Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Rank  CVE ID          EPSS   Percentile  CVSS  Flags  Summary
8101  CVE-2025-13085  0.04%  12.7th      4.3   -      The SiteSEO WordPress plugin up to version 1.3.2 has an authorization flaw that allows authenticated
8102  CVE-2025-21833  0.04%  12.7th      5.5   -      This CVE addresses a NULL pointer dereference vulnerability in the Linux kernel's Intel VT-d (Virtua
8103  CVE-2025-30934  0.04%  12.6th      5.3   -      This CVE describes a Missing Authorization vulnerability in the OLIVESYSTEM Diagnosis Generator Word
8104  CVE-2025-66370  0.04%  12.5th      5.0   -      Kivitendo ERP software versions before 3.9.2 contain an XML External Entity (XXE) injection vulnerab
8105  CVE-2025-62189  0.04%  12.6th      4.3   -      LogStare Collector has an incorrect authorization vulnerability in UserRegistration that allows non-
8106  CVE-2025-13966  0.04%  12.5th      6.4   -      The PayPal Payment Shortcode WordPress plugin (versions up to 1.01) has a stored XSS vulnerability i
8107  CVE-2025-48878  0.04%  12.4th      4.3   -      This vulnerability allows authenticated users with Service Desk Agent permissions in Combodo iTop to
8108  CVE-2025-10938  0.04%  12.6th      6.5   -      The UiPress Lite WordPress plugin has a vulnerability that allows authenticated attackers with subsc
8109  CVE-2025-32098  0.04%  12.5th      5.3   -      This vulnerability allows attackers to gain SYSTEM privileges on Windows systems by exploiting insec
8110  CVE-2025-10819  0.04%  12.7th      4.3   -      This vulnerability in fuyang_lipengjun platform 1.0 allows unauthorized access to user coupon data t
8111  CVE-2025-30945  0.04%  12.7th      5.3   -      This CVE describes a missing authorization vulnerability in the Taskbuilder WordPress plugin that al
8112  CVE-2025-10820  0.04%  12.7th      4.3   -      This vulnerability in the fuyang_lipengjun platform 1.0 allows unauthorized access to the TopicContr
8113  CVE-2025-13989  0.04%  12.5th      6.4   -      The WP Dropzone WordPress plugin has a stored XSS vulnerability that allows authenticated attackers
8114  CVE-2025-10821  0.04%  12.7th      4.3   -      This vulnerability allows unauthorized access to topic category data in fuyang_lipengjun platform 1.
8115  CVE-2025-57943  0.04%  12.7th      4.4   -      This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the Skimlinks Affiliate Mar
8116  CVE-2025-8195   0.04%  12.5th      6.4   -      The JetWidgets For Elementor WordPress plugin has a stored cross-site scripting vulnerability that a
8117  CVE-2025-10822  0.04%  12.7th      4.3   -      CVE-2025-10822 is an improper authorization vulnerability in the fuyang_lipengjun platform 1.0 that
8118  CVE-2025-64503  0.04%  12.7th      4.0   -      CVE-2025-64503 is an integer overflow vulnerability in cups-filters' pdftoraster tool that can lead
8119  CVE-2025-21162  0.04%  12.6th      5.5   -      Photoshop Elements 2025.0 and earlier versions contain a vulnerability where temporary files are cre
8120  CVE-2025-14143  0.04%  12.5th      6.4   -      The Ayo Shortcodes WordPress plugin has a stored XSS vulnerability in the 'color' parameter of the a
8121  CVE-2025-56499  0.04%  12.6th      6.5   -      This vulnerability in mihomo v1.19.11 allows authenticated attackers with low-level privileges to re
8122  CVE-2025-15009  0.04%  12.4th      6.3   -      CVE-2025-15009 is an arbitrary file upload vulnerability in ChestnutCMS up to version 1.5.8 that all
8123  CVE-2025-66027  0.04%  12.6th      6.5   -      This CVE describes an information disclosure vulnerability in Rallly, an open-source scheduling tool
8124  CVE-2025-62970  0.04%  12.6th      5.3   -      This CVE describes a Missing Authorization vulnerability in the Link Whisper Free WordPress plugin t
8125  CVE-2025-62973  0.04%  12.6th      5.3   -      This CVE describes a missing authorization vulnerability in the BuddyForms WordPress plugin that all
8126  CVE-2022-49255  0.04%  12.7th      5.5   -      CVE-2022-49255 is a Linux kernel vulnerability in the F2FS filesystem where the f2fs_handle_fai
8127  CVE-2025-62976  0.04%  12.6th      5.3   -      This CVE describes a missing authorization vulnerability in the Joovii Sendle Shipping WordPress plu
8128  CVE-2025-62977  0.04%  12.6th      5.3   -      This CVE describes a Missing Authorization vulnerability in the 沃之涛 百度站长SEO合集 Word
8129  CVE-2025-14885  0.04%  12.4th      6.3   -      This vulnerability allows remote attackers to upload arbitrary files to SourceCodester Client Databa
8130  CVE-2025-13802  0.04%  12.5th      4.3   -      This CVE describes a cross-site scripting (XSS) vulnerability in the 'Make a Reservation' component
8131  CVE-2025-36149  0.04%  12.5th      6.3   -      IBM Concert Software versions 1.0.0 through 2.0.0 contain a clickjacking vulnerability (CWE-1021) th
8132  CVE-2025-23039  0.04%  12.5th      5.2   -      A Cross-Site Scripting (XSS) vulnerability in Caido v0.45.0 allows attackers to execute arbitrary Ja
8133  CVE-2025-11973  0.04%  12.7th      4.9   -      The 简数采集器 WordPress plugin has an arbitrary file read vulnerability in versions up to 2.6.
8134  CVE-2024-38825  0.04%  12.7th      6.4   -      This vulnerability allows attackers to bypass PKI authentication in SaltStack by presenting only a p
8135  CVE-2025-54990  0.04%  12.6th      5.3   -      This vulnerability allows non-admin users to access the AdminTools.SpammedPages page in XWiki AdminT
8136  CVE-2025-42897  0.04%  12.6th      5.3   -      This CVE describes an information disclosure vulnerability in SAP Business One's anonymous API withi
8137  CVE-2025-49241  0.04%  12.7th      5.3   -      This CVE describes a Missing Authorization vulnerability in the oik WordPress plugin that allows att
8138  CVE-2021-47725  0.04%  12.7th      5.4   -      This cross-site scripting vulnerability in STVS ProVision 5.9.10 allows authenticated attackers to i
8139  CVE-2025-64264  0.04%  12.4th      5.9   -      This stored cross-site scripting (XSS) vulnerability in the Aman Popup addon for Ninja Forms allows
8140  CVE-2025-54962  0.04%  12.6th      6.4   -      This vulnerability allows authenticated users to upload arbitrary files (like .html or .svg) through
8141  CVE-2025-61931  0.04%  12.7th      5.4   -      Pleasanter contains a stored cross-site scripting vulnerability in Body, Description, and Comments f
8142  CVE-2025-43782  0.04%  12.7th      4.3   -      An Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal and DXP allows authentica
8143  CVE-2025-50709  0.04%  12.7th      4.3   -      This vulnerability in Perplexity AI GPT-4 allows remote attackers to access sensitive information th
8144  CVE-2025-7481   0.04%  12.7th      6.3   -      This critical SQL injection vulnerability in PHPGurukul Vehicle Parking Management System allows att
8145  CVE-2025-43903  0.04%  12.7th      4.3   -      This vulnerability in Poppler's PDF processing library allows attackers to forge digital signatures
8146  CVE-2025-13977  0.04%  12.5th      6.4   -      This stored XSS vulnerability in the Essential Addons for Elementor WordPress plugin allows authenti
8147  CVE-2025-57984  0.04%  12.7th      4.4   -      This SSRF vulnerability in the MakeStories WordPress plugin allows attackers to make unauthorized re
8148  CVE-2025-62720  0.04%  12.6th      6.5   -      This vulnerability in LinkAce allows any authenticated user to export the entire database of links,
8149  CVE-2025-49461  0.04%  12.5th      4.3   -      A cross-site scripting vulnerability in certain Zoom Workplace Clients allows unauthenticated attack
8150  CVE-2025-49268  0.04%  12.7th      5.3   -      This CVE describes a missing authorization vulnerability in Soft8Soft LLC's Verge3D plugin for WordP

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
