Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability: the model's estimate of the chance that a CVE is exploited in the wild within the next 30 days. Higher scores mean a greater likelihood of exploitation. The percentile column gives the share of all scored CVEs whose EPSS score is at or below this one. This page covers ranks 7451 to 7500; every row here displays 0.05%, so the order within it is effectively a tie, and only the percentile (13.5 to 14.2) separates underlying scores that round to the same two decimals. Scores this low say nothing about whether the affected component is reachable in a given environment, so they should lower urgency, not remove a CVE from the patch queue.

Summary statistics for the dataset behind this ranking:

CVEs with an EPSS score: 35,468
CVEs with EPSS > 50%: 164
CVEs listed in CISA KEV: 156
Average EPSS score: 0.7%
No row in this range shows a flag, so the Flags column is omitted. Summaries are truncated as they appear on the page.

| Rank | CVE ID | EPSS Score | Percentile | CVSS | Summary (truncated) |
|------|--------|------------|------------|------|---------------------|
| 7451 | CVE-2025-64703 | 0.05% | 14.0 | 6.3 | MaxKB versions before 2.3.1 contain a sandbox escape vulnerability in the Python tool module that al |
| 7452 | CVE-2025-10995 | 0.05% | 14.0 | 5.3 | A memory corruption vulnerability in Open Babel's zlib decompression stream allows local attackers t |
| 7453 | CVE-2025-6276 | 0.05% | 13.9 | 6.3 | This CVE describes a critical SQL injection vulnerability in the Brilliance Golden Link Secondary Sy |
| 7454 | CVE-2025-14443 | 0.05% | 14.1 | 6.4 | This SSRF vulnerability in OpenShift's API server allows attackers to make the server send requests |
| 7455 | CVE-2022-50801 | 0.05% | 14.2 | 4.3 | This vulnerability allows authenticated attackers to inject malicious scripts into JM-DATA ONU JF511 |
| 7456 | CVE-2025-4281 | 0.05% | 13.5 | 4.3 | This vulnerability in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 7 allo |
| 7457 | CVE-2025-48925 | 0.05% | 13.5 | 4.3 | TeleMessage service uses client-side MD5 hashing for authentication, allowing attackers to intercept |
| 7458 | CVE-2026-25760 | 0.05% | 13.6 | 6.5 | CVE-2026-25760 is an authenticated path traversal vulnerability in Sliver's website content subsyste |
| 7459 | CVE-2025-56578 | 0.05% | 13.6 | 5.7 | CVE-2025-56578 is an authentication bypass vulnerability in RTSPtoWeb v2.4.3 that allows remote atta |
| 7460 | CVE-2025-8527 | 0.05% | 13.6 | 6.3 | This critical vulnerability in Exrick xboot allows remote attackers to perform server-side request f |
| 7461 | CVE-2025-20289 | 0.05% | 13.6 | 4.8 | This vulnerability allows authenticated attackers with low-privileged accounts to conduct reflected |
| 7462 | CVE-2025-60950 | 0.05% | 13.7 | 6.1 | An arbitrary file upload vulnerability in AIxBlock's Data Preparation function allows attackers to u |
| 7463 | CVE-2025-11176 | 0.05% | 13.7 | 4.3 | The Quick Featured Images WordPress plugin has an Insecure Direct Object Reference vulnerability tha |
| 7464 | CVE-2025-62060 | 0.05% | 13.6 | 6.5 | This is a cross-site scripting (XSS) vulnerability in the Tab Ultimate WordPress plugin that allows |
| 7465 | CVE-2022-49097 | 0.05% | 13.5 | 5.5 | This CVE addresses a denial-of-service vulnerability in the Linux kernel's NFS writeback mechanism. |
| 7466 | CVE-2025-8530 | 0.05% | 13.6 | 5.3 | This vulnerability in elunez eladmin allows attackers to use default credentials for Druid database |
| 7467 | CVE-2025-62063 | 0.05% | 13.6 | 6.5 | This Cross-Site Scripting (XSS) vulnerability in WP Travel Gutenberg Blocks allows attackers to inje |
| 7468 | CVE-2025-62068 | 0.05% | 13.6 | 6.5 | This is a cross-site scripting (XSS) vulnerability in the E2Pdf WordPress plugin that allows attacke |
| 7469 | CVE-2025-21705 | 0.05% | 13.7 | 5.5 | This vulnerability in the Linux kernel's MPTCP (Multipath TCP) implementation allows data stream cor |
| 7470 | CVE-2025-62069 | 0.05% | 13.6 | 6.5 | This Cross-Site Scripting (XSS) vulnerability in the RealMag777 MDTF WordPress plugin allows attacke |
| 7471 | CVE-2025-27606 | 0.05% | 13.5 | 5.1 | Element Android up to version 1.6.32 fails to properly logout users after exceeding configured PIN a |
| 7472 | CVE-2025-15020 | 0.05% | 13.6 | 6.5 | The Gotham Block Extra Light WordPress plugin contains an arbitrary file read vulnerability in all v |
| 7473 | CVE-2025-48804 | 0.05% | 13.6 | 6.8 | This vulnerability in Windows BitLocker allows an attacker with physical access to bypass the encryp |
| 7474 | CVE-2025-41079 | 0.05% | 13.5 | 6.1 | A stored Cross-Site Scripting (XSS) vulnerability in Seafile v12.0.10 allows attackers to inject mal |
| 7475 | CVE-2025-41080 | 0.05% | 13.5 | 6.1 | A stored XSS vulnerability in Seafile v12.0.10 allows attackers to inject malicious scripts via the |
| 7476 | CVE-2025-21716 | 0.05% | 13.7 | 5.5 | A vulnerability in the Linux kernel's VXLAN virtual network filtering function allows reading uninit |
| 7477 | CVE-2025-9769 | 0.05% | 13.6 | 4.1 | This CVE describes a command injection vulnerability in D-Link DI-7400G+ routers that allows attacke |
| 7478 | CVE-2024-12709 | 0.05% | 13.7 | 4.3 | The Bulk Me Now! WordPress plugin through version 2.0 lacks CSRF protection on certain endpoints, al |
| 7479 | CVE-2025-48486 | 0.05% | 13.5 | 5.4 | FreeScout versions before 1.8.180 contain a cross-site scripting (XSS) vulnerability in the Session: |
| 7480 | CVE-2024-13774 | 0.05% | 13.7 | 6.1 | This CSRF vulnerability in the Wishlist for WooCommerce plugin allows attackers to trick administrat |
| 7481 | CVE-2025-48488 | 0.05% | 13.5 | 5.4 | CVE-2025-48488 is a Cross-Site Scripting vulnerability in FreeScout help desk software where deletin |
| 7482 | CVE-2024-12874 | 0.05% | 13.7 | 4.8 | The Top Comments WordPress plugin through version 1.0 contains a stored cross-site scripting (XSS) v |
| 7483 | CVE-2025-62011 | 0.05% | 13.6 | 6.5 | This is a cross-site scripting (XSS) vulnerability in the TheGem WordPress theme that allows attacke |
| 7484 | CVE-2025-11844 | 0.05% | 13.8 | 5.4 | Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ |
| 7485 | CVE-2025-11794 | 0.05% | 13.5 | 4.9 | This vulnerability allows system administrators to access password hashes and MFA secrets through an |
| 7486 | CVE-2025-48368 | 0.05% | 13.5 | 5.4 | A DOM-based Cross-Site Scripting (XSS) vulnerability in Group-Office allows attackers to execute arb |
| 7487 | CVE-2025-62030 | 0.05% | 13.6 | 6.5 | This is a cross-site scripting (XSS) vulnerability in the tagDiv Composer WordPress plugin that allo |
| 7488 | CVE-2026-20839 | 0.05% | 13.5 | 5.5 | This vulnerability allows an authorized attacker on a Windows system to access sensitive information |
| 7489 | CVE-2025-2537 | 0.05% | 13.5 | 6.4 | Multiple WordPress plugins are vulnerable to stored cross-site scripting (XSS) through their bundled |
| 7490 | CVE-2025-62044 | 0.05% | 13.6 | 6.5 | This CVE describes a cross-site scripting (XSS) vulnerability in TheGem Theme Elements plugin for WP |
| 7491 | CVE-2025-62248 | 0.05% | 13.8 | 4.8 | A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows authenticated |
| 7492 | CVE-2025-64202 | 0.05% | 13.6 | 6.5 | This DOM-based XSS vulnerability in the Sahifa WordPress theme allows attackers to inject malicious |
| 7493 | CVE-2025-64204 | 0.05% | 13.6 | 6.5 | This stored cross-site scripting (XSS) vulnerability in the SmartMag WordPress theme allows attacker |
| 7494 | CVE-2025-64208 | 0.05% | 13.6 | 6.5 | This DOM-based cross-site scripting vulnerability in the TieLabs Jannah - Extensions WordPress plugi |
| 7495 | CVE-2025-55093 | 0.05% | 13.8 | 5.3 | This vulnerability in NetX Duo's IPv4 packet handling allows an attacker to read 4 bytes of memory b |
| 7496 | CVE-2025-56226 | 0.05% | 13.6 | 5.3 | Libsndfile versions up to 1.2.2 contain a memory leak vulnerability in the MPEG Layer 3 encoder init |
| 7497 | CVE-2025-62051 | 0.05% | 13.6 | 6.5 | This is a cross-site scripting (XSS) vulnerability in the UDesign Core WordPress plugin that allows |
| 7498 | CVE-2025-24136 | 0.05% | 13.6 | 4.4 | This macOS vulnerability allows malicious applications to create symbolic links to protected disk re |
| 7499 | CVE-2025-64220 | 0.05% | 13.6 | 6.5 | This stored cross-site scripting (XSS) vulnerability in Rey Core WordPress plugin allows attackers t |
| 7500 | CVE-2025-11267 | 0.05% | 13.7 | 6.4 | This vulnerability allows authenticated WordPress users with Contributor-level access or higher to i |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Where CVSS measures the severity of a vulnerability, EPSS measures the likelihood that it is exploited, which makes it a strong input for deciding which vulnerabilities to patch first. It is a population-level estimate, though: it knows nothing about whether the vulnerable code is deployed, reachable or exposed in a particular environment, so it complements asset context rather than replacing it.

Why EPSS matters: thousands of CVEs are published every month, and they are not equally dangerous. EPSS lets security teams focus on the CVEs most likely to be actively exploited instead of patching solely by CVSS score. A CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a CVSS 7.5 with 90% EPSS. Two practical rules follow: treat a CISA KEV listing as confirmed exploitation and patch it regardless of its EPSS score, and re-read scores regularly, because EPSS is recomputed daily and a score can jump once a public exploit or active campaign appears.
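The prioritization rule described above, worked through in code. This is an added example and not code from the page, from FIRST.org or from any scanner; the JSON payload is constructed, with field names ("cve", "epss", "percentile", "date", all as strings) that follow the public FIRST EPSS API response shape as I understand it, and the inventory, the CVE identifiers (CVE-2099-xxxx) and the P1 to P4 tiering thresholds are illustrative assumptions rather than any published standard.

```python
"""Rank CVEs by exploit likelihood (EPSS, KEV) before severity (CVSS).

Added example; not the page's or FIRST.org's code. The tier thresholds
are an illustrative policy, not an EPSS or CISA standard.
"""
import json
from dataclasses import dataclass

# Constructed sample shaped like a FIRST EPSS API response (assumption:
# the API returns "status" plus a "data" array of string-valued rows).
SAMPLE_EPSS_JSON = """
{"status": "OK", "data": [
  {"cve": "CVE-2099-0001", "epss": "0.00046", "percentile": "0.14000", "date": "2026-01-01"},
  {"cve": "CVE-2099-0002", "epss": "0.90100", "percentile": "0.99900", "date": "2026-01-01"},
  {"cve": "CVE-2099-0003", "epss": "0.00100", "percentile": "0.30000", "date": "2026-01-01"},
  {"cve": "CVE-2099-0004", "epss": "0.02000", "percentile": "0.88000", "date": "2026-01-01"}
]}
"""

# Constructed asset inventory: CVSS base score and whether CISA KEV lists the CVE.
# CVE-2099-0003 is the "CVSS 9.8 at 0.1% EPSS" case from the text; CVE-2099-0002
# is the "CVSS 7.5 at 90% EPSS" case.
INVENTORY = {
    "CVE-2099-0001": {"cvss": 6.3, "kev": False},
    "CVE-2099-0002": {"cvss": 7.5, "kev": False},
    "CVE-2099-0003": {"cvss": 9.8, "kev": False},
    "CVE-2099-0004": {"cvss": 5.4, "kev": True},
}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    epss: float        # probability in [0, 1]
    percentile: float  # share of scored CVEs at or below this score, in [0, 1]
    kev: bool


def parse_epss(payload: str) -> dict[str, tuple[float, float]]:
    """Map CVE -> (epss, percentile). Numbers arrive as strings, so convert them."""
    doc = json.loads(payload)
    if doc.get("status") != "OK":
        raise ValueError("EPSS lookup failed: %r" % doc.get("status"))
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in doc["data"]}


def fmt_epss(epss: float, percentile: float) -> str:
    """Render a score the way the table above does, e.g. '0.05% (14.0th)'.
    Rounding to two decimals is why many distinct raw scores display as 0.05%."""
    return "%.2f%% (%.1fth)" % (epss * 100, percentile * 100)


def tier(f: Finding) -> str:
    """Illustrative policy (assumption): exploitation evidence outranks severity.
    P1: KEV-listed or EPSS >= 50%            -> patch now
    P2: EPSS >= 10%, or CVSS >= 9.0 with EPSS >= 1%  -> this cycle
    P3: CVSS >= 7.0                          -> normal cycle
    P4: everything else                      -> backlog, re-check as EPSS moves
    """
    if f.kev or f.epss >= 0.50:
        return "P1"
    if f.epss >= 0.10 or (f.cvss >= 9.0 and f.epss >= 0.01):
        return "P2"
    if f.cvss >= 7.0:
        return "P3"
    return "P4"


def prioritize(epss_payload: str, inventory: dict) -> list[tuple[str, str]]:
    """Return (cve, tier) pairs sorted by tier, then EPSS desc, then CVSS desc.
    A CVE missing from the EPSS data (too new to be scored) falls back to
    CVSS-only handling rather than being dropped."""
    scores = parse_epss(epss_payload)
    findings = []
    for cve, meta in inventory.items():
        epss, pct = scores.get(cve, (0.0, 0.0))
        findings.append(Finding(cve, meta["cvss"], epss, pct, meta["kev"]))
    findings.sort(key=lambda f: (tier(f), -f.epss, -f.cvss))
    return [(f.cve, tier(f)) for f in findings]


if __name__ == "__main__":
    scores = parse_epss(SAMPLE_EPSS_JSON)
    for cve, t in prioritize(SAMPLE_EPSS_JSON, INVENTORY):
        epss, pct = scores[cve]
        print(t, cve, "CVSS", INVENTORY[cve]["cvss"], "EPSS", fmt_epss(epss, pct))
```

Run as written, the CVSS 7.5 finding at 90% EPSS and the KEV-listed CVSS 5.4 finding land in P1, the CVSS 9.8 finding at 0.1% EPSS drops to P3, and the CVSS 6.3 finding at 0.05% (the level of every row in the table above) goes to the P4 backlog. The thresholds are the part to tune per organisation; the ordering of the inputs (KEV, then EPSS, then CVSS) is the point the section makes.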
