnerability is if it is exploited; EPSS measures how likely exploitation is. The two answer different questions, which is why EPSS is a useful input for deciding what to patch first rather than a replacement for CVSS. Scores are republished daily as new exploitation evidence arrives, so a CVE's EPSS can move sharply over time, and the percentile shows where a score sits among all scored CVEs.
Why EPSS matters: with thousands of CVEs published every month, not all of them are equally dangerous. EPSS lets security teams concentrate on the CVEs most likely to be exploited instead of patching in CVSS order alone: a critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS. EPSS knows nothing about your environment, though, so it should be combined with asset exposure and impact, and with confirmed-exploitation sources such as CISA's KEV catalog, rather than used on its own.
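As an added example (not code from this page or from FIRST.org), the following Python joins scanner-reported CVSS scores with an EPSS snapshot, ranks CVEs by EPSS the way the table above does, and applies the CVSS-plus-EPSS rule from the paragraph above. The CSV text is constructed to mirror the layout of the daily EPSS snapshot file (a `#model_version` comment line, then `cve,epss,percentile` with both numbers as fractions in 0..1); the CVE IDs, the scores and the P1/P2/P3 thresholds are made up for the example.

```python
"""Rank CVEs by EPSS and bucket them with CVSS for patch prioritisation.

Added example, not code from the page above or from FIRST.org. The CSV
below is constructed to mirror the layout of the daily EPSS snapshot (a
'#model_version' comment line, then cve,epss,percentile as fractions);
the CVE IDs and values are invented.
"""
import csv
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; the IDs use year 2099 so they cannot collide
# with real CVEs, and the scores are invented for the example.
SAMPLE_EPSS_CSV = """\
#model_version:v2025.03.14,score_date:2099-01-01T00:00:00+0000
cve,epss,percentile
CVE-2099-0001,0.00120,0.35600
CVE-2099-0002,0.00120,0.35600
CVE-2099-0003,0.90000,0.99800
CVE-2099-0004,0.00118,0.35500
"""

# CVSS base scores as a scanner would report them (constructed; None = unscored).
SAMPLE_CVSS = {
    "CVE-2099-0001": 9.8,
    "CVE-2099-0002": 6.5,
    "CVE-2099-0003": 7.5,
    "CVE-2099-0004": None,
}


@dataclass(frozen=True)
class Finding:
    cve: str
    epss: float            # probability of exploitation within 30 days, 0..1
    percentile: float      # fraction of scored CVEs with a lower EPSS, 0..1
    cvss: Optional[float]  # CVSS base score, or None when not yet scored


def parse_epss_csv(text: str) -> dict:
    """Parse an EPSS snapshot into {cve: (epss, percentile)}.

    Lines starting with '#' (the model/date header) are skipped; the rest
    is an ordinary CSV with a 'cve,epss,percentile' header row.
    """
    rows = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    scores = {}
    for row in csv.DictReader(rows):
        scores[row["cve"]] = (float(row["epss"]), float(row["percentile"]))
    return scores


def join_findings(epss_scores: dict, cvss_scores: dict) -> list:
    """Attach EPSS to every CVE the scanner reported.

    A CVE missing from the snapshot (too new, or rejected) gets EPSS 0.0 so
    it sorts last instead of raising; review those by hand in practice.
    """
    findings = []
    for cve, cvss in cvss_scores.items():
        epss, pct = epss_scores.get(cve, (0.0, 0.0))
        findings.append(Finding(cve, epss, pct, cvss))
    return findings


def rank_by_epss(findings: list) -> list:
    """Sort like the table above: highest EPSS first, then highest CVSS
    (unscored counts as 0), then CVE ID for a deterministic order."""
    return sorted(findings, key=lambda f: (-f.epss, -(f.cvss or 0.0), f.cve))


def priority(f: Finding, epss_high: float = 0.10, cvss_high: float = 7.0) -> str:
    """Illustrative triage buckets (an assumption for this example, not a
    FIRST.org recommendation):
      P1  likely to be exploited soon (EPSS >= epss_high), whatever the CVSS
      P2  severe (CVSS >= cvss_high) but exploitation currently unlikely
      P3  everything else, including unscored CVEs with low EPSS
    """
    if f.epss >= epss_high:
        return "P1"
    if f.cvss is not None and f.cvss >= cvss_high:
        return "P2"
    return "P3"


def triage(epss_csv: str, cvss_scores: dict) -> list:
    """Return (cve, epss, percentile, cvss, priority) tuples, ranked by EPSS."""
    ranked = rank_by_epss(join_findings(parse_epss_csv(epss_csv), cvss_scores))
    return [(f.cve, f.epss, f.percentile, f.cvss, priority(f)) for f in ranked]


if __name__ == "__main__":
    for cve, epss, pct, cvss, prio in triage(SAMPLE_EPSS_CSV, SAMPLE_CVSS):
        # Snapshot values are fractions; print them as the table does.
        print(f"{prio} {cve} EPSS={epss:.2%} percentile={pct * 100:.1f}th CVSS={cvss}")
```

Run it directly to print the ranked list; swap `SAMPLE_EPSS_CSV` for the contents of the day's snapshot and `SAMPLE_CVSS` for your scanner output. In the sample, the CVSS 7.5 finding with 90% EPSS lands in P1 ahead of the CVSS 9.8 finding with 0.12% EPSS, which is the ordering the paragraph above argues for. A CVE absent from the snapshot is given EPSS 0.0 so that it sorts last; that silence usually means the CVE is new or rejected and deserves a manual look rather than being dropped.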