Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary
7851 | CVE-2025-6142 | 0.04% | 12.8th | 6.3 | | This critical vulnerability in Intera InHire allows remote attackers to perform server-side request
7852 | CVE-2025-62784 | 0.04% | 12.8th | 5.3 | | This vulnerability allows item duplication in Minecraft servers using the InventoryGui library when
7853 | CVE-2025-55078 | 0.04% | 13th | 5.5 | | This vulnerability in Eclipse ThreadX allows attackers to cause denial of service by providing point
7854 | CVE-2025-11812 | 0.04% | 12.8th | 6.4 | | The Reuse Builder WordPress plugin has a stored XSS vulnerability in all versions up to 1.7. Authent
7855 | CVE-2022-49214 | 0.04% | 13.1th | 5.5 | | This CVE describes a Linux kernel bug on PowerPC systems where SLB (Segment Lookaside Buffer) faults
7856 | CVE-2026-24868 | 0.04% | 12.8th | 6.5 | | This CVE describes a mitigation bypass vulnerability in Firefox's Privacy: Anti-Tracking component t
7857 | CVE-2025-13054 | 0.04% | 13th | 6.4 | | This vulnerability allows authenticated WordPress users with contributor-level access or higher to i
7858 | CVE-2025-65829 | 0.04% | 13.1th | 6.8 | | This CVE describes a missing Secure Boot implementation on ESP32 SoC devices, specifically affecting
7859 | CVE-2025-52023 | 0.04% | 13.1th | 5.3 | | This vulnerability in gemscms.aptsys.com.sg's PHP backend allows unauthenticated remote attackers to
7860 | CVE-2025-11869 | 0.04% | 13th | 6.4 | | The Precise Columns WordPress plugin has a stored XSS vulnerability in the wrap_id shortcode attribu
7861 | CVE-2025-14507 | 0.04% | 13.1th | 5.3 | | The EventPrime WordPress plugin exposes sensitive booking data through its REST API to unauthenticat
7862 | CVE-2026-25729 | 0.04% | 13th | 6.5 | | DeepAudit versions 3.0.4 and earlier contain an improper access control vulnerability in the /api/v1
7863 | CVE-2025-11891 | 0.04% | 12.8th | 5.3 | | The Shelf Planner WordPress plugin exposes sensitive information through publicly accessible log fil
7864 | CVE-2025-13971 | 0.04% | 12.9th | 4.4 | | The TWW Protein Calculator WordPress plugin has a stored XSS vulnerability in its 'Header' setting t
7865 | CVE-2025-47521 | 0.04% | 13th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in Robo Gallery WordPress plugin allows attacke
7866 | CVE-2025-64100 | 0.04% | 13th | 6.1 | | This vulnerability allows attackers to fix session IDs in CKAN when server-side session storage is c
7867 | CVE-2025-11763 | 0.04% | 12.8th | 6.4 | | The Display Pages Shortcode WordPress plugin has a stored XSS vulnerability in the 'column_count' pa
7868 | CVE-2025-47525 | 0.04% | 13th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in Bold Page Builder WordPress plugin allows at
7869 | CVE-2025-11764 | 0.04% | 13th | 6.4 | | This vulnerability allows authenticated WordPress users with contributor-level access or higher to i
7870 | CVE-2025-11806 | 0.04% | 12.8th | 6.4 | | The Qzzr Shortcode WordPress plugin has a stored XSS vulnerability that allows authenticated attacke
7871 | CVE-2025-25736 | 0.04% | 12.9th | 6.8 | | This vulnerability allows unauthenticated attackers to gain root shell access to Kapsch TrafficCom R
7872 | CVE-2025-11765 | 0.04% | 13th | 6.4 | | The Stock Tools WordPress plugin has a stored XSS vulnerability in all versions up to 1.1. Authentic
7873 | CVE-2025-11767 | 0.04% | 13th | 6.4 | | The Tips Shortcode WordPress plugin has a stored cross-site scripting vulnerability that allows auth
7874 | CVE-2025-7677 | 0.04% | 12.9th | 5.9 | | This vulnerability in ASPECT software allows unauthorized users with local network access to cause a
7875 | CVE-2025-11768 | 0.04% | 13th | 6.4 | | The Islamic Phrases WordPress plugin has a stored XSS vulnerability that allows authenticated attack
7876 | CVE-2025-11770 | 0.04% | 13th | 6.4 | | The BrightTALK WordPress Shortcode plugin has a stored XSS vulnerability that allows authenticated a
7877 | CVE-2025-51734 | 0.04% | 13th | 5.4 | | A cross-site scripting (XSS) vulnerability in HCL Unica 12.0.0 allows attackers to inject malicious
7878 | CVE-2025-47946 | 0.04% | 12.8th | 6.1 | | This vulnerability in Symfony UX allows HTML attribute injection and cross-site scripting (XSS) atta
7879 | CVE-2025-11799 | 0.04% | 12.8th | 6.4 | | The Affiliate AI Lite WordPress plugin has a stored XSS vulnerability in all versions up to 1.0.1. A
7880 | CVE-2025-66459 | 0.04% | 13th | 6.1 | | Lookyloo versions before 1.35.3 contain a cross-site scripting (XSS) vulnerability where malicious H
7881 | CVE-2025-11800 | 0.04% | 13th | 6.4 | | The Surbma | MiniCRM Shortcode WordPress plugin has a stored XSS vulnerability that allows authentic
7882 | CVE-2025-11801 | 0.04% | 13th | 6.4 | | The AudioTube WordPress plugin has a stored XSS vulnerability in the 'caption' attribute of its shor
7883 | CVE-2025-11802 | 0.04% | 13th | 6.4 | | The Bulma Shortcodes WordPress plugin has a stored XSS vulnerability in the 'bulma-notification' sho
7884 | CVE-2022-50590 | 0.04% | 12.9th | 5.3 | | This vulnerability allows remote unauthenticated attackers to exploit a type confusion flaw in Suite
7885 | CVE-2025-11857 | 0.04% | 12.8th | 6.4 | | The XX2WP Integration Tools WordPress plugin has a stored XSS vulnerability in the 'mxp_fb2wp_displa
7886 | CVE-2024-13115 | 0.04% | 13th | 6.1 | | This vulnerability in the WP Projects Portfolio with Client Testimonials WordPress plugin allows att
7887 | CVE-2026-26079 | 0.04% | 13th | 4.7 | | This CVE allows CSS injection in Roundcube Webmail due to improper handling of comments. Attackers c
7888 | CVE-2025-64705 | 0.04% | 12.9th | 4.3 | | CVE-2025-64705 is an information disclosure vulnerability in Frappe Learning Management System (LMS)
7889 | CVE-2025-12651 | 0.04% | 13th | 6.4 | | This stored XSS vulnerability in the Live Photos WordPress plugin allows authenticated attackers wit
7890 | CVE-2025-11270 | 0.04% | 13th | 6.4 | | This stored XSS vulnerability in the Gutenberg Essential Blocks WordPress plugin allows authenticate
7891 | CVE-2025-12660 | 0.04% | 12.8th | 6.4 | | The Padlet Shortcode WordPress plugin has a stored XSS vulnerability that allows authenticated attac
7892 | CVE-2025-12658 | 0.04% | 12.8th | 6.4 | | The Preload Current Images WordPress plugin has a stored XSS vulnerability that allows authenticated
7893 | CVE-2026-1514 | 0.04% | 12.9th | 6.5 | | CVE-2026-1514 is an incorrect authorization vulnerability in 2100 Technology's Official Document Man
7894 | CVE-2025-12661 | 0.04% | 12.8th | 6.4 | | The Pollcaster Shortcode Plugin for WordPress has a stored XSS vulnerability in the 'height' paramet
7895 | CVE-2025-12663 | 0.04% | 12.8th | 6.4 | | The Jeba Cute forkit WordPress plugin has a stored XSS vulnerability that allows authenticated attac
7896 | CVE-2025-10048 | 0.04% | 13.1th | 4.9 | | This SQL injection vulnerability in the My auctions allegro WordPress plugin allows authenticated at
7897 | CVE-2025-47592 | 0.04% | 13th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Legal Terms and Conditions Popup for Use
7898 | CVE-2024-55075 | 0.04% | 12.9th | 4.3 | | This vulnerability in Grocy allows remote attackers to access sensitive information by directly requ
7899 | CVE-2025-12667 | 0.04% | 12.8th | 6.4 | | The GitHub Gist Shortcode Plugin for WordPress has a stored cross-site scripting vulnerability that
7900 | CVE-2025-12668 | 0.04% | 12.8th | 6.4 | | The WP Count Down Timer WordPress plugin has a stored XSS vulnerability that allows authenticated at

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, making it well suited to prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
