Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

164

EPSS > 50%

156

CISA KEV Listed

35,468

CVEs with EPSS

0.7%

Avg EPSS Score

All Critical High Medium Low

Rank	CVE ID	EPSS Score	Percentile	CVSS	Summary
8601	CVE-2026-0548	0.04%	11.8th	5.4	This vulnerability allows authenticated WordPress users with subscriber-level access or higher to de
8602	CVE-2025-3908	0.04%	12.1th	6.2	This vulnerability allows a local attacker on Linux systems to create symbolic links that trick Open
8603	CVE-2024-56342	0.04%	12th	4.3	IBM Verify Identity Access Digital Credentials 24.06 returns detailed technical error messages to br
8604	CVE-2025-37138	0.04%	12.1th	6.2	An authenticated command injection vulnerability in AOS-10 GW and AOS-8 Controllers/Mobility Conduct
8605	CVE-2025-57758	0.04%	12.1th	4.3	This vulnerability allows authenticated back-end users in Contao CMS to access modules they shouldn'
8606	CVE-2025-10997	0.04%	11.6th	5.3	A heap-based buffer overflow vulnerability exists in Open Babel versions up to 3.1.1, specifically i
8607	CVE-2025-34257	0.04%	11.5th	5.4	This stored XSS vulnerability in Advantech WISE-DeviceOn Server allows authenticated attackers to in
8608	CVE-2025-67555	0.04%	11.5th	6.5	This stored cross-site scripting (XSS) vulnerability in UseStrict's Calendly Embedder WordPress plug
8609	CVE-2025-34258	0.04%	11.5th	5.4	This stored XSS vulnerability in Advantech WISE-DeviceOn Server allows authenticated attackers to in
8610	CVE-2025-34259	0.04%	11.5th	5.4	This stored XSS vulnerability in Advantech WISE-DeviceOn Server allows authenticated attackers to in
8611	CVE-2025-67557	0.04%	11.5th	6.5	This stored cross-site scripting (XSS) vulnerability in the WP eBay Product Feeds WordPress plugin a
8612	CVE-2025-34260	0.04%	11.5th	5.4	Advantech WISE-DeviceOn Server versions before 5.4 contain a stored cross-site scripting vulnerabili
8613	CVE-2025-67558	0.04%	11.5th	6.5	This stored cross-site scripting (XSS) vulnerability in the Rencontre WordPress plugin allows attack
8614	CVE-2025-12517	0.04%	11.4th	5.3	This vulnerability involves a mismatch between the credits page and actual firmware versions in BLU-
8615	CVE-2025-34261	0.04%	11.5th	5.4	This stored XSS vulnerability in Advantech WISE-DeviceOn Server allows authenticated attackers to in
8616	CVE-2025-34262	0.04%	11.5th	5.4	This stored XSS vulnerability in Advantech WISE-DeviceOn Server allows authenticated attackers to in
8617	CVE-2025-5733	0.04%	11.3th	5.3	The Modern Events Calendar Lite WordPress plugin versions up to 7.21.9 expose full web server path i
8618	CVE-2025-34263	0.04%	11.5th	5.4	Advantech WISE-DeviceOn Server versions before 5.4 contain a stored cross-site scripting vulnerabili
8619	CVE-2025-34264	0.04%	11.5th	5.4	Advantech WISE-DeviceOn Server versions before 5.4 contain a stored cross-site scripting vulnerabili
8620	CVE-2025-34265	0.04%	11.5th	5.4	This stored XSS vulnerability in Advantech WISE-DeviceOn Server allows authenticated attackers to in
8621	CVE-2024-51446	0.04%	11.8th	6.5	This vulnerability allows authenticated remote attackers to upload malicious XML files containing st
8622	CVE-2025-34266	0.04%	11.5th	5.4	This is an authenticated stored cross-site scripting (XSS) vulnerability in Advantech WISE-DeviceOn
8623	CVE-2025-67564	0.04%	11.6th	5.3	This vulnerability in Pixel Manager for WooCommerce exposes sensitive system information to unauthor
8624	CVE-2025-15112	0.04%	11.6th	5.4	This vulnerability in Ksenia Security Lares 4.0 version 1.6 allows attackers to craft malicious link
8625	CVE-2025-66258	0.04%	11.3th	5.4	This vulnerability allows attackers to inject malicious JavaScript into the Mozart FM Transmitter's
8626	CVE-2025-67078	0.04%	11.6th	6.1	A cross-site scripting (XSS) vulnerability in Omnispace Agora Project allows attackers to inject mal
8627	CVE-2025-65622	0.04%	11.6th	5.4	This stored cross-site scripting (XSS) vulnerability in Snipe-IT allows authenticated users with low
8628	CVE-2025-67565	0.04%	11.6th	5.3	This vulnerability in the Rehub WordPress theme allows unauthorized users to retrieve embedded sensi
8629	CVE-2025-66260	0.04%	11.3th	6.5	This SQL injection vulnerability in DB Electronica Telecomunicazioni's Mozart FM Transmitter allows
8630	CVE-2025-67567	0.04%	11.6th	5.3	This vulnerability in the Sober WordPress theme allows unauthorized users to retrieve embedded sensi
8631	CVE-2026-25806	0.04%	11.5th	6.5	This CVE describes a missing authorization vulnerability in PlaciPy placement management system. Aut
8632	CVE-2025-63442	0.04%	11.6th	4.6	Simple User Management System with PHP-MySQL v1.0 has a stored XSS vulnerability in the Profile Sect
8633	CVE-2025-21528	0.04%	11.5th	4.3	This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in Oracle Primavera P6 Enterpri
8634	CVE-2025-61907	0.04%	11.7th	6.5	This vulnerability allows authenticated API users in Icinga 2 to bypass permission restrictions and
8635	CVE-2025-9532	0.04%	11.6th	6.3	CVE-2025-9532 is a SQL injection vulnerability in Portabilis i-Educar educational software that allo
8636	CVE-2025-64748	0.04%	11.7th	6.5	This vulnerability in Directus allows authenticated users with read permissions to detect matches in
8637	CVE-2026-23643	0.04%	11.7th	5.4	CVE-2026-23643 is a cross-site scripting (XSS) vulnerability in CakePHP's PaginatorHelper::limitCont
8638	CVE-2024-46335	0.04%	11.6th	4.6	PHPGurukul Complaint Management System 2.0 contains a cross-site scripting (XSS) vulnerability in th
8639	CVE-2025-66025	0.04%	11.8th	4.3	This vulnerability allows attackers to inject malicious links into Caido's Markdown renderer on the
8640	CVE-2025-14819	0.04%	11.6th	5.3	A TLS certificate validation vulnerability in libcurl where reusing easy or multi handles with alter
8641	CVE-2025-12782	0.04%	11.7th	4.3	The Beaver Builder WordPress plugin has an authorization bypass vulnerability that allows authentica
8642	CVE-2025-41384	0.04%	11.8th	6.1	This reflected XSS vulnerability in SuiteCRM v7.14.1 allows attackers to execute arbitrary JavaScrip
8643	CVE-2025-64746	0.04%	11.5th	4.6	A permission inheritance vulnerability in Directus allows stale field-level permissions to persist a
8644	CVE-2025-66803	0.04%	11.5th	4.8	A race condition in Hotwired Turbo's turbo-frame element handler allows logout operations to fail wh
8645	CVE-2026-24324	0.04%	11.7th	6.5	This vulnerability allows authenticated users with standard privileges in SAP BusinessObjects Busine
8646	CVE-2025-69749	0.04%	11.6th	6.1	A Cross-Site Scripting (XSS) vulnerability in tale v.2.0.5 allows attackers to inject malicious scri
8647	CVE-2025-12283	0.04%	11.4th	4.3	CVE-2025-12283 is an authorization bypass vulnerability in code-projects Client Details System 1.0 t
8648	CVE-2025-36299	0.04%	11.4th	4.3	IBM Planning Analytics Local versions 2.1.0 through 2.1.14 store sensitive information in source cod
8649	CVE-2025-57244	0.04%	11.6th	5.4	OpenKM Community Edition 6.3.12 has a stored cross-site scripting (XSS) vulnerability in the user ac
8650	CVE-2025-11663	0.04%	11.7th	4.7	This SQL injection vulnerability in Campcodes Online Beauty Parlor Management System 1.0 allows atta

← Previous Page 173 of 332 Next →

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability a CVE will be exploited in the wild within the next 30 days. Unlike CVSS which measures severity, EPSS measures likelihood of exploitation — making it ideal for prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.

Start Monitoring Free