Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 8401 | CVE-2025-41750 | | 32.8th | 7.1 | | An unauthenticated cross-site scripting (XSS) vulnerability in pxc_PortCfg.php allows attackers to t |
| 8402 | CVE-2025-41748 | | 32.8th | 7.1 | | An unauthenticated cross-site scripting (XSS) vulnerability in pxc_Dot1xCfg.php allows attackers to |
| 8403 | CVE-2025-41747 | | 32.8th | 7.1 | | An unauthenticated cross-site scripting (XSS) vulnerability in pxc_vlanIntfCfg.php allows attackers |
| 8404 | CVE-2025-41746 | | 32.8th | 7.1 | | An unauthenticated cross-site scripting (XSS) vulnerability in pxc_portSecCfg.php allows attackers t |
| 8405 | CVE-2025-41694 | | 32.9th | 6.5 | | A low-privileged remote attacker can send a webshell request with an empty command containing whites |
| 8406 | CVE-2025-66399 | | 32.9th | 8.8 | | This vulnerability allows authenticated Cacti users to inject malicious SNMP community strings conta |
| 8407 | CVE-2025-14741 | | 32.8th | 9.1 | | The Frontend Admin by DynamiApps WordPress plugin has an authorization bypass vulnerability that all |
| 8408 | CVE-2026-21675 | | 32.9th | 9.8 | | CVE-2026-21675 is a use-after-free vulnerability in iccDEV's CIccXform::Create() function that can l |
| 8409 | CVE-2024-40676 | | 32.7th | 7.7 | | This Android vulnerability allows attackers to bypass intent security checks in AccountManagerServic |
| 8410 | CVE-2024-57041 | | 32.6th | 4.6 | | A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows authenticated users t |
| 8411 | CVE-2025-24728 | | 32.7th | 8.5 | | This SQL injection vulnerability in the Bug Library WordPress plugin allows attackers to execute arb |
| 8412 | CVE-2025-0563 | | 32.6th | 6.3 | | CVE-2025-0563 is a critical SQL injection vulnerability in Fantasy-Cricket 1.0 that allows remote at |
| 8413 | CVE-2025-0561 | | 32.6th | 6.3 | | This critical SQL injection vulnerability in itsourcecode Farm Management System 1.0 allows remote a |
| 8414 | CVE-2025-23911 | | 32.7th | 8.5 | | This SQL injection vulnerability in the Solidres Hotel Booking WordPress plugin allows attackers to |
| 8415 | CVE-2025-23785 | | 32.7th | 4.3 | | This CVE describes a missing authorization vulnerability in the August Infotech AI Responsive Galler |
| 8416 | CVE-2025-0299 | | 32.6th | 6.3 | | A critical SQL injection vulnerability in code-projects Online Book Shop 1.0 allows remote attackers |
| 8417 | CVE-2025-0298 | | 32.6th | 6.3 | | CVE-2025-0298 is a critical SQL injection vulnerability in code-projects Online Book Shop 1.0 that a |
| 8418 | CVE-2025-25945 | | 32.6th | 6.5 | | This vulnerability in Bento4 v1.6.0-641 allows attackers to read sensitive information from memory t |
| 8419 | CVE-2025-25942 | | 32.6th | 6.5 | | A memory leak vulnerability in Bento4's mp4fragment tool allows attackers to cause information discl |
| 8420 | CVE-2025-1228 | | 32.7th | 4.3 | | This vulnerability allows remote attackers to perform path traversal attacks in olajowon Loggrove's |
| 8421 | CVE-2025-25203 | | 32.6th | 8.1 | | This Cross-Site Scripting (XSS) vulnerability in CtrlPanel allows attackers to inject malicious scri |
| 8422 | CVE-2025-1113 | | 32.6th | 6.3 | | This critical vulnerability in tarzan-cms allows remote attackers to execute arbitrary code through |
| 8423 | CVE-2025-1703 | | 32.6th | 6.4 | | The Ultimate Blocks WordPress plugin has a stored XSS vulnerability that allows authenticated attack |
| 8424 | CVE-2025-22474 | | 32.6th | 6.8 | | This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Dell SmartFabric OS10 Softw |
| 8425 | CVE-2024-11640 | | 32.7th | 8.8 | | The VikRentCar WordPress plugin has a CSRF vulnerability that allows attackers to escalate privilege |
| 8426 | CVE-2025-46342 | | 32.7th | 8.5 | | This vulnerability in Kyverno allows attackers with Kubernetes API access to bypass security-critica |
| 8427 | CVE-2025-45835 | | 32.7th | 7.5 | | A null pointer dereference vulnerability in Netis WF2880 routers allows attackers to cause denial-of |
| 8428 | CVE-2025-49454 | | 32.6th | 8.1 | | This CVE describes a PHP Local File Inclusion vulnerability in the TinySalt WordPress theme. Attacke |
| 8429 | CVE-2025-48126 | | 32.6th | 8.1 | | This vulnerability allows attackers to include local files on the server through improper filename c |
| 8430 | CVE-2025-28992 | | 32.6th | 8.1 | | This vulnerability allows attackers to include local files on the server through improper filename c |
| 8431 | CVE-2025-28944 | | 32.6th | 8.1 | | This vulnerability allows attackers to include local files on the server through improper filename c |
| 8432 | CVE-2025-27362 | | 32.6th | 8.1 | | This vulnerability allows attackers to include local files on the server through improper filename c |
| 8433 | CVE-2025-24770 | | 32.6th | 8.1 | | This vulnerability allows attackers to include local files on the server through improper filename c |
| 8434 | CVE-2023-25999 | | 32.6th | 8.1 | | This vulnerability allows attackers to include local files on the server through improper filename c |
| 8435 | CVE-2025-47586 | | 32.6th | 9.0 | | This CVE describes an unauthenticated Local File Inclusion vulnerability in the WordPress Motors - E |
| 8436 | CVE-2025-54365 | | 32.7th | 7.5 | | CVE-2025-54365 is a regular expression denial-of-service (ReDoS) vulnerability in fastapi-guard vers |
| 8437 | CVE-2025-52379 | | 32.7th | 5.4 | | This vulnerability allows authenticated attackers to execute arbitrary operating system commands on |
| 8438 | CVE-2025-57767 | | 32.6th | 7.5 | | This vulnerability in Asterisk allows remote attackers to cause a denial of service (crash) by sendi |
| 8439 | CVE-2025-53037 | | 32.7th | 9.8 | | An unauthenticated remote code execution vulnerability in Oracle Financial Services Analytical Appli |
| 8440 | CVE-2025-54805 | | 32.7th | 6.5 | | This vulnerability in F5 BIG-IP systems causes memory resource exhaustion in the Traffic Management |
| 8441 | CVE-2025-47150 | | 32.7th | 6.5 | | This vulnerability allows attackers to send specific SNMP requests to F5OS Appliance and Chassis sys |
| 8442 | CVE-2025-47148 | | 32.7th | 6.5 | | This vulnerability affects BIG-IP systems configured as both SAML service provider and identity prov |
| 8443 | CVE-2025-55693 | | 32.7th | 7.4 | | This CVE describes a use-after-free vulnerability in the Windows Kernel that allows a local attacker |
| 8444 | CVE-2025-55681 | | 32.7th | 7.0 | | This vulnerability allows an authorized attacker to perform an out-of-bounds read in Windows Desktop |
| 8445 | CVE-2025-60833 | | 32.6th | 6.5 | | This XML External Entity (XXE) vulnerability in the uzy-ssm-mall e-commerce platform allows attacker |
| 8446 | CVE-2025-61588 | | 32.7th | N/A | | This vulnerability in RISC Zero's zkVM platform allows a malicious host to write arbitrary data to g |
| 8447 | CVE-2025-63807 | | 32.6th | 9.8 | | This vulnerability allows unauthenticated attackers to brute-force verification codes due to weak ge |
| 8448 | CVE-2025-11994 | | 32.6th | 7.2 | | The Easy Email Subscription WordPress plugin has a stored XSS vulnerability in the 'name' parameter |
| 8449 | CVE-2025-12967 | | 32.6th | 8.0 | | This vulnerability in AWS Wrappers for Amazon Aurora PostgreSQL allows low-privilege authenticated d |
| 8450 | CVE-2026-1162 | | 32.7th | 9.8 | | This vulnerability allows remote attackers to execute arbitrary code on UTT HiPER 810 routers by exp |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, making it well suited to prioritizing which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.