Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:

164 CVEs with EPSS > 50%
156 CVEs listed in the CISA KEV catalog
35,468 CVEs with an EPSS score
0.7% average EPSS score
Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary
8551 | CVE-2025-64259 | 0.04% | 11.9th | 6.5 | | This CVE describes a missing authorization vulnerability in the Theater for WordPress plugin that al
8552 | CVE-2025-6351 | 0.04% | 12th | 6.3 | | A critical SQL injection vulnerability exists in itsourcecode Employee Record Management System 1.0
8553 | CVE-2025-64261 | 0.04% | 11.9th | 6.5 | | This CVE describes a Missing Authorization vulnerability in the Appointment Booking Calendar WordPre
8554 | CVE-2025-10053 | 0.04% | 11.8th | 4.4 | | The TableGen WordPress plugin has a stored XSS vulnerability that allows authenticated administrator
8555 | CVE-2025-13811 | 0.04% | 12.1th | 6.3 | | This CVE describes a SQL injection vulnerability in jsnjfz WebStack-Guns 1.0 that allows remote atta
8556 | CVE-2025-12033 | 0.04% | 11.9th | 4.4 | | This stored XSS vulnerability in the Simple Banner WordPress plugin allows authenticated administrat
8557 | CVE-2025-5923 | 0.04% | 11.9th | 6.4 | | The Game Review Block WordPress plugin has a stored XSS vulnerability in all versions up to 4.8.1. A
8558 | CVE-2025-66128 | 0.04% | 12.1th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Brevo Sendinblue for WooCommerce plu
8559 | CVE-2025-9835 | 0.04% | 11.8th | 4.3 | | This vulnerability allows attackers to bypass authorization checks in the cancelOrder function of ma
8560 | CVE-2025-66129 | 0.04% | 12th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the WordPress Pochipp plugin that allows
8561 | CVE-2025-61842 | 0.04% | 11.9th | 5.5 | | Format Plugins versions 1.1.1 and earlier contain a Use After Free vulnerability that could allow me
8562 | CVE-2025-66130 | 0.04% | 12th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the WP Views Counter WordPress plugin th
8563 | CVE-2021-47743 | 0.04% | 11.9th | 6.1 | | COMMAX Biometric Access Control System 1.0.0 contains an unauthenticated reflected cross-site script
8564 | CVE-2025-6705 | 0.04% | 11.8th | 5.3 | | A vulnerability in Eclipse Open VSX Registry's automated publishing system allowed unauthorized uplo
8565 | CVE-2025-37994 | 0.04% | 11.8th | 5.5 | | A NULL pointer dereference vulnerability in the Linux kernel's UCSI DisplayPort driver could cause k
8566 | CVE-2025-66133 | 0.04% | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the WP Cookie Notice for GDPR, CCPA & eP
8567 | CVE-2025-11207 | 0.04% | 12th | 6.5 | | This vulnerability allows a remote attacker to perform arbitrary read/write operations through side-
8568 | CVE-2025-12032 | 0.04% | 11.9th | 4.4 | | This stored XSS vulnerability in the Zweb Social Mobile WordPress plugin allows authenticated admini
8569 | CVE-2025-62722 | 0.04% | 12th | 5.4 | | This is a Stored Cross-Site Scripting (XSS) vulnerability in LinkAce's social media sharing function
8570 | CVE-2025-33119 | 0.04% | 11.9th | 6.5 | | IBM QRadar SIEM versions 7.5 through 7.5.0 UP14 store user credentials in configuration files that a
8571 | CVE-2026-1389 | 0.04% | 11.8th | 5.3 | | This vulnerability allows authenticated WordPress users with Author-level permissions or higher to a
8572 | CVE-2025-7944 | 0.04% | 12th | 4.3 | | This vulnerability allows attackers to inject malicious scripts into the Taxi Stand Management Syste
8573 | CVE-2022-49540 | 0.04% | 12th | 4.7 | | This CVE describes a race condition in the Linux kernel's RCU Tasks Rude subsystem during early boot
8574 | CVE-2025-69359 | 0.04% | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the WPFunnels Creator LMS WordPress plug
8575 | CVE-2025-2598 | 0.04% | 11.9th | 5.5 | | The AWS CDK CLI prints AWS credentials to console output when used with credential plugins that retu
8576 | CVE-2025-69364 | 0.04% | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the Cloudways Breeze WordPress plugin th
8577 | CVE-2025-25799 | 0.04% | 12.1th | 6.0 | | SeaCMS 13.3 contains an arbitrary file read vulnerability in the admin_safe.php file that allows att
8578 | CVE-2025-12016 | 0.04% | 11.9th | 4.4 | | The qnotsquiz WordPress plugin has a stored XSS vulnerability that allows authenticated administrato
8579 | CVE-2025-67965 | 0.04% | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the favethemes Homey Core WordPress plug
8580 | CVE-2025-13405 | 0.04% | 11.8th | 5.3 | | The Ace Post Type Builder WordPress plugin has an authorization vulnerability that allows authentica
8581 | CVE-2025-8182 | 0.04% | 12th | 5.6 | | This vulnerability in Tenda AC18 routers allows attackers to exploit weak password requirements in t
8582 | CVE-2026-24667 | 0.04% | 11.9th | 5.0 | | Open eClass platform versions before 4.2 fail to invalidate active user sessions after password chan
8583 | CVE-2025-67985 | 0.04% | 12th | 5.3 | | This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Barn2 Plugins Documen
8584 | CVE-2024-7035 | 0.04% | 11.9th | 6.9 | | This CSRF vulnerability in open-webui/open-webui v0.3.8 allows attackers to trick authenticated user
8585 | CVE-2025-12833 | 0.04% | 11.8th | 4.3 | | This vulnerability allows authenticated WordPress users with author-level permissions or higher to a
8586 | CVE-2025-12841 | 0.04% | 12th | 5.3 | | The Bookit WordPress plugin before version 2.5.1 has an unauthenticated REST API endpoint that allow
8587 | CVE-2025-9333 | 0.04% | 11.8th | 5.5 | | The Smart Docs WordPress plugin is vulnerable to stored cross-site scripting (XSS) in admin settings
8588 | CVE-2024-30154 | 0.04% | 12th | 5.3 | | HCL SX has a cross-site request forgery (CSRF) vulnerability that allows attackers to trick authenti
8589 | CVE-2025-15170 | 0.04% | 11.9th | 4.3 | | This vulnerability allows attackers to inject malicious scripts into Advaya Softech GEMS ERP Portal
8590 | CVE-2025-59402 | 0.04% | 11.8th | 5.4 | | This vulnerability allows attackers with physical access to Flock Safety Bravo Edge AI Compute devic
8591 | CVE-2025-52628 | 0.04% | 12.1th | 4.6 | | HCL AION versions 2.0 have a SameSite cookie vulnerability that allows cookies to be sent in cross-s
8592 | CVE-2025-67906 | 0.04% | 12th | 5.4 | | This vulnerability allows cross-site scripting (XSS) attacks in MISP's workflow execution path. Atta
8593 | CVE-2025-9399 | 0.04% | 12th | 6.3 | | This vulnerability allows remote attackers to execute SQL injection attacks against YiFang CMS versi
8594 | CVE-2025-48139 | 0.04% | 12th | 6.5 | | This CVE describes a Missing Authorization vulnerability in the StyleAI WordPress plugin that allows
8595 | CVE-2025-11373 | 0.04% | 11.8th | 4.3 | | This vulnerability allows authenticated WordPress users with Contributor-level access or higher to u
8596 | CVE-2025-1250 | 0.04% | 12th | 6.5 | | This vulnerability allows authenticated GitLab users to disrupt background job processing by submitt
8597 | CVE-2025-12527 | 0.04% | 11.8th | 4.3 | | The Page & Post Notes WordPress plugin has a missing capability check vulnerability that allows auth
8598 | CVE-2025-25010 | 0.04% | 12th | 6.5 | | This CVE describes an incorrect authorization vulnerability in Kibana where the built-in reporting_u
8599 | CVE-2025-6083 | 0.04% | 11.8th | 4.3 | | A syntax error in ExtremeCloud Universal ZTNA's 'searchKeyword' condition allows users to bypass the
8600 | CVE-2024-12429 | 0.04% | 11.8th | 4.3 | | An authenticated attacker can exploit this vulnerability in AC500 V3 products to read system-wide fi

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
