Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary figures for the ranking:

164 CVEs with EPSS > 50%
156 CVEs listed in CISA KEV
35,468 CVEs with an EPSS score
0.7% average EPSS score
Rows 8401 to 8450 of the ranking (every row on this page sits at 0.04% EPSS, roughly the 12th percentile). The Flags column is empty for every row shown and is omitted; summaries are truncated as on the source page.

Rank | CVE ID | EPSS Score | Percentile | CVSS | Summary
8401 | CVE-2025-8792 | 0.04% | 11.8th | 4.3 | This vulnerability in LitmusChaos Litmus allows attackers to bypass server-side security controls th
8402 | CVE-2025-9638 | 0.04% | 12th | 4.8 | This stored XSS vulnerability in Portabilis i-Educar allows attackers to inject malicious scripts vi
8403 | CVE-2023-54343 | 0.04% | 12th | 6.4 | QWE DL 2.0.1 mobile web application has a persistent cross-site scripting (XSS) vulnerability in pat
8404 | CVE-2025-9901 | 0.04% | 12.1th | 5.9 | A vulnerability in libsoup's SoupCache ignores the HTTP Vary header when evaluating cached responses
8405 | CVE-2025-10543 | 0.04% | 12.1th | 5.3 | This vulnerability in Eclipse Paho Go MQTT library allows UTF-8 strings longer than 65535 bytes to b
8406 | CVE-2025-6860 | 0.04% | 12th | 6.3 | This critical SQL injection vulnerability in SourceCodester Best Salon Management System 1.0 allows
8407 | CVE-2025-68915 | 0.04% | 12th | 5.5 | This vulnerability allows cross-site scripting (XSS) attacks through the login banner functionality
8408 | CVE-2025-62033 | 0.04% | 11.9th | 6.5 | This CVE describes a missing authorization (broken access control) vulnerability in the uxper Togo W
8409 | CVE-2025-6862 | 0.04% | 12th | 6.3 | This critical SQL injection vulnerability in SourceCodester Best Salon Management System 1.0 allows
8410 | CVE-2025-9822 | 0.04% | 12th | 5.5 | This vulnerability allows administrators in Mautic to modify application configuration and extract s
8411 | CVE-2024-49294 | 0.04% | 12th | 4.3 | This Cross-Site Request Forgery (CSRF) vulnerability in the MagePeople Team Bus Ticket Booking with
8412 | CVE-2025-65238 | 0.04% | 11.9th | 6.5 | This vulnerability allows attackers with low-level privileges in OpenCode Systems USSD Gateway to by
8413 | CVE-2025-6333 | 0.04% | 12th | 6.3 | This critical SQL injection vulnerability in PHPGurukul Directory Management System 2.0 allows remot
8414 | CVE-2025-66139 | 0.04% | 11.8th | 5.4 | This CVE describes a Missing Authorization vulnerability in the Audier For Elementor WordPress plugi
8415 | CVE-2025-49618 | 0.04% | 11.8th | 5.8 | This vulnerability in Plesk Obsidian allows unauthenticated attackers to access AWS credentials via
8416 | CVE-2026-1734 | 0.04% | 11.8th | 5.3 | This vulnerability allows unauthorized remote access to the crontab endpoint in Zhong Bang CRMEB ver
8417 | CVE-2025-66141 | 0.04% | 11.8th | 5.4 | This CVE describes a Missing Authorization vulnerability in the merkulove Scroller WordPress plugin
8418 | CVE-2025-48096 | 0.04% | 11.9th | 6.5 | This CVE describes a missing authorization vulnerability in the FRESHFACE Custom CSS WordPress plugi
8419 | CVE-2025-66142 | 0.04% | 11.8th | 5.4 | This CVE describes a Missing Authorization vulnerability in the Comparimager for Elementor WordPress
8420 | CVE-2025-66143 | 0.04% | 11.8th | 5.4 | This CVE describes a Missing Authorization vulnerability in the merkulove Crumber Elementor WordPres
8421 | CVE-2025-69202 | 0.04% | 11.9th | 6.5 | Axios Cache Interceptor versions before 1.11.1 incorrectly cache responses without considering Autho
8422 | CVE-2025-37992 | 0.04% | 11.8th | 5.5 | A NULL pointer dereference vulnerability in the Linux kernel's network scheduler (net_sched) occurs
8423 | CVE-2025-12621 | 0.04% | 11.8th | 5.3 | This vulnerability in the Flexible Refund and Return Order for WooCommerce WordPress plugin allows a
8424 | CVE-2025-49348 | 0.04% | 12th | 5.3 | This CVE describes a Missing Authorization vulnerability in the Hype Hype pico WordPress plugin that
8425 | CVE-2025-40700 | 0.04% | 12.1th | 6.1 | This reflected XSS vulnerability in IDI Eikon's Governalia allows attackers to execute malicious Jav
8426 | CVE-2026-1107 | 0.04% | 12.1th | 6.3 | This vulnerability in EyouCMS allows attackers to perform unrestricted file uploads via manipulation
8427 | CVE-2026-0676 | 0.04% | 12th | 5.3 | This CVE describes a Missing Authorization vulnerability in the Zorka WordPress theme by G5Theme, al
8428 | CVE-2025-60511 | 0.04% | 11.8th | 4.3 | The Moodle OpenAI Chat Block plugin has an Insecure Direct Object Reference vulnerability that allow
8429 | CVE-2025-6884 | 0.04% | 12th | 6.3 | A critical SQL injection vulnerability exists in code-projects Staff Audit System 1.0 through the /s
8430 | CVE-2025-41086 | 0.04% | 11.9th | 6.5 | This vulnerability allows attackers to generate unlimited valid licenses for the GAMS licensing syst
8431 | CVE-2025-54561 | 0.04% | 11.8th | 4.3 | An incorrect access control vulnerability in Desktop Alert PingAlert's Application Server (versions
8432 | CVE-2025-66939 | 0.04% | 11.9th | 5.4 | This Cross-Site Scripting vulnerability in 66biolinks allows attackers to inject malicious scripts v
8433 | CVE-2025-62085 | 0.04% | 12th | 5.3 | This CVE describes a Missing Authorization vulnerability in the BERTHA AI WordPress plugin that allo
8434 | CVE-2025-15087 | 0.04% | 11.8th | 4.3 | This vulnerability allows improper authorization in the submitOrderPayment function of youlai-mall,
8435 | CVE-2025-7159 | 0.04% | 12th | 6.3 | This critical SQL injection vulnerability in PHPGurukul Zoo Management System 2.1 allows attackers t
8436 | CVE-2025-62100 | 0.04% | 12th | 5.3 | This vulnerability allows attackers to bypass authorization controls in the ThemeRain Core WordPress
8437 | CVE-2025-68436 | 0.04% | 11.8th | 6.5 | This vulnerability allows authenticated users on Craft CMS installations to expose sensitive assets
8438 | CVE-2025-12921 | 0.04% | 12.1th | 4.3 | This XML injection vulnerability in OpenClinica Community Edition allows attackers to manipulate XML
8439 | CVE-2023-38327 | 0.04% | 12th | 5.3 | This CVE describes a user enumeration vulnerability in eGroupWare's calendar/freebusy.php endpoint.
8440 | CVE-2025-7162 | 0.04% | 12th | 6.3 | This critical SQL injection vulnerability in PHPGurukul Zoo Management System 2.1 allows remote atta
8441 | CVE-2025-12512 | 0.04% | 11.8th | 4.3 | The GenerateBlocks WordPress plugin up to version 2.1.2 has an information exposure vulnerability th
8442 | CVE-2025-4127 | 0.04% | 11.8th | 6.4 | This vulnerability allows authenticated WordPress users with Contributor-level access or higher to i
8443 | CVE-2025-62138 | 0.04% | 12th | 5.3 | This vulnerability allows attackers to bypass authorization checks in the WP Advanced PDF WordPress
8444 | CVE-2025-3888 | 0.04% | 11.8th | 6.4 | The Jupiter X Core WordPress plugin has a stored XSS vulnerability in SVG file handling that allows
8445 | CVE-2025-13403 | 0.04% | 12th | 5.3 | This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to mo
8446 | CVE-2025-62738 | 0.04% | 12th | 5.3 | This CVE describes a Missing Authorization vulnerability in the Formstack Online Forms WordPress plu
8447 | CVE-2025-49349 | 0.04% | 12th | 5.3 | This CVE describes a missing authorization vulnerability in the Reuters Direct WordPress plugin that
8448 | CVE-2026-1597 | 0.04% | 12.1th | 6.3 | This vulnerability in Bdtask SalesERP allows attackers to bypass authorization controls by manipulat
8449 | CVE-2025-14056 | 0.04% | 12th | 4.4 | This stored XSS vulnerability in the Custom Post Type UI WordPress plugin allows authenticated admin
8450 | CVE-2025-62081 | 0.04% | 12th | 5.3 | This CVE describes a Missing Authorization vulnerability in the Channelize.Io Live Shopping & Shoppa

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, which makes it useful for deciding which vulnerabilities to patch first. A score is a probability between 0% and 100%; the percentile column in the table above is the CVE's rank relative to all scored CVEs, so an entry at the 12th percentile scores at or above roughly 12% of scored CVEs. Scores are recomputed daily, so a stored score should be refreshed rather than reused.

Why EPSS matters: with thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS. EPSS says nothing about impact or about whether the vulnerable component is reachable in your environment, so it works best alongside CVSS and the CISA KEV catalog (which records confirmed exploitation) rather than on its own.
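The prioritisation described above, as an added example that is not part of this page or of FIRST.org's tooling. The EPSS payload is a constructed sample in the shape of the FIRST EPSS API response (GET https://api.first.org/data/v1/epss?cve=...), and the CVSS scores, KEV membership and placeholder CVE ids are constructed for illustration; the tier thresholds are assumptions to tune per organisation. The script also handles a CVE that has no EPSS score yet, which is common for freshly published ids.

```python
"""Rank CVEs for patching by EPSS, CVSS and CISA KEV listing.

Added example, not code from this page or from FIRST.org. The EPSS payload
below is a constructed sample in the shape of the FIRST EPSS API response
(GET https://api.first.org/data/v1/epss?cve=CVE-...); the CVSS scores, the
KEV membership and the placeholder CVE ids are constructed for illustration.
The tier thresholds are assumptions to tune per organisation.
"""
import json
from typing import Optional

EPSS_HIGH = 0.10  # assumption: >= 10% chance of exploitation in 30 days means "patch now"
EPSS_LOW = 0.01   # assumption: below 1%, urgency is driven by CVSS alone

# Constructed sample; the real API returns epss and percentile as decimal strings.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-0000-0001", "epss": "0.00100", "percentile": "0.41", "date": "2026-01-15"},
        {"cve": "CVE-0000-0002", "epss": "0.90000", "percentile": "0.99", "date": "2026-01-15"},
        {"cve": "CVE-0000-0003", "epss": "0.00040", "percentile": "0.12", "date": "2026-01-15"},
        {"cve": "CVE-0000-0004", "epss": "0.05000", "percentile": "0.93", "date": "2026-01-15"},
    ],
})
# Constructed: what a scanner reported for the same hosts, and which ids KEV lists.
SAMPLE_CVSS = {
    "CVE-0000-0001": 9.8,  # critical severity but 0.1% EPSS (the comparison made above)
    "CVE-0000-0002": 7.5,  # high severity with 90% EPSS
    "CVE-0000-0003": 6.3,
    "CVE-0000-0004": 5.3,
    "CVE-0000-0005": 7.2,  # absent from the EPSS feed (e.g. published today)
}
SAMPLE_KEV = {"CVE-0000-0004"}


def parse_epss_response(raw_json: str) -> dict[str, tuple[float, float]]:
    """Map CVE id -> (epss, percentile). Rejects a non-OK status and out-of-range
    values rather than silently ranking on garbage."""
    body = json.loads(raw_json)
    if body.get("status") != "OK":
        raise ValueError(f"EPSS lookup failed: status={body.get('status')!r}")
    scores: dict[str, tuple[float, float]] = {}
    for row in body.get("data", []):
        epss, pct = float(row["epss"]), float(row["percentile"])
        if not (0.0 <= epss <= 1.0 and 0.0 <= pct <= 1.0):
            raise ValueError(f"out-of-range EPSS values for {row['cve']}")
        scores[row["cve"]] = (epss, pct)
    return scores


def assign_tier(epss: Optional[float], cvss: float, kev: bool) -> int:
    """1 = patch now, 2 = this cycle, 3 = backlog.
    KEV listing is confirmed exploitation and overrides everything else;
    a missing EPSS score (CVE not yet scored) falls back to CVSS alone."""
    if kev:
        return 1
    if epss is not None and epss >= EPSS_HIGH:
        return 1
    if (epss is not None and epss >= EPSS_LOW) or cvss >= 9.0:
        return 2
    return 3


def prioritise(epss_scores, cvss_by_cve, kev_listed):
    """Return findings sorted by tier, then EPSS (desc), then CVSS (desc)."""
    rows = []
    for cve, cvss in cvss_by_cve.items():
        epss, pct = epss_scores.get(cve, (None, None))
        rows.append({
            "cve": cve, "epss": epss, "percentile": pct, "cvss": cvss,
            "kev": cve in kev_listed,
            "tier": assign_tier(epss, cvss, cve in kev_listed),
        })
    rows.sort(key=lambda r: (r["tier"], -(r["epss"] or 0.0), -r["cvss"]))
    return rows


def demo():
    """Rank the constructed sample and return the CVE ids in patch order."""
    ranked = prioritise(parse_epss_response(SAMPLE_EPSS_RESPONSE), SAMPLE_CVSS, SAMPLE_KEV)
    for r in ranked:
        epss = "unscored" if r["epss"] is None else f"{r['epss']:.2%}"
        print(f"tier {r['tier']}  {r['cve']}  EPSS {epss:>8}  CVSS {r['cvss']}  KEV={r['kev']}")
    return [r["cve"] for r in ranked]


if __name__ == "__main__":
    demo()
```

Running it puts the 90% EPSS / CVSS 7.5 finding and the KEV-listed one in tier 1, the CVSS 9.8 / 0.1% EPSS finding in tier 2, and the unscored CVE in the backlog until a score appears; swapping the constructed feed for a live call to the FIRST API and the scanner output for your own changes nothing else.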
