Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days. The EPSS Score column is that probability shown as a percentage; the Percentile column is the CVE's position among all CVEs that currently have an EPSS score (13.7th means roughly 86% of scored CVEs have a higher probability); CVSS is the separate severity score.

Summary statistics for the full ranking:

- 164 CVEs with EPSS > 50%
- 156 CVEs listed in CISA KEV (Known Exploited Vulnerabilities)
- 35,468 CVEs with an EPSS score
- 0.7% average EPSS score

This page shows ranks 7601 to 7650. Every entry here scores 0.04% to 0.05% (about the 13th percentile), far below the EPSS > 50% tier counted above.
Rank  CVE ID           EPSS   Pctl    CVSS  Summary
(The Flags column is empty for every row on this page; summaries are truncated at a fixed width in the source.)

7601  CVE-2025-7895    0.05%  13.7th  6.3   This critical vulnerability in MoneyPrinterTurbo allows remote attackers to upload arbitrary files w
7602  CVE-2025-64381   0.05%  13.6th  6.5   This stored cross-site scripting (XSS) vulnerability in the Booking Calendar WordPress plugin allows
7603  CVE-2025-64383   0.05%  13.6th  6.5   This stored cross-site scripting (XSS) vulnerability in the Qi Blocks WordPress plugin allows attack
7604  CVE-2024-13580   0.05%  13.7th  4.3   The XV Random Quotes WordPress plugin through version 1.40 lacks CSRF protection in its settings upd
7605  CVE-2025-12136   0.05%  13.5th  6.8   This SSRF vulnerability in the Real Cookie Banner WordPress plugin allows authenticated administrato
7606  CVE-2025-10567   0.05%  13.7th  6.3   This vulnerability allows attackers to conduct reflected cross-site scripting (XSS) attacks against
7607  CVE-2025-33023   0.05%  13.8th  4.1   This vulnerability allows authenticated remote attackers with high privileges to upload arbitrary fi
7608  CVE-2025-66090   0.05%  13.6th  6.5   This DOM-based XSS vulnerability in the SKT Skill Bar WordPress plugin allows attackers to inject ma
7609  CVE-2025-66091   0.05%  13.6th  6.5   This DOM-based XSS vulnerability in the Stylish Cost Calculator WordPress plugin allows attackers to
7610  CVE-2024-0131    0.05%  13.8th  4.4   The NVIDIA GPU kernel driver for Windows and Linux contains a buffer length validation vulnerability
7611  CVE-2025-66092   0.05%  13.6th  6.5   This stored cross-site scripting (XSS) vulnerability in the Accordion Slider WordPress plugin allows
7612  CVE-2025-66093   0.05%  13.6th  6.5   This DOM-based cross-site scripting (XSS) vulnerability in the Extensions for Leaflet Map WordPress
7613  CVE-2025-52899   0.05%  13.7th  5.3   This vulnerability in Tuleap's forgot password form allows attackers to enumerate valid usernames by
7614  CVE-2025-66098   0.05%  13.6th  6.5   This stored cross-site scripting (XSS) vulnerability in the Travelers' Map WordPress plugin allows a
7615  CVE-2025-53902   0.05%  13.5th  4.3   This CVE describes an authorization bypass vulnerability in Tuleap where authenticated users can acc
7616  CVE-2025-14522   0.05%  13.6th  6.3   This CVE describes an unrestricted file upload vulnerability in baowzh hfly's upload_json.php compon
7617  CVE-2025-62267   0.05%  13.8th  6.1   This CVE describes multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal and DXP tha
7618  CVE-2025-49419   0.05%  13.5th  5.5   This vulnerability in Foxit eSign for WordPress allows unauthorized users to retrieve embedded sensi
7619  CVE-2025-13835   0.05%  13.6th  6.5   This stored XSS vulnerability in the Arconix Shortcodes WordPress plugin allows attackers to inject
7620  CVE-2025-8228    0.05%  13.6th  6.3   This critical vulnerability in ChanCMS allows attackers to perform server-side request forgery (SSRF
7621  CVE-2025-11987   0.05%  13.7th  6.4   The Visual Link Preview WordPress plugin up to version 2.2.7 has a stored XSS vulnerability in its s
7622  CVE-2025-50434   0.05%  13.7th  5.3   This CVE describes an access control vulnerability in Appian Enterprise BPM version 25.3 that could
7623  CVE-2024-57978   0.05%  13.7th  5.5   This CVE describes a NULL pointer dereference vulnerability in the Linux kernel's imx-jpeg media dri
7624  CVE-2023-28907   0.04%  13.4th  6.7   This vulnerability allows an attacker with access to the MIB3 infotainment system's main OS to compr
7625  CVE-2024-13118   0.04%  13.1th  4.3   The IP Based Login WordPress plugin before version 2.4.1 lacks CSRF protection on certain endpoints,
7626  CVE-2025-5546    0.04%  13.3th  6.3   This critical SQL injection vulnerability in PHPGurukul Daily Expense Tracker System allows remote a
7627  CVE-2025-13627   0.04%  13.2th  4.4   The Makesweat WordPress plugin has a stored XSS vulnerability in the 'makesweat_clubid' setting that
7628  CVE-2025-8529    0.04%  13.2th  6.3   This critical vulnerability in cloudfavorites favorites-web allows attackers to perform server-side
7629  CVE-2024-13511   0.04%  13.4th  4.3   This vulnerability allows attackers to reset plugin settings without proper authentication in Variat
7630  CVE-2025-21533   0.04%  13.2th  5.5   This vulnerability in Oracle VM VirtualBox allows a low-privileged attacker with local access to the
7631  CVE-2025-35436   0.04%  13.1th  5.3   CVE-2025-35436 is an uncaught exception vulnerability in CISA Thorium's account verification email h
7632  CVE-2025-64753   0.04%  13.4th  5.3   This vulnerability in grist-core allows users with partial read access to documents to view sensitiv
7633  CVE-2025-5554    0.04%  13.3th  6.3   This critical vulnerability in PHPGurukul Rail Pass Management System 1.0 allows remote attackers to
7634  CVE-2023-52976   0.04%  13.3th  5.5   A NULL pointer dereference vulnerability in the Linux kernel's EFI subsystem could cause kernel pani
7635  CVE-2021-47856   0.04%  13.1th  6.4   Easy Cart Shopping Cart 2021 contains a non-persistent cross-site scripting vulnerability in the sea
7636  CVE-2025-5557    0.04%  13.3th  6.3   This critical SQL injection vulnerability in PHPGurukul Teacher Subject Allocation Management System
7637  CVE-2026-26188   0.04%  13.3th  5.4   The Solspace Freeform plugin for Craft CMS 5.x contains a stored cross-site scripting (XSS) vulnerab
7638  CVE-2024-32123   0.04%  13.1th  6.7   This CVE describes an OS command injection vulnerability in Fortinet FortiManager and FortiAnalyzer
7639  CVE-2021-47908   0.04%  13.1th  6.4   Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parame
7640  CVE-2025-8663    0.04%  13.1th  6.5   This vulnerability in upKeeper Manager logs sensitive domain credentials in log files, potentially e
7641  CVE-2025-9522    0.04%  13.3th  5.3   This CVE describes a blind Server-Side Request Forgery vulnerability in Omada Controllers that allow
7642  CVE-2021-47914   0.04%  13.2th  6.4   PHP Melody 3.0 contains a persistent cross-site scripting vulnerability in the edit-video.php submit
7643  CVE-2025-7616    0.04%  13.3th  5.5   A critical memory corruption vulnerability exists in the pthread_cond_destroy function of gmg137 sna
7644  CVE-2025-10124   0.04%  13.4th  4.5   The Booking Manager WordPress plugin before version 2.1.15 contains a shortcode that deletes booking
7645  CVE-2025-29844   0.04%  13.4th  4.3   This vulnerability allows remote authenticated users to read file metadata and path information thro
7646  CVE-2025-29845   0.04%  13.4th  4.3   This vulnerability allows authenticated users to read .srt subtitle files on Synology Video Station
7647  CVE-2025-5784    0.04%  13.3th  6.3   This critical SQL injection vulnerability in PHPGurukul Employee Record Management System 1.3 allows
7648  CVE-2026-24532   0.04%  13.2th  4.3   This CVE describes a Missing Authorization vulnerability in the SiteLock Security WordPress plugin t
7649  CVE-2025-42996   0.04%  13.4th  5.6   SAP MDM Server has a session fixation vulnerability (CWE-590) that allows attackers to hijack existi
7650  CVE-2022-50942   0.04%  13.3th  5.4   CVE-2022-50942 is a client-side cross-site scripting vulnerability in Icinga Web 2.8.2 that allows a

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by FIRST (the Forum of Incident Response and Security Teams) that estimates the probability a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity under a fixed set of assumptions, EPSS measures likelihood of exploitation, which makes it a better input for deciding which vulnerabilities to patch first. Scores are recomputed daily as new exploitation evidence arrives, so a ranking like the one above is a snapshot and should be refreshed rather than cached.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
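The prioritisation rule the paragraph above describes, written out as a small triage script. This is an added example, not code from the page or from FIRST. The endpoint URL is FIRST's real EPSS API, but the response below is constructed in the API's shape so the script runs offline; the CVE-TEST-* identifiers, their scores, the tier thresholds and the inventory are all assumptions for illustration (only CVE-2025-7895's figures come from the table above). KEV membership is treated as an override, since a KEV listing is confirmed exploitation rather than a prediction.

```python
"""EPSS-driven patch triage (added example; thresholds are this script's own)."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EPSS_API = "https://api.first.org/data/v1/epss"  # FIRST's public EPSS endpoint


def epss_query_url(cve_ids: List[str]) -> str:
    """URL for a batch lookup; the API accepts a comma-separated `cve` list."""
    return f"{EPSS_API}?cve={','.join(cve_ids)}"


# Constructed response in the API's documented shape (epss and percentile are
# strings in [0, 1]).  CVE-2025-7895's values are the ones shown in the table
# (0.05%, 13.7th percentile); the CVE-TEST-* ids and scores are made up.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-2025-7895", "epss": "0.00050", "percentile": "0.13700"},
        {"cve": "CVE-TEST-0001", "epss": "0.90000", "percentile": "0.99900"},
        {"cve": "CVE-TEST-0002", "epss": "0.00100", "percentile": "0.30000"},
        {"cve": "CVE-TEST-0003", "epss": "0.02000", "percentile": "0.88000"},
    ],
})


def parse_epss(raw: str) -> Dict[str, Tuple[float, float]]:
    """Map CVE id -> (probability, percentile); refuse a non-OK response."""
    body = json.loads(raw)
    if body.get("status") != "OK":
        raise ValueError(f"EPSS API returned status {body.get('status')!r}")
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in body.get("data", [])}


@dataclass
class Finding:
    cve: str
    cvss: float
    in_kev: bool = False           # on CISA's Known Exploited Vulnerabilities list
    epss: Optional[float] = None   # None: no EPSS score published for this CVE


def tier(f: Finding) -> int:
    """Patch tier 1 (first) .. 4 (last).  Thresholds are an assumption."""
    p = f.epss if f.epss is not None else 0.0   # unscored CVEs fall back to CVSS
    if f.in_kev or p >= 0.50:                   # confirmed or very likely exploitation
        return 1
    if p >= 0.10 or f.cvss >= 9.0:              # likely exploitation, or critical severity
        return 2
    if p >= 0.01 or f.cvss >= 7.0:              # some likelihood, or high severity
        return 3
    return 4


def prioritise(findings: List[Finding],
               epss: Dict[str, Tuple[float, float]]) -> List[Finding]:
    """Attach EPSS probabilities and order findings for patching."""
    for f in findings:
        if f.cve in epss:
            f.epss = epss[f.cve][0]
    # Tier first, then higher likelihood, then higher severity.
    return sorted(findings, key=lambda f: (tier(f), -(f.epss or 0.0), -f.cvss))


# Constructed inventory; only CVE-2025-7895 is a real entry from this page.
INVENTORY = [
    Finding("CVE-2025-7895", cvss=6.3),
    Finding("CVE-TEST-0001", cvss=7.5),              # high CVSS, 90% EPSS
    Finding("CVE-TEST-0002", cvss=9.8),              # critical CVSS, 0.1% EPSS
    Finding("CVE-TEST-0003", cvss=5.0, in_kev=True),  # medium CVSS, but in KEV
    Finding("CVE-TEST-0004", cvss=8.1),              # no EPSS score at all
]

if __name__ == "__main__":
    ranked = prioritise(INVENTORY, parse_epss(SAMPLE_EPSS_RESPONSE))
    for f in ranked:
        score = "n/a" if f.epss is None else f"{f.epss:.2%}"
        print(f"P{tier(f)}  {f.cve:14}  CVSS {f.cvss:<4}  EPSS {score:>7}  KEV={f.in_kev}")
```

Run as written, the CVSS 7.5 finding with 90% EPSS lands in tier 1 ahead of the CVSS 9.8 finding with 0.1% EPSS, which is exactly the ordering the paragraph argues for; the KEV entry also lands in tier 1 despite its 5.0 CVSS. For a live run, fetch `epss_query_url(...)` over HTTPS and pass the body to `parse_epss`.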
