Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

164 CVEs with EPSS > 50%
156 CISA KEV listed
35,468 CVEs with EPSS
0.7% average EPSS score
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 8151 | CVE-2025-62721 | 0.04% | 12.6th | 6.5 | | This vulnerability in LinkAce allows any authenticated user to access all links, lists, and tags fro |
| 8152 | CVE-2024-13510 | 0.04% | 12.5th | 6.1 | | The ShopSite WordPress plugin has a Cross-Site Request Forgery vulnerability that allows attackers t |
| 8153 | CVE-2024-13522 | 0.04% | 12.5th | 6.1 | | This CSRF vulnerability in the magayo Lottery Results WordPress plugin allows attackers to trick adm |
| 8154 | CVE-2025-63384 | 0.04% | 12.6th | 6.5 | | This vulnerability in RISC-V Rocket-Chip allows privilege escalation by failing to properly downgrad |
| 8155 | CVE-2025-43754 | 0.04% | 12.7th | 5.3 | | This CVE describes a username enumeration vulnerability in Liferay Portal and DXP where attackers ca |
| 8156 | CVE-2025-49270 | 0.04% | 12.6th | 5.3 | | This vulnerability allows unauthorized users to access functionality that should be restricted by ac |
| 8157 | CVE-2025-64276 | 0.04% | 12.6th | 6.5 | | This CVE describes a missing authorization vulnerability in the Ays Pro Survey Maker WordPress plugi |
| 8158 | CVE-2025-64277 | 0.04% | 12.5th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the QuantumCloud ChatBot WordPress plugi |
| 8159 | CVE-2025-7489 | 0.04% | 12.7th | 6.3 | | This critical SQL injection vulnerability in PHPGurukul Vehicle Parking Management System allows rem |
| 8160 | CVE-2025-47632 | 0.04% | 12.6th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Awesome Gallery WordPress plugin allows |
| 8161 | CVE-2025-14385 | 0.04% | 12.5th | 6.4 | | The WP Recipe Maker WordPress plugin has a stored XSS vulnerability in the 'name' parameter of the w |
| 8162 | CVE-2025-64369 | 0.04% | 12.6th | 6.5 | | This CVE describes a missing authorization vulnerability in the Contact Form Email WordPress plugin |
| 8163 | CVE-2025-64370 | 0.04% | 12.5th | 5.3 | | This CVE describes a missing authorization vulnerability in the YOP Poll WordPress plugin that allow |
| 8164 | CVE-2025-66059 | 0.04% | 12.6th | 5.3 | | This vulnerability in Seriously Simple Podcasting WordPress plugin allows unauthorized users to retr |
| 8165 | CVE-2025-66060 | 0.04% | 12.6th | 5.3 | | This CVE describes a missing authorization vulnerability in the Seriously Simple Podcasting WordPres |
| 8166 | CVE-2025-53858 | 0.04% | 12.7th | 5.4 | | ChatLuck contains a cross-site scripting (XSS) vulnerability in its Chat Rooms feature that allows a |
| 8167 | CVE-2024-48894 | 0.04% | 12.6th | 5.9 | | This CVE describes a cleartext transmission vulnerability in Socomec DIRIS Digiware M-70's WEBVIEW-M |
| 8168 | CVE-2025-13704 | 0.04% | 12.5th | 6.4 | | The Autogen Headers Menu WordPress plugin has a stored XSS vulnerability that allows authenticated a |
| 8169 | CVE-2025-66065 | 0.04% | 12.6th | 5.3 | | This CVE describes a missing authorization vulnerability in the Gutenverse WordPress plugin that all |
| 8170 | CVE-2026-21851 | 0.04% | 12.6th | 5.3 | | This CVE describes a Path Traversal (Zip Slip) vulnerability in MONAI's _download_from_ngc_private() |
| 8171 | CVE-2025-13793 | 0.04% | 12.5th | 4.3 | | This CVE describes a cross-site scripting (XSS) vulnerability in the winston-dsouza Ecommerce-Websit |
| 8172 | CVE-2025-13404 | 0.04% | 12.5th | 5.3 | | The atec Duplicate Page & Post WordPress plugin has an authorization vulnerability that allows authe |
| 8173 | CVE-2025-14074 | 0.04% | 12.7th | 5.3 | | The PDF for Contact Form 7 + Drag and Drop Template Builder WordPress plugin has an authorization by |
| 8174 | CVE-2025-13967 | 0.04% | 12.5th | 6.4 | | The Woodpecker for WordPress plugin has a stored cross-site scripting vulnerability in the 'form_nam |
| 8175 | CVE-2026-22646 | 0.04% | 12.6th | 4.3 | | This CVE describes an information disclosure vulnerability where error messages reveal internal syst |
| 8176 | CVE-2025-60135 | 0.04% | 12.4th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the WeShare Buttons WordPress plugin allows |
| 8177 | CVE-2025-43788 | 0.04% | 12.7th | 4.3 | | This vulnerability allows authenticated users in Liferay Portal/DXP to enumerate all organizations w |
| 8178 | CVE-2025-66086 | 0.04% | 12.6th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Cozy Vision SMS Alert Order Notifica |
| 8179 | CVE-2025-66087 | 0.04% | 12.6th | 5.3 | | This CVE describes a missing authorization vulnerability in the PropertyHive WordPress plugin that a |
| 8180 | CVE-2025-9955 | 0.04% | 12.7th | 5.7 | | An improper access control vulnerability in WSO2 Enterprise Integrator allows low-privileged users t |
| 8181 | CVE-2024-45320 | 0.04% | 12.4th | 6.5 | | An out-of-bounds write vulnerability in Fujifilm DocuPrint multifunction printers allows attackers t |
| 8182 | CVE-2025-49463 | 0.04% | 12.5th | 6.5 | | An information disclosure vulnerability in Zoom iOS clients allows unauthenticated attackers to acce |
| 8183 | CVE-2025-66605 | 0.04% | 12.6th | 5.3 | | A vulnerability in Yokogawa's FAST/TOOLS software allows browser autocomplete to save sensitive inpu |
| 8184 | CVE-2025-1206 | 0.04% | 12.6th | 6.3 | | This critical SQL injection vulnerability in Codezips Gym Management System 1.0 allows remote attack |
| 8185 | CVE-2025-10876 | 0.04% | 12.4th | 5.3 | | This CVE describes a cross-site scripting (XSS) vulnerability in Talent Software e-BAP Automation th |
| 8186 | CVE-2025-14065 | 0.04% | 12.7th | 5.3 | | The Simple Bike Rental WordPress plugin has an authorization vulnerability that allows authenticated |
| 8187 | CVE-2025-43891 | 0.04% | 12.7th | 5.3 | | Dell PowerProtect Data Domain systems using vulnerable DD OS versions contain a broken cryptographic |
| 8188 | CVE-2025-39363 | 0.04% | 12.6th | 6.5 | | This stored XSS vulnerability in the Custom Login and Registration WordPress plugin allows attackers |
| 8189 | CVE-2025-54471 | 0.04% | 12.6th | 6.5 | | NeuVector containers had a hard-coded cryptographic key in source code that was replaced with the ac |
| 8190 | CVE-2025-64336 | 0.04% | 12.6th | 5.4 | | ClipBucket v5 versions 5.5.2-#146 and below contain a stored XSS vulnerability in the Manage Photos |
| 8191 | CVE-2021-43768 | 0.04% | 12.6th | 5.3 | | This vulnerability allows local attackers to escalate privileges via the COM interface in Malwarebyt |
| 8192 | CVE-2025-14518 | 0.04% | 12.6th | 6.3 | | This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in PowerJob's network request |
| 8193 | CVE-2025-11917 | 0.04% | 12.7th | 6.4 | | The WPeMatico RSS Feed Fetcher plugin for WordPress has a Server-Side Request Forgery (SSRF) vulnera |
| 8194 | CVE-2025-66099 | 0.04% | 12.6th | 5.3 | | This CVE describes a missing authorization vulnerability in the ThemeAtelier Chat Help WordPress plu |
| 8195 | CVE-2025-43913 | 0.04% | 12.6th | 5.3 | | Dell PowerProtect Data Domain systems running affected DD OS versions contain a broken cryptographic |
| 8196 | CVE-2025-66107 | 0.04% | 12.6th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Subscriptions & Memberships for PayP |
| 8197 | CVE-2025-60266 | 0.04% | 12.7th | 6.5 | | This SQL injection vulnerability in xckk v9.6 allows attackers to manipulate database queries throug |
| 8198 | CVE-2025-67851 | 0.04% | 12.7th | 6.1 | | A formula injection vulnerability in Moodle allows remote attackers to embed malicious formulas in e |
| 8199 | CVE-2025-66109 | 0.04% | 12.6th | 5.3 | | This CVE describes a missing authorization vulnerability in the Cart Weight for WooCommerce plugin t |
| 8200 | CVE-2025-66110 | 0.04% | 12.6th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the bPlugins Tiktok Feed WordPress plugi |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
