Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. A higher score means a greater estimated likelihood of exploitation in the wild within the next 30 days. This page of the ranking covers ranks 7351 to 7400; every entry here scores 0.05% (around the 14th percentile of all scored CVEs), far below the entries at the top of the list.

Summary statistics for the full ranking:
  EPSS > 50%:       164
  CISA KEV listed:  156
  CVEs with EPSS:   35,468
  Average EPSS:     0.7%
Percentile is the share of all scored CVEs with the same or a lower EPSS score. The Flags column (for example a KEV listing) is empty for every row on this page. Summaries are truncated on the source page.

Rank  CVE ID          EPSS   Pctl    CVSS  Flags  Summary
7351  CVE-2025-62098  0.05%  13.9th  5.4   -      This CVE describes a Missing Authorization vulnerability in the Totalsoft Portfolio Gallery WordPres
7352  CVE-2025-64084  0.05%  14.1th  5.4   -      An authenticated SQL injection vulnerability in Cloudlog 2.7.5 and earlier allows authenticated atta
7353  CVE-2025-6766   0.05%  13.9th  6.3   -      This critical SQL injection vulnerability in sfturing hosp_order allows remote attackers to execute
7354  CVE-2025-62108  0.05%  13.9th  5.4   -      This CVE describes a Missing Authorization vulnerability in the SaifuMak Add Custom Codes WordPress
7355  CVE-2025-6135   0.05%  13.9th  6.3   -      This critical SQL injection vulnerability in Projectworlds Life Insurance Management System 1.0 allo
7356  CVE-2025-21767  0.05%  14.1th  5.5   -      A race condition vulnerability in the Linux kernel's clocksource subsystem where get_random_u32() is
7357  CVE-2025-64070  0.05%  13.8th  5.4   -      This vulnerability allows attackers to inject malicious scripts into the Add New Subject Description
7358  CVE-2025-62888  0.05%  13.9th  5.4   -      This CVE describes a Missing Authorization vulnerability in the WP Attachments WordPress plugin that
7359  CVE-2025-55625  0.05%  13.8th  6.3   -      An open redirect vulnerability in Reolink firmware allows attackers to craft URLs that redirect user
7360  CVE-2025-52982  0.05%  14.2th  5.9   -      An unauthenticated network attacker can cause a denial-of-service by sending a specific sequence of
7361  CVE-2025-27587  0.05%  13.9th  5.3   -      OpenSSL on PowerPC systems is vulnerable to a Minerva side-channel attack that allows extraction of
7362  CVE-2025-40885  0.05%  13.8th  5.3   -      A SQL injection vulnerability in the Smart Polling functionality allows authenticated users with lim
7363  CVE-2025-62524  0.05%  13.9th  5.3   -      PILOS (Platform for Interactive Live-Online Seminars) before version 4.8.0 exposes the PHP version v
7364  CVE-2025-66361  0.05%  13.9th  6.5   -      Logpoint versions before 7.7.0 expose sensitive information in system processes during high CPU load
7365  CVE-2025-40888  0.05%  13.8th  5.3   -      An authenticated SQL injection vulnerability in CLI functionality allows limited-privilege users to
7366  CVE-2025-46011  0.05%  13.8th  6.5   -      Listmonk v4.1.0 contains a SQL injection vulnerability in the QuerySubscribers function that allows
7367  CVE-2025-14982  0.05%  13.9th  4.3   -      The Booking Calendar plugin for WordPress has a missing authorization vulnerability that allows auth
7368  CVE-2025-53059  0.05%  14.1th  4.9   -      This vulnerability in Oracle PeopleSoft Enterprise PeopleTools allows high-privileged attackers with
7369  CVE-2025-37728  0.05%  13.9th  5.4   -      This vulnerability allows a malicious user with access to a Kibana space to create a Crowdstrike con
7370  CVE-2025-50949  0.05%  14.1th  6.5   -      FontForge v20230101 contains a memory leak in the DlgCreate8 component that allows attackers to caus
7371  CVE-2024-8854   0.05%  13.8th  5.4   -      The Polls CP WordPress plugin before version 1.0.77 contains a stored cross-site scripting (XSS) vul
7372  CVE-2021-47702  0.05%  14.1th  4.3   -      OpenBMCS 2.4 contains a CSRF vulnerability in the sendFeedback.php endpoint that allows attackers to
7373  CVE-2025-62132  0.05%  13.9th  4.3   -      This CVE describes a Missing Authorization vulnerability in the Strategy11 Team Tasty Recipes Lite W
7374  CVE-2025-30000  0.05%  13.9th  6.7   -      A privilege escalation vulnerability in Siemens License Server allows low-privileged users to gain h
7375  CVE-2024-9599   0.05%  13.8th  5.4   -      The Popup Box WordPress plugin before version 4.7.8 contains a stored cross-site scripting (XSS) vul
7376  CVE-2026-22490  0.05%  13.9th  5.4   -      This CVE describes a Missing Authorization vulnerability in the LPagery WordPress plugin that allows
7377  CVE-2026-22492  0.05%  13.9th  4.3   -      This CVE describes a Missing Authorization vulnerability in the Nawawi Jamili Docket Cache WordPress
7378  CVE-2024-9662   0.05%  13.8th  5.4   -      The CYAN Backup WordPress plugin before version 2.5.3 contains a stored cross-site scripting (XSS) v
7379  CVE-2026-22517  0.05%  13.9th  5.4   -      This CVE describes a Missing Authorization vulnerability in the GA4WP: Google Analytics for WordPres
7380  CVE-2024-51451  0.05%  13.9th  6.5   -      IBM Concert versions 1.0.0 through 2.1.0 are vulnerable to HTTP header injection due to improper val
7381  CVE-2026-21696  0.05%  13.9th  6.5   -      This vulnerability allows low-privileged users to trigger a database flood in Pterodactyl Panel by e
7382  CVE-2025-12976  0.05%  14.2th  6.4   -      This vulnerability allows authenticated WordPress users with contributor-level access or higher to i
7383  CVE-2024-45832  0.05%  14.1th  4.3   -      This vulnerability involves hard-coded credentials embedded in the application binary that are used
7384  CVE-2025-41091  0.05%  13.9th  4.3   -      This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner that
7385  CVE-2025-41092  0.05%  13.9th  4.3   -      This IDOR vulnerability in BOLD Workplanner allows authenticated users to access time records detail
7386  CVE-2025-41093  0.05%  13.9th  4.3   -      An Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner allows authenticated us
7387  CVE-2025-41094  0.05%  13.9th  4.3   -      This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner soft
7388  CVE-2025-41095  0.05%  13.9th  4.3   -      This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner soft
7389  CVE-2025-1454   0.05%  13.8th  5.4   -      The Ninja Pages WordPress plugin through version 1.4.2 contains a stored cross-site scripting (XSS)
7390  CVE-2025-62288  0.05%  14.1th  4.9   -      This vulnerability in Oracle Health Sciences Data Management Workbench allows authenticated high-pri
7391  CVE-2025-41096  0.05%  13.9th  4.3   -      This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner soft
7392  CVE-2025-25250  0.05%  14.0th  4.3   -      This vulnerability allows authenticated SSL-VPN users to access full SSL-VPN configuration settings
7393  CVE-2025-41097  0.05%  13.9th  4.3   -      This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner soft
7394  CVE-2024-28780  0.05%  13.9th  5.9   -      IBM Cognos Controller and IBM Controller Rich Client use weak cryptographic algorithms that could al
7395  CVE-2025-30974  0.05%  14.0th  4.3   -      This CVE describes a missing authorization vulnerability in the Post Grid Master WordPress plugin th
7396  CVE-2025-62960  0.05%  13.9th  5.4   -      This CVE describes a missing authorization vulnerability in the Sparkle WP Construction Light WordPr
7397  CVE-2024-13873  0.05%  14.0th  4.3   -      This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to de
7398  CVE-2025-62961  0.05%  13.9th  5.4   -      This CVE describes a missing authorization vulnerability in the Sparkle FSE WordPress theme that all
7399  CVE-2025-47786  0.05%  13.8th  4.8   -      Emlog 2.5.13 has a stored XSS vulnerability where any registered user can inject malicious JavaScrip
7400  CVE-2025-20656  0.05%  14.0th  6.8   -      This vulnerability in MediaTek DA software allows local attackers with physical access to escalate p

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity (how bad a successful exploit would be), EPSS measures likelihood (how probable exploitation is), which makes it a useful input for deciding which vulnerabilities to patch first. Two practical details: the percentile shown next to each score is the share of all scored CVEs with the same or a lower EPSS score, so a 0.05% score at the 13.9th percentile means most scored CVEs score even lower; and EPSS scores are recomputed daily, so a ranking like the one above is a snapshot that should be refreshed before acting on it.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS. Two caveats apply: a CISA KEV listing is evidence of confirmed exploitation and should outrank any prediction, and EPSS is a population-level estimate that knows nothing about whether the vulnerable component is reachable or exposed in your own environment, so it complements an asset inventory rather than replacing one.
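The prioritization described above, as an added example that is not the page's own code or FIRST's: it parses a document in the shape of the public FIRST EPSS API response (https://api.first.org/data/v1/epss?cve=..., where "epss" and "percentile" arrive as decimal strings), joins it with a KEV membership set and CVSS scores, and orders the result KEV first, then by EPSS, with CVSS only as a tiebreaker. The JSON below is a constructed sample, the CVE-9999-* identifiers are placeholders, and the CVSS scores and KEV membership are constructed for illustration; the first two rows reproduce the page's own contrast of CVSS 9.8 at 0.1% EPSS against CVSS 7.5 at 90% EPSS.

```python
"""Added example: EPSS + KEV + CVSS patch ordering. Not the page's or FIRST's code.

Assumptions: EPSS_API_SAMPLE is a CONSTRUCTED document shaped after the
FIRST EPSS API (api.first.org/data/v1/epss), whose "epss" and "percentile"
fields are decimal strings. CVE-9999-* IDs are placeholders; CVSS_SAMPLE and
KEV_SAMPLE are constructed, not real catalog data.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

EPSS_API_SAMPLE = json.dumps({
    "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
    "total": 4, "offset": 0, "limit": 100,
    "data": [  # constructed rows in the API's shape
        {"cve": "CVE-9999-0001", "epss": "0.001000000", "percentile": "0.395000000", "date": "2025-01-01"},
        {"cve": "CVE-9999-0002", "epss": "0.900000000", "percentile": "0.999000000", "date": "2025-01-01"},
        {"cve": "CVE-9999-0003", "epss": "0.000500000", "percentile": "0.139000000", "date": "2025-01-01"},
        {"cve": "CVE-9999-0004", "epss": "0.120000000", "percentile": "0.950000000", "date": "2025-01-01"},
    ],
})
CVSS_SAMPLE = {"CVE-9999-0001": 9.8, "CVE-9999-0002": 7.5,   # constructed
               "CVE-9999-0003": 5.3, "CVE-9999-0004": 6.1}
KEV_SAMPLE = {"CVE-9999-0004"}                               # constructed


@dataclass(frozen=True)
class Scored:
    cve: str
    epss: float        # probability of exploitation in the next 30 days, 0..1
    percentile: float  # share of scored CVEs with the same or lower EPSS, 0..1
    cvss: float        # CVSS base score, 0..10 (0.0 if unknown)
    kev: bool          # listed in CISA's Known Exploited Vulnerabilities catalog


def parse_epss_response(text: str) -> dict[str, tuple[float, float]]:
    """Parse an EPSS API JSON document into {cve: (epss, percentile)}.

    The API encodes both numbers as strings, so convert explicitly instead of
    trusting the JSON type, and refuse documents whose status is not OK.
    """
    doc = json.loads(text)
    if doc.get("status") != "OK":
        raise ValueError(f"EPSS API status {doc.get('status')!r}")
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in doc["data"]}


def build_records(epss: dict[str, tuple[float, float]],
                  cvss: dict[str, float], kev: set[str]) -> list[Scored]:
    """Join EPSS output with CVSS scores and KEV membership."""
    return [Scored(cve, p, pct, cvss.get(cve, 0.0), cve in kev)
            for cve, (p, pct) in epss.items()]


def prioritize(records: list[Scored], urgent_epss: float = 0.5) -> list[Scored]:
    """Patch order: KEV (confirmed exploited) first, then EPSS at or above the
    threshold, then the rest. Inside a tier, higher EPSS wins and CVSS only
    breaks ties. The 0.5 default mirrors the page's "EPSS > 50%" statistic
    and is a policy choice, not a standard."""
    def key(r: Scored):
        tier = 0 if r.kev else (1 if r.epss >= urgent_epss else 2)
        return (tier, -r.epss, -r.cvss, r.cve)
    return sorted(records, key=key)


def order_by_cvss(records: list[Scored]) -> list[Scored]:
    """The severity-only ordering the page argues against, for comparison."""
    return sorted(records, key=lambda r: (-r.cvss, r.cve))


def summarize(records: list[Scored], threshold: float = 0.5) -> dict[str, float]:
    """Headline numbers of the kind shown at the top of the page."""
    n = len(records)
    return {
        "cves_with_epss": n,
        "epss_over_threshold": sum(1 for r in records if r.epss > threshold),
        "kev_listed": sum(1 for r in records if r.kev),
        "avg_epss": (sum(r.epss for r in records) / n) if n else 0.0,
    }


if __name__ == "__main__":
    recs = build_records(parse_epss_response(EPSS_API_SAMPLE), CVSS_SAMPLE, KEV_SAMPLE)
    print("by CVSS only :", [r.cve for r in order_by_cvss(recs)])
    print("KEV/EPSS/CVSS:", [r.cve for r in prioritize(recs)])
    print("summary      :", summarize(recs))
```

With the constructed input, the CVSS-only order puts the 9.8 first, while the KEV/EPSS/CVSS order puts the KEV-listed 6.1 first and the 90% EPSS 7.5 second, pushing the 9.8 at 0.1% EPSS to third; that is the page's argument in executable form. Because EPSS is recomputed daily, pull fresh API output (and a fresh KEV catalog) each time the ordering is produced rather than reusing a stored snapshot.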

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
