Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 8501 | CVE-2025-5588 | | 11.9th | 6.4 | | The Image Editor by Pixo WordPress plugin has a stored XSS vulnerability in the 'download' parameter |
| 8502 | CVE-2026-21968 | | 11.8th | 6.5 | | This vulnerability in MySQL Server's optimizer component allows authenticated attackers with network |
| 8503 | CVE-2025-10937 | | 11.9th | 5.5 | | This vulnerability in Oxford Nanopore's MinKNOW software allows local users to cause a denial-of-ser |
| 8504 | CVE-2024-43181 | | 11.9th | 6.3 | | IBM Concert versions 1.0.0 through 2.1.0 fail to properly invalidate user sessions after logout, all |
| 8505 | CVE-2025-61949 | | 12th | 5.4 | | LogStare Collector has a stored XSS vulnerability in its UserManagement feature where malicious user |
| 8506 | CVE-2025-66371 | | 11.8th | 5.0 | | CVE-2025-66371 is an XML External Entity (XXE) vulnerability in peppol-py versions before 1.1.1. It |
| 8507 | CVE-2025-4677 | | 12th | 6.5 | | CVE-2025-4677 is an insufficient session expiration vulnerability in ABB WebPro SNMP Card PowerValue |
| 8508 | CVE-2025-68993 | | 12th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the XforWooCommerce Share, Print and PDF |
| 8509 | CVE-2025-0529 | | 12th | 5.3 | | A critical stack-based buffer overflow vulnerability exists in the Train Ticket Reservation System 1 |
| 8510 | CVE-2025-58441 | | 12th | 6.5 | | Knowage versions before 8.1.37 have a blind server-side request forgery vulnerability that allows at |
| 8511 | CVE-2025-63047 | | 12th | 5.3 | | This CVE describes a missing authorization vulnerability in the ListingPro WordPress theme that allo |
| 8512 | CVE-2025-68994 | | 12th | 5.3 | | This CVE describes a Missing Authorization vulnerability in XforWooCommerce Product Loops for WooCom |
| 8513 | CVE-2025-0926 | | 11.9th | 5.9 | | A non-admin user can delete critical system files by exploiting a file deletion redirection vulnerab |
| 8514 | CVE-2025-63049 | | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the WordPress ListingPro Lead Form plugi |
| 8515 | CVE-2025-54255 | | 11.9th | 4.0 | | This CVE describes a violation of secure design principles in Adobe Acrobat Reader that allows secur |
| 8516 | CVE-2025-13975 | | 12th | 4.4 | | This stored XSS vulnerability in the Contact Form 7 with ChatWork WordPress plugin allows authentica |
| 8517 | CVE-2025-68997 | | 12.1th | 5.3 | | This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in the wpDiscuz WordPres |
| 8518 | CVE-2025-63054 | | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the Quiz And Survey Master WordPress plu |
| 8519 | CVE-2025-11378 | | 11.8th | 5.4 | | This vulnerability allows authenticated WordPress users with Contributor-level access or higher to e |
| 8520 | CVE-2025-62747 | | 12th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Aum Watcharapon Featured Image Gener |
| 8521 | CVE-2025-69009 | | 12th | 5.3 | | This CVE describes a missing authorization vulnerability in the kamleshyadav Medicalequipment WordPr |
| 8522 | CVE-2025-62755 | | 12th | 5.3 | | This vulnerability allows unauthenticated attackers to bypass access controls in the GS Portfolio fo |
| 8523 | CVE-2025-69010 | | 12th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Themebeez Toolkit WordPress plugin t |
| 8524 | CVE-2025-40742 | | 12th | 5.3 | | This vulnerability in Siemens SIPROTEC 5 devices exposes session identifiers in URL requests, potent |
| 8525 | CVE-2025-63069 | | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the Ivory Search WordPress plugin that a |
| 8526 | CVE-2025-29983 | | 12.1th | 6.7 | | Dell Trusted Device versions before 7.0.3.0 contain a link following vulnerability that allows local |
| 8527 | CVE-2025-63002 | | 12.1th | 5.3 | | A missing authorization vulnerability in wpforchurch Sermon Manager WordPress plugin allows attacker |
| 8528 | CVE-2025-4218 | | 12th | 5.3 | | A critical code injection vulnerability exists in handrew browserpilot's GPTSeleniumAgent function w |
| 8529 | CVE-2025-63043 | | 12.1th | 5.3 | | This vulnerability allows attackers to bypass authorization controls in the PickPlugins Post Grid an |
| 8530 | CVE-2025-20658 | | 12th | 6.0 | | This CVE describes a permission bypass vulnerability in DA (likely a MediaTek component) that allows |
| 8531 | CVE-2025-5841 | | 11.9th | 6.4 | | The ACF Onyx Poll WordPress plugin has a stored XSS vulnerability in versions up to 1.1.9. Authentic |
| 8532 | CVE-2025-69028 | | 12th | 5.3 | | This CVE describes a Missing Authorization vulnerability in BoldGrid weForms WordPress plugin that a |
| 8533 | CVE-2025-52454 | | 12th | 5.3 | | This SSRF vulnerability in Salesforce Tableau Server allows attackers to make the server send reques |
| 8534 | CVE-2025-15118 | | 11.8th | 4.3 | | This vulnerability allows unauthorized modification of member address data in macrozheng mall versio |
| 8535 | CVE-2025-12766 | | 11.8th | 5.0 | | An Insecure Direct Object Reference (IDOR) vulnerability in BlackBerry AtHoc Management Console vers |
| 8536 | CVE-2025-69031 | | 12th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Skywarrior Arcane WordPress theme th |
| 8537 | CVE-2025-63226 | | 11.8th | 5.7 | | This vulnerability allows attackers on the same network as a logged-in user to hijack their session |
| 8538 | CVE-2025-64632 | | 12.1th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Auctollo Google XML Sitemaps WordPre |
| 8539 | CVE-2025-20893 | | 11.9th | 5.1 | | An improper access control vulnerability in Samsung's NotificationManager allows local attackers to |
| 8540 | CVE-2025-6346 | | 12th | 6.3 | | This vulnerability allows remote attackers to execute SQL injection attacks against the Advance Char |
| 8541 | CVE-2025-13804 | | 11.9th | 4.3 | | This CVE describes an information disclosure vulnerability in nutzam NutzBoot's Ethereum Wallet Hand |
| 8542 | CVE-2025-66508 | | 12th | 6.5 | | This vulnerability in 1Panel allows attackers to bypass IP-based access controls by spoofing the X-F |
| 8543 | CVE-2025-64638 | | 12.1th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the OnPay.io for WooCommerce plugin that |
| 8544 | CVE-2025-69093 | | 12th | 5.3 | | This CVE describes a missing authorization vulnerability in the ShopMagic for WooCommerce WordPress |
| 8545 | CVE-2025-64639 | | 12th | 5.3 | | This CVE describes a missing authorization vulnerability in the WP Compress for MainWP WordPress plu |
| 8546 | CVE-2025-66120 | | 12th | 5.3 | | This CVE describes a missing authorization vulnerability in the CatFolders WordPress plugin that all |
| 8547 | CVE-2025-66121 | | 12th | 5.3 | | This CVE describes a Missing Authorization vulnerability in SiteGround Security plugin for WordPress |
| 8548 | CVE-2025-14039 | | 12.1th | 6.4 | | The Simple Folio WordPress plugin has a stored cross-site scripting vulnerability that allows authen |
| 8549 | CVE-2026-21409 | | 11.9th | 5.9 | | An improper authorization vulnerability in RICOH Streamline NX allows man-in-the-middle attackers to |
| 8550 | CVE-2025-66124 | | 12.1th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the ZEEN101 Leaky Paywall WordPress plug |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.