Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:
- 164 CVEs with EPSS > 50%
- 156 CISA KEV listed
- 35,468 CVEs with an EPSS score
- 0.7% average EPSS score
Rank | CVE ID | EPSS Score | Percentile | CVSS | Summary
8301 | CVE-2025-22669 | 0.04% | 12.2 | 4.3 | This CSRF vulnerability in the Awesome Event Booking WordPress plugin allows attackers to trick auth
8302 | CVE-2025-62715 | 0.04% | 12.1 | 5.4 | ClipBucket v5 versions 5.5.2-#147 and below contain a stored XSS vulnerability in the Collection tag
8303 | CVE-2025-2796 | 0.04% | 12.3 | 5.3 | Arista EOS devices with hardware IPSec support and anti-replay protection configured may forward dup
8304 | CVE-2024-7142 | 0.04% | 12.1 | 4.6 | This vulnerability affects Arista CloudVision Appliance (CVA) DCA-350E-CV models where hardware disk
8305 | CVE-2026-25566 | 0.04% | 12.2 | 5.4 | This CVE describes an authorization vulnerability in WeKan's card movement functionality. Users can
8306 | CVE-2025-14356 | 0.04% | 12.1 | 4.3 | The Ultra Addons for Contact Form 7 WordPress plugin has an authorization bypass vulnerability that
8307 | CVE-2025-15144 | 0.04% | 12.1 | 4.3 | This is a cross-site scripting (XSS) vulnerability in XunRuiCMS that allows attackers to inject mali
8308 | CVE-2025-11933 | 0.04% | 12.2 | 6.5 | A vulnerability in wolfSSL's TLS 1.3 CKS extension parsing allows remote attackers to cause denial-o
8309 | CVE-2022-50682 | 0.04% | 12.2 | 6.5 | A CRLF injection vulnerability in Kentico Xperience's routing engine allows attackers to manipulate
8310 | CVE-2025-66056 | 0.04% | 12.1 | 4.3 | This vulnerability in the Uncanny Automator WordPress plugin allows unauthorized users to retrieve e
8311 | CVE-2025-8874 | 0.04% | 12.2 | 6.4 | This vulnerability allows authenticated attackers with Contributor-level access or higher to inject
8312 | CVE-2025-70311 | 0.04% | 12.3 | 6.5 | JEEWMS 1.0 contains a SQL injection vulnerability in the /systemControl.do interface where attackers
8313 | CVE-2025-59575 | 0.04% | 12.1 | 5.0 | This vulnerability in MasterStudy LMS WordPress plugin allows unauthorized users to retrieve embedde
8314 | CVE-2025-6987 | 0.04% | 12.2 | 6.4 | The Advanced iFrame WordPress plugin has a stored XSS vulnerability that allows authenticated attack
8315 | CVE-2025-59578 | 0.04% | 12.2 | 5.8 | This vulnerability in ShopMagic for WooCommerce allows attackers to retrieve embedded sensitive data
8316 | CVE-2026-1424 | 0.04% | 12.2 | 4.7 | CVE-2026-1424 is an unrestricted file upload vulnerability in PHPGurukul News Portal 1.0's Profile P
8317 | CVE-2025-47664 | 0.04% | 12.2 | 4.4 | This SSRF vulnerability in ThimPress WP Pipes WordPress plugin allows attackers to make unauthorized
8318 | CVE-2025-48377 | 0.04% | 12.3 | 5.4 | This Cross-Site Scripting (XSS) vulnerability in DNN CMS allows attackers to inject malicious script
8319 | CVE-2025-64302 | 0.04% | 12.1 | 6.4 | This CVE describes a cross-site scripting (XSS) vulnerability in dashboard components where insuffic
8320 | CVE-2025-9500 | 0.04% | 12.2 | 6.4 | The TablePress WordPress plugin has a stored cross-site scripting vulnerability that allows authenti
8321 | CVE-2025-4133 | 0.04% | 12.2 | 5.4 | This vulnerability allows users with contributor-level permissions in WordPress to inject malicious
8322 | CVE-2025-43799 | 0.04% | 12.3 | 6.5 | This vulnerability allows remote users to access and edit content via APIs before changing their ini
8323 | CVE-2025-7732 | 0.04% | 12.2 | 6.4 | The Lazy Load for Videos WordPress plugin has a stored cross-site scripting vulnerability in version
8324 | CVE-2025-22637 | 0.04% | 12.2 | 4.3 | This CSRF vulnerability in verkkovaraani Print PDF Generator and Publisher WordPress plugin allows a
8325 | CVE-2026-24674 | 0.04% | 12.1 | 4.7 | CVE-2026-24674 is a reflected cross-site scripting vulnerability in Open eClass (formerly GUnet eCla
8326 | CVE-2025-9126 | 0.04% | 12.2 | 6.4 | The Smart Table Builder WordPress plugin has a stored XSS vulnerability in all versions up to 1.0.1.
8327 | CVE-2025-14889 | 0.04% | 12.2 | 5.4 | CVE-2025-14889 is an authorization bypass vulnerability in Campcodes Advanced Voting Management Syst
8328 | CVE-2025-37929 | 0.04% | 12.2 | 5.5 | A missing sentinel entry in ARM64 Spectre-BHB workaround arrays in the Linux kernel causes a kernel
8329 | CVE-2023-54328 | 0.04% | 12.3 | 6.5 | AimOne Video Converter 2.04 Build 103 contains a buffer overflow vulnerability in its registration f
8330 | CVE-2025-9400 | 0.04% | 12.4 | 6.3 | This vulnerability in YiFang CMS allows remote attackers to upload arbitrary files without restricti
8331 | CVE-2025-6981 | 0.04% | 12.3 | 4.3 | An incorrect authorization vulnerability in GitHub Enterprise Server allowed contractor accounts to
8332 | CVE-2025-53983 | 0.04% | 12.3 | 6.5 | This vulnerability in Crocoblock JetElements For Elementor WordPress plugin allows attackers to retr
8333 | CVE-2025-53985 | 0.04% | 12.3 | 6.5 | CVE-2025-53985 is a sensitive data exposure vulnerability in the Crocoblock JetTabs WordPress plugin
8334 | CVE-2026-24771 | 0.04% | 12.1 | 4.7 | This Cross-Site Scripting (XSS) vulnerability in Hono's ErrorBoundary component allows attackers to
8335 | CVE-2025-53987 | 0.04% | 12.3 | 6.5 | This vulnerability in Crocoblock JetMenu WordPress plugin allows attackers to retrieve embedded sens
8336 | CVE-2025-64061 | 0.04% | 12.1 | 4.3 | Primakon Pi Portal 1.0.18's /api/v2/users endpoint lacks proper access controls, allowing any authen
8337 | CVE-2025-53988 | 0.04% | 12.3 | 6.5 | This vulnerability in Crocoblock JetBlocks For Elementor WordPress plugin allows attackers to retrie
8338 | CVE-2025-53992 | 0.04% | 12.3 | 6.5 | This vulnerability in Crocoblock JetTricks WordPress plugin allows attackers to retrieve embedded se
8339 | CVE-2025-48025 | 0.04% | 12.3 | 4.3 | An improper access control vulnerability in Samsung Exynos processors allows unauthorized access to
8340 | CVE-2025-53993 | 0.04% | 12.3 | 6.5 | This vulnerability in Crocoblock's JetPopup WordPress plugin allows attackers to retrieve embedded s
8341 | CVE-2025-53998 | 0.04% | 12.3 | 6.5 | This vulnerability in Crocoblock JetWooBuilder WordPress plugin allows attackers to retrieve embedde
8342 | CVE-2025-3660 | 0.04% | 12.2 | 6.5 | This CVE describes a broken access control vulnerability in the Petlibro Smart Pet Feeder Platform t
8343 | CVE-2025-36081 | 0.04% | 12.2 | 5.3 | IBM Concert Software versions 1.0.0 through 2.0.0 contain a log injection vulnerability (CWE-117) th
8344 | CVE-2025-54685 | 0.04% | 12.3 | 6.5 | This vulnerability in the SureDash WordPress plugin allows attackers to retrieve embedded sensitive
8345 | CVE-2025-13722 | 0.04% | 12.0 | 5.3 | This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to cr
8346 | CVE-2022-49597 | 0.04% | 12.0 | 4.7 | This CVE describes a race condition vulnerability in the Linux kernel's TCP implementation where con
8347 | CVE-2025-67562 | 0.04% | 12.1 | 5.3 | This CVE describes a missing authorization vulnerability in the Image Caption Hover Pro WordPress pl
8348 | CVE-2025-67563 | 0.04% | 12.1 | 5.3 | This CVE describes a Missing Authorization vulnerability in the Post SMTP WordPress plugin that allo
8349 | CVE-2025-5589 | 0.04% | 11.9 | 6.4 | This stored XSS vulnerability in the StreamWeasels Kick Integration WordPress plugin allows authenti
8350 | CVE-2025-3218 | 0.04% | 11.8 | 5.4 | IBM i Netserver has authentication and authorization validation flaws that could allow attackers to

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation — making it well suited to prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
