Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. A higher score means a greater likelihood of exploitation in the wild within the next 30 days. The percentile column places each score among all scored CVEs: it is the share of scored CVEs whose EPSS score is at or below that one, so "52.7th" means roughly half of all scored CVEs have a lower score.

EPSS > 50%: 164
CISA KEV listed: 156
CVEs with an EPSS score: 35,468
Average EPSS score: 0.7%
Ranks 801 to 850 of the list are shown.

| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 801 | CVE-2025-39554 | 0.3% | 52.7th | 6.5 | | This CVE describes a Missing Authorization vulnerability in the RelyWP AI Text to Speech WordPress p |
| 802 | CVE-2025-24581 | 0.3% | 52.7th | 6.5 | | This CVE describes a Missing Authorization vulnerability in the Themefic Instantio WordPress plugin |
| 803 | CVE-2025-23958 | 0.3% | 52.7th | 6.5 | | This CVE describes a missing authorization vulnerability in the FADI MED Editor Wysiwyg Background C |
| 804 | CVE-2025-23773 | 0.3% | 52.7th | 6.5 | | This CVE describes a Missing Authorization vulnerability in the WordPress 'Delete All Posts' plugin |
| 805 | CVE-2025-32243 | 0.3% | 52.7th | 6.5 | | This CVE describes a Missing Authorization vulnerability in the WordPress Internal Link Optimiser pl |
| 806 | CVE-2025-32240 | 0.3% | 52.7th | 6.5 | | This CVE describes a missing authorization vulnerability in the WordPress Site Notify plugin that al |
| 807 | CVE-2025-3430 | 0.3% | 52.8th | 4.9 | | The 3DPrint Lite WordPress plugin contains an SQL injection vulnerability in the 'printer_text' para |
| 808 | CVE-2025-3428 | 0.3% | 52.8th | 4.9 | | The 3DPrint Lite WordPress plugin contains an SQL injection vulnerability in the 'coating_text' para |
| 809 | CVE-2025-31381 | 0.3% | 52.7th | 6.5 | | This CVE describes a Missing Authorization vulnerability in the Shiptrack Booking Calendar and Notif |
| 810 | CVE-2025-22285 | 0.3% | 52.7th | 6.5 | | This CVE describes a Missing Authorization vulnerability in Eniture Technology's Pallet Packaging fo |
| 811 | CVE-2025-31858 | 0.3% | 52.7th | 6.5 | | CVE-2025-31858 is a missing authorization vulnerability in the Local Magic WordPress plugin that all |
| 812 | CVE-2025-31768 | 0.3% | 52.7th | 6.5 | | This CVE describes a Missing Authorization vulnerability in the OTWthemes Widget Manager Light WordP |
| 813 | CVE-2025-31736 | 0.3% | 52.7th | 6.5 | | CVE-2025-31736 is a missing authorization vulnerability in the richtexteditor WordPress plugin that |
| 814 | CVE-2025-30916 | 0.3% | 52.7th | 6.5 | | This CVE describes a Missing Authorization vulnerability in the Residential Address Detection WordPr |
| 815 | CVE-2024-12410 | 0.3% | 52.8th | 4.9 | | This SQL injection vulnerability in the Front End Users WordPress plugin allows unauthenticated atta |
| 816 | CVE-2025-31780 | 0.3% | 52.7th | 6.5 | | This CVE describes a Missing Authorization vulnerability in the WordPress Append Content plugin that |
| 817 | CVE-2025-4432 | 0.3% | 52.7th | 5.3 | | A vulnerability in Rust's Ring cryptography library allows attackers to trigger a panic (crash) by s |
| 818 | CVE-2025-1285 | 0.3% | 52.7th | 5.3 | | This vulnerability in the Resido WordPress theme allows unauthenticated attackers to delete or save |
| 819 | CVE-2024-12375 | 0.3% | 52.5th | 6.5 | | A local file inclusion vulnerability in automatic1111/stable-diffusion-webui allows attackers to rea |
| 820 | CVE-2025-3523 | 0.3% | 52.5th | 6.4 | | This vulnerability in Thunderbird email client causes misleading hover text when emails contain mult |
| 821 | CVE-2024-50562 | 0.3% | 52.5th | 4.8 | | This vulnerability allows attackers who have obtained SSL-VPN session cookies to reuse them even aft |
| 822 | CVE-2025-40602 | 0.3% | 52.4th | 6.6 | KEV | This CVE describes a local privilege escalation vulnerability in SonicWall SMA1000 appliances where |
| 823 | CVE-2024-13117 | 0.3% | 52.4th | 6.5 | | The Social Share Buttons for WordPress plugin through version 2.7 contains an unauthenticated file u |
| 824 | CVE-2025-11141 | 0.3% | 52.4th | 4.7 | | This CVE describes an OS command injection vulnerability in Ruijie NBR2100G-E routers. Attackers can |
| 825 | CVE-2025-10060 | 0.3% | 52.4th | 6.5 | | MongoDB Server may allow upsert operations retried within a transaction to violate unique index cons |
| 826 | CVE-2025-22385 | 0.29% | 52.3th | 5.9 | | Optimizely Configured Commerce versions before 5.2.2408 allow mass account creation without email co |
| 827 | CVE-2025-13087 | 0.29% | 52.3th | 6.2 | | This vulnerability allows remote attackers with administrative access to execute arbitrary commands |
| 828 | CVE-2024-12104 | 0.29% | 52.2th | 5.3 | | The Atarim WordPress plugin has a vulnerability that allows unauthenticated attackers to delete proj |
| 829 | CVE-2025-3563 | 0.29% | 52.2th | 4.7 | | This critical vulnerability in WuzhiCMS 4.1 allows remote attackers to execute arbitrary code throug |
| 830 | CVE-2025-13810 | 0.29% | 52.2th | 5.3 | | A path traversal vulnerability in jsnjfz WebStack-Guns 1.0 allows remote attackers to read arbitrary |
| 831 | CVE-2025-11490 | 0.29% | 52.2th | 6.3 | | This CVE describes an OS command injection vulnerability in DesktopCommanderMCP up to version 0.2.13 |
| 832 | CVE-2022-31749 | 0.29% | 52.0th | 6.5 | | CVE-2022-31749 is an argument injection vulnerability in WatchGuard Fireware OS that allows authenti |
| 833 | CVE-2025-9787 | 0.29% | 52.0th | 6.1 | | ManageEngine Applications Manager versions 177400 and below contain a stored cross-site scripting vu |
| 834 | CVE-2025-0613 | 0.29% | 52.0th | 6.1 | | The Photo Gallery by 10Web WordPress plugin before version 1.8.34 contains a stored cross-site scrip |
| 835 | CVE-2025-69255 | 0.29% | 51.9th | 4.0 | | A malformed gRPC GetMetrics request can cause RustFS to panic and crash the handler thread, enabling |
| 836 | CVE-2024-13920 | 0.29% | 51.8th | 4.9 | | This vulnerability allows authenticated WordPress administrators to perform directory traversal atta |
| 837 | CVE-2025-3564 | 0.29% | 51.8th | 4.3 | | This vulnerability allows unauthorized access to the Teacher String Handler component in huanfenz/co |
| 838 | CVE-2026-25475 | 0.29% | 51.8th | 6.5 | | OpenClaw versions before 2026.1.30 contain a path traversal vulnerability in the isValidMedia() func |
| 839 | CVE-2024-13361 | 0.29% | 51.7th | 6.3 | | The AI Power WordPress plugin has an authorization vulnerability that allows authenticated users wit |
| 840 | CVE-2024-45424 | 0.29% | 51.7th | 5.3 | | A business logic error in certain Zoom Workplace applications allows unauthenticated attackers to ac |
| 841 | CVE-2025-24967 | 0.29% | 51.7th | 5.4 | | A stored cross-site scripting (XSS) vulnerability in reNgine's admin panel allows attackers to injec |
| 842 | CVE-2025-9950 | 0.29% | 51.7th | 4.9 | | The Error Log Viewer WordPress plugin contains a directory traversal vulnerability that allows authe |
| 843 | CVE-2024-13367 | 0.29% | 51.6th | 6.5 | | The Sandbox WordPress plugin allows authenticated attackers with Subscriber-level access or higher t |
| 844 | CVE-2023-27539 | 0.29% | 51.6th | 5.3 | | CVE-2023-27539 is a denial-of-service vulnerability in Rack's header parsing component that allows a |
| 845 | CVE-2024-6839 | 0.29% | 51.6th | 5.3 | | CVE-2024-6839 is an improper regex path matching vulnerability in flask-cors 4.0.1 that causes longe |
| 846 | CVE-2024-8682 | 0.29% | 51.6th | 5.3 | | This vulnerability allows unauthenticated attackers to register user accounts on WordPress sites usi |
| 847 | CVE-2025-3536 | 0.29% | 51.6th | 6.5 | | This vulnerability allows attackers to bypass authorization controls in Tutorials-Website Employee M |
| 848 | CVE-2026-24888 | 0.29% | 51.6th | 6.5 | | Maker.js versions up to 0.19.1 contain a prototype pollution vulnerability in the extendObject funct |
| 849 | CVE-2025-21310 | 0.29% | 51.5th | 6.6 | | This Windows Digital Media vulnerability allows attackers to gain elevated privileges on affected sy |
| 850 | CVE-2025-21260 | 0.29% | 51.5th | 6.6 | | This Windows Digital Media vulnerability allows attackers to gain elevated privileges on affected sy |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it the better input for deciding which vulnerabilities to patch first.

Why EPSS matters: with thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS lets security teams focus on the CVEs most likely to be actively exploited instead of patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS. EPSS says nothing about impact or about whether the affected component is reachable in your environment, so it is best combined with CISA KEV listing (a KEV-flagged CVE can carry a low EPSS score, as the SonicWall SMA1000 entry at 0.3% in the table shows) and with asset exposure rather than used on its own.
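The prioritisation rule described above, and the score and percentile columns of the table, carried through in code. This is an added example, not code from this site or from FIRST.org. It parses a constructed sample in the shape the FIRST EPSS API (https://api.first.org/data/v1/epss) returns, attaches CVSS scores and a KEV flag (the three real rows copy values from the table above; the two entries labelled HYPOTHETICAL are the CVSS 9.8 / EPSS 0.1% and CVSS 7.5 / EPSS 90% pair from the paragraph above and are not real identifiers), and orders KEV-listed items first, then by EPSS, with CVSS only as a tiebreak. The threshold values and the bucket names are assumptions for illustration.

```python
"""Rank findings by exploit likelihood (EPSS) rather than by CVSS alone.

Added example, not code from this site or from FIRST.org. The EPSS API
body below is a constructed sample in the shape returned by
https://api.first.org/data/v1/epss; CVSS values and KEV flags are supplied
separately, as they would come from NVD and the CISA KEV feed.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float        # CVSS base score, 0-10 (severity)
    epss: float        # EPSS probability of exploitation in the next 30 days, 0-1
    percentile: float  # share of all scored CVEs with an EPSS score <= this one, 0-1
    kev: bool = False  # listed in the CISA Known Exploited Vulnerabilities catalog


# Constructed sample of an EPSS API body (not fetched; dates are placeholders).
# The three CVE rows copy the scores shown in the table on this page; the two
# HYPOTHETICAL entries are the 9.8 / 0.1% and 7.5 / 90% pair from the text
# and are not real identifiers.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-2025-40602", "epss": "0.00300", "percentile": "0.52400", "date": "2025-01-01"},
        {"cve": "CVE-2025-4432",  "epss": "0.00300", "percentile": "0.52700", "date": "2025-01-01"},
        {"cve": "CVE-2025-21310", "epss": "0.00290", "percentile": "0.51500", "date": "2025-01-01"},
        {"cve": "HYPOTHETICAL-A", "epss": "0.00100", "percentile": "0.25000", "date": "2025-01-01"},
        {"cve": "HYPOTHETICAL-B", "epss": "0.90000", "percentile": "0.99900", "date": "2025-01-01"},
    ],
})
SAMPLE_CVSS = {  # CVSS base scores; the first three are from the table above
    "CVE-2025-40602": 6.6, "CVE-2025-4432": 5.3, "CVE-2025-21310": 6.6,
    "HYPOTHETICAL-A": 9.8, "HYPOTHETICAL-B": 7.5,
}
SAMPLE_KEV = {"CVE-2025-40602"}  # the only KEV-flagged row among the three


def parse_epss_response(body: str) -> dict:
    """Return {cve: (epss, percentile)} from an EPSS API JSON body.

    Scores arrive as decimal strings; percentile is a fraction, so 0.524
    is the "52.4th" percentile shown in the table.
    """
    doc = json.loads(body)
    if doc.get("status") != "OK":
        raise ValueError(f"EPSS API status {doc.get('status')!r}")
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in doc["data"]}


def build_findings(body: str, cvss: dict, kev: set) -> list:
    """Join EPSS scores with CVSS and KEV membership into Finding records."""
    scores = parse_epss_response(body)
    return [Finding(cve, cvss[cve], epss, pct, cve in kev)
            for cve, (epss, pct) in scores.items()]


def prioritise(findings: list) -> list:
    """Patch order: KEV first (a KEV entry can have a low EPSS, as the
    SonicWall row shows), then descending EPSS; CVSS only breaks ties."""
    return sorted(findings, key=lambda f: (f.kev, f.epss, f.cvss), reverse=True)


def patch_bucket(f: Finding, epss_threshold: float = 0.5) -> str:
    """Triage rule (assumed thresholds): known-exploited or likely-exploited
    means patch now; a high CVSS with low EPSS is scheduled rather than
    dropped, because EPSS says nothing about impact on your systems."""
    if f.kev or f.epss >= epss_threshold:
        return "patch-now"
    if f.cvss >= 9.0:
        return "schedule"
    return "backlog"


if __name__ == "__main__":
    ranked = prioritise(build_findings(SAMPLE_EPSS_RESPONSE, SAMPLE_CVSS, SAMPLE_KEV))
    for f in ranked:
        print(f"{f.cve:16} CVSS {f.cvss:4.1f}  EPSS {f.epss:6.2%}  "
              f"pct {f.percentile:.1%}  KEV={f.kev!s:5}  -> {patch_bucket(f)}")
```

Run as a script, the hypothetical CVSS 9.8 entry lands at the bottom of the list and the CVSS 7.5 entry with 90% EPSS directly under the KEV-listed SonicWall CVE, which is the ordering the paragraph above argues for.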

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
