Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

164 CVEs with EPSS > 50%
156 CISA KEV listed
35,468 CVEs with EPSS
0.7% average EPSS score
Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary
7401 | CVE-2025-62874 | 0.05% | 13.9th | 4.3 | | This CVE describes a missing authorization vulnerability in the AnyComment WordPress plugin that all
7402 | CVE-2025-66154 | 0.05% | 13.9th | 5.4 | | This CVE describes a Missing Authorization vulnerability in the Couponer for Elementor WordPress plu
7403 | CVE-2025-42943 | 0.05% | 14th | 4.5 | | SAP GUI for Windows may leak NTLM hashes when specific ABAP frontend services are called with UNC pa
7404 | CVE-2025-66155 | 0.05% | 13.9th | 5.4 | | This CVE describes a Missing Authorization vulnerability in the Questionar for Elementor WordPress p
7405 | CVE-2025-66156 | 0.05% | 13.9th | 5.4 | | CVE-2025-66156 is a missing authorization vulnerability in the Watcher for Elementor WordPress plugi
7406 | CVE-2025-14393 | 0.05% | 14.2th | 6.4 | | The Wpik WordPress Basic Ajax Form plugin has a stored XSS vulnerability in the 'dname' parameter th
7407 | CVE-2025-64631 | 0.05% | 13.9th | 5.0 | | This CVE describes a missing authorization vulnerability in the WCFM Marketplace WordPress plugin th
7408 | CVE-2025-66157 | 0.05% | 13.9th | 5.4 | | A missing authorization vulnerability in the merkulove Slider for Elementor WordPress plugin allows
7409 | CVE-2025-22018 | 0.05% | 14th | 5.5 | | A NULL pointer dereference vulnerability in the Linux kernel's ATM subsystem allows local attackers
7410 | CVE-2025-66158 | 0.05% | 13.9th | 5.4 | | This CVE describes a Missing Authorization vulnerability in the Gmaper for Elementor WordPress plugi
7411 | CVE-2025-66159 | 0.05% | 13.9th | 5.4 | | This CVE describes a Missing Authorization vulnerability in the Walker for Elementor WordPress plugi
7412 | CVE-2025-57975 | 0.05% | 13.9th | 4.3 | | This CVE describes a missing authorization vulnerability in the RadiusTheme Team WordPress plugin th
7413 | CVE-2025-13809 | 0.05% | 13.8th | 6.3 | | This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in orionsec's orion-ops softwa
7414 | CVE-2025-1625 | 0.05% | 13.8th | 5.4 | | The Qi Blocks WordPress plugin before version 1.4 contains a stored cross-site scripting (XSS) vulne
7415 | CVE-2025-1627 | 0.05% | 13.8th | 5.4 | | The Qi Blocks WordPress plugin before version 1.4 contains a stored cross-site scripting (XSS) vulne
7416 | CVE-2025-62128 | 0.05% | 13.9th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the SiteLock Security WordPress plugin t
7417 | CVE-2025-11595 | 0.05% | 13.9th | 4.7 | | This vulnerability allows SQL injection through the mobilenumber parameter in the /admin-profile.php
7418 | CVE-2025-44110 | 0.05% | 13.8th | 5.4 | | FluxBB 1.5.11 contains a stored XSS vulnerability in the forum description field that allows attacke
7419 | CVE-2025-66149 | 0.05% | 13.9th | 5.4 | | This CVE describes a Missing Authorization vulnerability in the merkulove UnGrabber WordPress plugin
7420 | CVE-2025-60265 | 0.05% | 13.8th | 6.5 | | This SQL injection vulnerability in xckk v9.6 allows attackers to manipulate database queries throug
7421 | CVE-2025-66150 | 0.05% | 13.9th | 5.4 | | This CVE describes a Missing Authorization vulnerability in the merkulove Appender WordPress plugin
7422 | CVE-2025-40616 | 0.05% | 14th | 6.1 | | This reflected XSS vulnerability in Bookgy allows attackers to inject malicious JavaScript via the I
7423 | CVE-2025-66151 | 0.05% | 13.9th | 5.4 | | This CVE describes a missing authorization vulnerability in the Countdowner for Elementor WordPress
7424 | CVE-2025-54461 | 0.05% | 13.8th | 5.3 | | ChatLuck's guest user invitation system has insufficient access control, allowing uninvited users to
7425 | CVE-2025-66152 | 0.05% | 13.9th | 5.4 | | This CVE describes a Missing Authorization vulnerability in the merkulove Criptopayer for Elementor
7426 | CVE-2024-55599 | 0.05% | 13.9th | 5.3 | | This vulnerability allows remote unauthenticated attackers to bypass DNS filtering protections on Fo
7427 | CVE-2025-66153 | 0.05% | 13.9th | 5.4 | | This CVE describes a Missing Authorization vulnerability in the Headinger for Elementor WordPress pl
7428 | CVE-2025-57997 | 0.05% | 13.9th | 4.3 | | This CVE describes a missing authorization vulnerability in the Trustpilot Reviews WordPress plugin
7429 | CVE-2025-23411 | 0.05% | 14.1th | 6.3 | | mySCADA myPRO Manager is vulnerable to cross-site request forgery (CSRF), allowing attackers to tric
7430 | CVE-2025-0793 | 0.05% | 14.1th | 6.3 | | This vulnerability allows remote attackers to execute SQL injection attacks on ESAFENET CDG V5 syste
7431 | CVE-2025-15331 | 0.05% | 13.8th | 4.3 | | CVE-2025-15331 is an uncontrolled resource consumption vulnerability in Tanium Connect that could al
7432 | CVE-2025-52047 | 0.05% | 13.8th | 6.5 | | This SQL injection vulnerability in Frappe ERPNext allows attackers to execute arbitrary SQL queries
7433 | CVE-2025-52049 | 0.05% | 13.8th | 6.5 | | This SQL injection vulnerability in Frappe ERPNext allows attackers to execute arbitrary SQL queries
7434 | CVE-2025-52050 | 0.05% | 13.8th | 6.5 | | This SQL injection vulnerability in Frappe ERPNext allows attackers to execute arbitrary SQL queries
7435 | CVE-2025-31365 | 0.05% | 13.8th | 5.8 | | This CVE describes a code injection vulnerability in FortiClientMac that allows unauthenticated atta
7436 | CVE-2025-58079 | 0.05% | 14.1th | 4.3 | | This vulnerability in desknet's NEO AppSuite allows attackers to create malicious applications throu
7437 | CVE-2025-66144 | 0.05% | 13.9th | 5.4 | | This CVE describes a Missing Authorization vulnerability in the Worker for Elementor WordPress plugi
7438 | CVE-2025-56380 | 0.05% | 13.8th | 6.5 | | This SQL injection vulnerability in Frappe Framework allows attackers to execute arbitrary SQL comma
7439 | CVE-2025-66145 | 0.05% | 13.9th | 5.4 | | This CVE describes a Missing Authorization vulnerability in the Worker for WPBakery WordPress plugin
7440 | CVE-2025-56381 | 0.05% | 13.8th | 6.5 | | CVE-2025-56381 allows attackers to execute arbitrary SQL commands in ERPNEXT through SQL injection v
7441 | CVE-2025-58011 | 0.05% | 13.9th | 6.4 | | This Server-Side Request Forgery (SSRF) vulnerability in the Alex Content Mask WordPress plugin allo
7442 | CVE-2025-66146 | 0.05% | 13.9th | 5.4 | | A missing authorization vulnerability in the Logger for Elementor WordPress plugin allows attackers
7443 | CVE-2025-32999 | 0.05% | 13.9th | 5.4 | | This is a stored cross-site scripting (XSS) vulnerability in a-blog CMS that allows authenticated us
7444 | CVE-2025-66148 | 0.05% | 13.9th | 5.4 | | This CVE describes a Missing Authorization vulnerability in the Conformer for Elementor WordPress pl
7445 | CVE-2025-4405 | 0.05% | 14th | 4.9 | | The Hot Random Image WordPress plugin has a stored XSS vulnerability in all versions up to 1.9.2. Au
7446 | CVE-2025-14516 | 0.05% | 14.2th | 6.3 | | This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the Yalantis uCrop Android
7447 | CVE-2025-43739 | 0.05% | 14.2th | 4.3 | | This vulnerability allows any authenticated user in Liferay Portal/DXP to modify email content sent
7448 | CVE-2025-50270 | 0.05% | 13.8th | 6.1 | | A stored cross-site scripting vulnerability in AnQiCMS v3.4.11 allows attackers to inject malicious
7449 | CVE-2026-0574 | 0.05% | 14.2th | 6.3 | | This CVE describes an improper authorization vulnerability in the yeqifu warehouse software that all
7450 | CVE-2025-14284 | 0.05% | 14.1th | 6.1 | | This vulnerability allows attackers to execute arbitrary JavaScript code in web applications using v

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
