Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:

EPSS > 50%:      164 CVEs
CISA KEV Listed: 156 CVEs
CVEs with EPSS:  35,468
Avg EPSS Score:  0.7%
Rank  CVE ID          EPSS   Percentile  CVSS  Flags  Summary
8001  CVE-2025-43551  0.04%  12.5th      5.5          Substance3D Stager versions 3.1.1 and earlier contain an out-of-bounds read vulnerability that could
8002  CVE-2026-1978   0.04%  12.5th      5.3          A direct request vulnerability in kalyan02 NanoCMS up to version 0.4 allows attackers to remotely ma
8003  CVE-2025-64294  0.04%  12.5th      5.3          This CVE describes a missing authorization vulnerability in the WP Snow Effect WordPress plugin that
8004  CVE-2025-48252  0.04%  12.6th      6.5          This stored cross-site scripting (XSS) vulnerability in the WPFactory Back Button Widget WordPress p
8005  CVE-2025-48254  0.04%  12.6th      6.5          This stored cross-site scripting (XSS) vulnerability in the WPFactory Change Add to Cart Button Text
8006  CVE-2025-7700   0.04%  12.6th      5.3          This vulnerability in FFmpeg's ALS audio decoder allows attackers to cause denial of service by cras
8007  CVE-2025-60639  0.04%  12.6th      6.5          This CVE involves hardcoded credentials in the ATLAS-EPIC software, allowing attackers to gain unaut
8008  CVE-2025-38145  0.04%  12.7th      5.5          A NULL pointer dereference vulnerability exists in the Linux kernel's aspeed_lpc_enable_snoop() func
8009  CVE-2025-48256  0.04%  12.6th      6.5          This stored cross-site scripting (XSS) vulnerability in the WordPress Import Social Events plugin al
8010  CVE-2025-66306  0.04%  12.7th      4.3          Grav CMS versions before 1.8.0-beta.27 contain an IDOR vulnerability in the admin panel that allows
8011  CVE-2025-5975   0.04%  12.4th      4.3          This cross-site scripting (XSS) vulnerability in PHPGurukul Rail Pass Management System allows attac
8012  CVE-2025-14110  0.04%  12.5th      6.4          The WP Js List Pages Shortcodes WordPress plugin has a stored XSS vulnerability in all versions up t
8013  CVE-2025-47220  0.04%  12.5th      5.3          This vulnerability allows admin users in Keyfactor SignServer to enumerate local files by setting th
8014  CVE-2025-48263  0.04%  12.6th      6.5          This stored cross-site scripting (XSS) vulnerability in MultiVendorX WordPress plugin allows attacke
8015  CVE-2025-48270  0.04%  12.6th      6.5          This DOM-based Cross-Site Scripting (XSS) vulnerability in the SKT Blocks WordPress plugin allows at
8016  CVE-2025-53637  0.04%  12.6th      4.1          This CVE describes a command injection vulnerability in Meshtastic's GitHub Actions workflow that al
8017  CVE-2026-24777  0.04%  12.4th      6.7          OpenProject versions before 17.0.2 contain a missing authorization vulnerability where users with 'M
8018  CVE-2025-12289  0.04%  12.5th      4.3          This vulnerability allows attackers to execute cross-site scripting (XSS) attacks by manipulating th
8019  CVE-2025-12290  0.04%  12.5th      4.3          This vulnerability allows attackers to inject malicious scripts into the Suishang Enterprise-Level B
8020  CVE-2025-12351  0.04%  12.6th      6.8          Honeywell S35 Series Cameras have an authorization bypass vulnerability in the user controller key t
8021  CVE-2025-14555  0.04%  12.5th      6.4          This stored XSS vulnerability in the Countdown Timer WordPress plugin allows authenticated attackers
8022  CVE-2025-43541  0.04%  12.7th      4.3          A type confusion vulnerability in Apple's Safari browser and related operating systems could cause u
8023  CVE-2025-5144   0.04%  12.6th      6.4          This vulnerability allows authenticated WordPress users with Contributor-level access or higher to i
8024  CVE-2025-48132  0.04%  12.6th      6.5          This stored cross-site scripting (XSS) vulnerability in pencilwp X Addons for Elementor allows attac
8025  CVE-2025-46261  0.04%  12.7th      5.9          This stored cross-site scripting (XSS) vulnerability in the Seriously Simple Podcasting WordPress pl
8026  CVE-2025-11879  0.04%  12.5th      6.5          The GenerateBlocks WordPress plugin has an authorization bypass vulnerability that allows authentica
8027  CVE-2025-64296  0.04%  12.5th      5.3          This CVE describes a missing authorization vulnerability in Facebook for WooCommerce plugin that all
8028  CVE-2025-11705  0.04%  12.6th      6.5          This vulnerability in the Anti-Malware Security and Brute-Force Firewall WordPress plugin allows aut
8029  CVE-2024-57839  0.04%  12.7th      5.5          A Linux kernel readahead vulnerability causes occasional system hangs when used with NFS (Network Fi
8030  CVE-2025-11439  0.04%  12.4th      4.3          This vulnerability allows unauthorized access to the /show/integrations endpoint in JhumanJ OpnForm
8031  CVE-2025-49042  0.04%  12.4th      5.9          This stored cross-site scripting (XSS) vulnerability in WooCommerce allows attackers to inject malic
8032  CVE-2025-5732   0.04%  12.6th      4.3          This vulnerability allows attackers to perform Cross-Site Request Forgery (CSRF) attacks against the
8033  CVE-2025-62018  0.04%  12.6th      5.3          This CVE describes a missing authorization vulnerability in the Kallyas WordPress theme that allows
8034  CVE-2025-11440  0.04%  12.4th      4.3          This vulnerability in JhumanJ OpnForm up to version 1.9.3 allows improper access controls via the /e
8035  CVE-2025-46443  0.04%  12.7th      4.9          This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the Adam Pery Animate WordP
8036  CVE-2025-54791  0.04%  12.7th      5.3          This vulnerability in OMERO.web's password reset functionality allows information disclosure about u
8037  CVE-2025-64199  0.04%  12.6th      5.3          This CVE describes a missing authorization vulnerability in the WpEstate wpresidence WordPress theme
8038  CVE-2025-48095  0.04%  12.4th      5.9          This stored XSS vulnerability in the Survey Maker WordPress plugin allows attackers to inject malici
8039  CVE-2025-64200  0.04%  12.4th      5.9          This stored XSS vulnerability in VillaTheme's Email Template Customizer for WooCommerce plugin allow
8040  CVE-2026-0853   0.04%  12.5th      5.3          Certain A-Plus Video Technologies NVR models expose sensitive device status information through an u
8041  CVE-2025-53743  0.04%  12.6th      5.3          Jenkins Applitools Eyes Plugin versions 1.16.5 and earlier expose Applitools API keys in plain text
8042  CVE-2025-64211  0.04%  12.6th      5.3          This CVE describes a missing authorization vulnerability in the Masterstudy Elementor Widgets WordPr
8043  CVE-2025-53821  0.04%  12.7th      4.7          This CVE describes an Open Redirect vulnerability in WeGIA web management software where attackers c
8044  CVE-2025-54076  0.04%  12.4th      6.5          A reflected cross-site scripting (XSS) vulnerability in WeGIA versions before 3.4.6 allows attackers
8045  CVE-2025-49374  0.04%  12.6th      5.3          This Server-Side Request Forgery (SSRF) vulnerability in the captcha.eu WordPress plugin allows atta
8046  CVE-2025-54078  0.04%  12.4th      6.5          A reflected cross-site scripting (XSS) vulnerability in WeGIA web management software allows attacke
8047  CVE-2022-49406  0.04%  12.7th      5.5          A race condition vulnerability in the Linux kernel's block layer could cause a deadlock when reading
8048  CVE-2025-52517  0.04%  12.6th      5.9          A race condition vulnerability in the issimian device driver for Samsung Exynos processors causes a
8049  CVE-2025-49899  0.04%  12.6th      5.3          This vulnerability allows unauthorized users to access functionality that should be restricted by pr
8050  CVE-2025-68275  0.04%  12.5th      4.8          ChurchCRM versions before 6.5.3 have a stored cross-site scripting vulnerability on three people man

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
