Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:
- 164 CVEs with EPSS > 50%
- 156 CISA KEV listed
- 35,468 CVEs with EPSS
- 0.7% average EPSS score
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|------|--------|------------|------------|------|-------|---------|
| 8201 | CVE-2026-0386 | 0.14% | 33.4th | 7.5 | | This vulnerability allows an unauthorized attacker on an adjacent network to execute arbitrary code |
| 8202 | CVE-2025-53592 | 0.14% | 33.4th | 6.5 | | A NULL pointer dereference vulnerability in QNAP operating systems allows authenticated remote attac |
| 8203 | CVE-2025-44013 | 0.14% | 33.4th | 6.5 | | A NULL pointer dereference vulnerability in QNAP operating systems allows authenticated remote attac |
| 8204 | CVE-2025-0753 | 0.13% | 33.3th | 6.3 | | A critical heap-based buffer overflow vulnerability in Axiomatic Bento4's mp42aac component allows r |
| 8205 | CVE-2025-24782 | 0.13% | 33.3th | 6.5 | | This vulnerability allows attackers to include local files on the server through improper filename c |
| 8206 | CVE-2025-24361 | 0.13% | 33.3th | 5.3 | | This vulnerability allows attackers to steal source code from Nuxt applications during development w |
| 8207 | CVE-2025-21554 | 0.13% | 33.3th | 5.3 | | An unauthenticated attacker can exploit this vulnerability via HTTP to read sensitive data from Orac |
| 8208 | CVE-2025-0441 | 0.13% | 33.2th | 6.5 | | This vulnerability in Google Chrome's Fenced Frames implementation allows attackers to extract poten |
| 8209 | CVE-2023-24012 | 0.13% | 33.3th | 8.2 | | This vulnerability allows attackers with valid certificates to craft malicious DDS Participants or R |
| 8210 | CVE-2023-24011 | 0.13% | 33.3th | 8.2 | | This vulnerability allows attackers with valid certificates to create malicious DDS Participants or |
| 8211 | CVE-2023-24010 | 0.13% | 33.3th | 8.2 | | This vulnerability allows attackers with valid certificates to craft malicious DDS Participants or R |
| 8212 | CVE-2025-0340 | 0.13% | 33.2th | 7.3 | | This critical SQL injection vulnerability in Cinema Seat Reservation System 1.0 allows attackers to |
| 8213 | CVE-2024-45553 | 0.13% | 33.2th | 7.8 | | This CVE describes a use-after-free vulnerability in Qualcomm components where memory corruption can |
| 8214 | CVE-2024-21464 | 0.13% | 33.2th | 8.4 | | This CVE describes a memory corruption vulnerability in Qualcomm's IPA (IP Accelerator) statistics p |
| 8215 | CVE-2024-37925 | 0.13% | 33.3th | 5.4 | | This CSRF vulnerability in BuddyBoss Theme allows attackers to trick authenticated users into perfor |
| 8216 | CVE-2024-37438 | 0.13% | 33.3th | 5.4 | | A Cross-Site Request Forgery (CSRF) vulnerability in Uncanny Toolkit Pro for LearnDash WordPress plu |
| 8217 | CVE-2024-37508 | 0.13% | 33.2th | 4.3 | | This CSRF vulnerability in the Rara Theme Construction Landing Page WordPress theme allows attackers |
| 8218 | CVE-2025-23405 | 0.13% | 33.2th | 5.3 | | This vulnerability involves improper output neutralization for logs (CWE-117) in DarioHealth medical |
| 8219 | CVE-2025-26935 | 0.13% | 33.2th | 7.5 | | This CVE describes a path traversal vulnerability in the WP Job Portal WordPress plugin that allows |
| 8220 | CVE-2023-51305 | 0.13% | 33.1th | 5.4 | | PHPJabbers Car Park Booking System v3.0 contains multiple stored cross-site scripting vulnerabilitie |
| 8221 | CVE-2025-25994 | 0.13% | 33.3th | 7.5 | | This SQL injection vulnerability in FeMiner wms 1.0 allows remote attackers to execute arbitrary SQL |
| 8222 | CVE-2024-38307 | 0.13% | 33.3th | 7.7 | | This vulnerability in Intel AMT and Standard Manageability firmware allows authenticated users to ca |
| 8223 | CVE-2025-24896 | 0.13% | 33.3th | 8.1 | | Misskey versions 12.109.0 through 2025.2.0-alpha.0 fail to delete authentication tokens from cookies |
| 8224 | CVE-2025-28096 | 0.13% | 33.3th | 5.4 | | OneNav 1.1.0 contains a Server-Side Request Forgery (SSRF) vulnerability in custom headers functiona |
| 8225 | CVE-2025-2319 | 0.13% | 33.1th | 8.8 | | This CSRF vulnerability in the EZ SQL Reports Shortcode Widget and DB Backup WordPress plugin allows |
| 8226 | CVE-2025-48336 | 0.13% | 33.2th | 9.8 | | A deserialization vulnerability in ThimPress Course Builder WordPress theme allows attackers to inje |
| 8227 | CVE-2025-47568 | 0.13% | 33.2th | 9.8 | | This CVE describes a PHP object injection vulnerability in the ZoomSounds WordPress plugin that allo |
| 8228 | CVE-2025-47530 | 0.13% | 33.2th | 9.8 | | This vulnerability allows attackers to inject malicious PHP objects through deserialization of untru |
| 8229 | CVE-2025-39503 | 0.13% | 33.2th | 9.8 | | This vulnerability allows remote attackers to execute arbitrary code via PHP object injection throug |
| 8230 | CVE-2025-39500 | 0.13% | 33.2th | 9.8 | | This vulnerability allows remote attackers to execute arbitrary code through PHP object injection vi |
| 8231 | CVE-2025-39495 | 0.13% | 33.2th | 9.8 | | A PHP object injection vulnerability in the BoldThemes Avantage WordPress theme allows attackers to |
| 8232 | CVE-2025-39480 | 0.13% | 33.2th | 9.8 | | This vulnerability allows attackers to execute arbitrary code on WordPress sites using the Car Deale |
| 8233 | CVE-2025-32292 | 0.13% | 33.2th | 9.8 | | This vulnerability allows remote attackers to execute arbitrary code on WordPress sites using the Ja |
| 8234 | CVE-2025-31927 | 0.13% | 33.2th | 9.8 | | CVE-2025-31927 is a PHP object injection vulnerability in the Acerola WordPress theme that allows at |
| 8235 | CVE-2025-31631 | 0.13% | 33.2th | 9.8 | | This CVE describes a PHP object injection vulnerability in the Fish House WordPress theme due to ins |
| 8236 | CVE-2025-31423 | 0.13% | 33.2th | 9.8 | | CVE-2025-31423 is a PHP object injection vulnerability in the Umberto WordPress theme that allows at |
| 8237 | CVE-2025-31069 | 0.13% | 33.2th | 9.8 | | This vulnerability allows attackers to inject malicious objects through deserialization of untrusted |
| 8238 | CVE-2025-31049 | 0.13% | 33.2th | 9.8 | | CVE-2025-31049 is a PHP object injection vulnerability in the Dash WordPress theme that allows attac |
| 8239 | CVE-2025-24977 | 0.13% | 33.2th | 9.1 | | OpenCTI versions before 6.4.11 contain a critical vulnerability where users with 'manage customizati |
| 8240 | CVE-2025-36595 | 0.13% | 33.2th | 7.2 | | Dell Unisphere for PowerMax vApp version 9.2.4.x contains a static code injection vulnerability that |
| 8241 | CVE-2026-1358 | 0.13% | 33.1th | 9.8 | | Airleader Master versions 6.381 and prior have unrestricted file upload functionality on multiple we |
| 8242 | CVE-2025-7641 | 0.13% | 33.2th | 7.5 | | The Assistant for NextGEN Gallery WordPress plugin has an unauthenticated directory deletion vulnera |
| 8243 | CVE-2025-20334 | 0.13% | 33.2th | 8.8 | | A command injection vulnerability in Cisco IOS XE's HTTP API allows authenticated attackers or socia |
| 8244 | CVE-2025-54101 | 0.13% | 33.2th | 4.8 | | A use-after-free vulnerability in Windows SMBv3 Client allows authenticated attackers to execute arb |
| 8245 | CVE-2025-48530 | 0.13% | 33.3th | 8.1 | | CVE-2025-48530 is an out-of-bounds memory access vulnerability in Android that could allow remote co |
| 8246 | CVE-2025-12450 | 0.13% | 33.2th | 6.1 | | The LiteSpeed Cache WordPress plugin has a reflected cross-site scripting vulnerability that allows |
| 8247 | CVE-2025-12017 | 0.13% | 33.2th | 6.1 | | The VNPAY Payment gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) |
| 8248 | CVE-2025-9163 | 0.13% | 33.2th | 6.1 | | The Houzez WordPress theme allows unauthenticated attackers to upload malicious SVG files containing |
| 8249 | CVE-2025-11885 | 0.13% | 33.2th | 6.1 | | The EchBay Admin Security WordPress plugin is vulnerable to reflected cross-site scripting (XSS) via |
| 8250 | CVE-2025-12079 | 0.13% | 33.2th | 6.1 | | The WP Twitter Auto Publish WordPress plugin contains a reflected cross-site scripting (XSS) vulnera |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published every month, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with a 0.1% EPSS score may be less urgent than a high CVSS 7.5 vulnerability with a 90% EPSS score.
