Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV listed: 156
CVEs with EPSS: 35,468
Average EPSS score: 0.7%
Rank  CVE ID          EPSS   Percentile  CVSS  Flags  Summary (truncated in the source)
8651  CVE-2025-62798  0.04%  11.5th      5.4   -      This Cross-Site Scripting (XSS) vulnerability in the Sharp Laravel package allows attackers to injec
8652  CVE-2025-14548  0.04%  11.5th      6.4   -      The Calendar plugin for WordPress versions up to 1.3.16 contains a stored cross-site scripting vulne
8653  CVE-2025-42987  0.04%  11.8th      4.3   -      This vulnerability allows authenticated attackers with basic privileges to edit shared processing ru
8654  CVE-2025-14635  0.04%  11.5th      6.4   -      The Happy Addons for Elementor WordPress plugin has a stored XSS vulnerability in the 'ha_page_custo
8655  CVE-2025-14506  0.04%  11.5th      6.4   -      The ConvertForce Popup Builder WordPress plugin has a stored XSS vulnerability in its Gutenberg bloc
8656  CVE-2025-68868  0.04%  11.5th      6.5   -      This stored cross-site scripting (XSS) vulnerability in the WordPress Wp Text Slider Widget plugin a
8657  CVE-2025-4437   0.04%  11.6th      5.7   -      This CVE describes a denial-of-service vulnerability in CRI-O where launching a container with a non
8658  CVE-2026-1356   0.04%  11.4th      4.8   -      This Server-Side Request Forgery (SSRF) vulnerability in the Converter for Media WordPress plugin al
8659  CVE-2025-42991  0.04%  11.8th      4.3   -      SAP S/4HANA Bank Account Application has an authorization vulnerability where authenticated 'approve
8660  CVE-2025-14259  0.04%  11.6th      6.3   -      This vulnerability allows remote attackers to execute SQL injection attacks against Jihai Jshop Mini
8661  CVE-2025-68548  0.04%  11.5th      6.5   -      This stored cross-site scripting (XSS) vulnerability in the Responsive Posts Carousel Pro WordPress
8662  CVE-2025-51651  0.04%  11.5th      5.5   -      An authenticated arbitrary file download vulnerability in Mccms v2.7.0 allows attackers with admin a
8663  CVE-2025-68551  0.04%  11.7th      6.5   -      This vulnerability in the Vikas Ratudi VPSUForm WordPress plugin allows unauthorized attackers to re
8664  CVE-2025-68559  0.04%  11.5th      6.5   -      This is a cross-site scripting (XSS) vulnerability in TheGem Theme Elements for Elementor WordPress
8665  CVE-2025-14802  0.04%  11.6th      5.4   -      This vulnerability in the LearnPress WordPress plugin allows authenticated attackers with teacher-le
8666  CVE-2025-12574  0.04%  11.7th      4.3   -      This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to de
8667  CVE-2025-12577  0.04%  11.7th      4.3   -      This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to mo
8668  CVE-2025-10612  0.04%  11.8th      6.1   -      This is a reflected cross-site scripting (XSS) vulnerability in giSoft Information Technologies City
8669  CVE-2024-54030  0.04%  11.6th      4.4   -      This CVE describes a use-after-free vulnerability in OpenHarmony v4.1.2 and earlier versions that al
8670  CVE-2025-65229  0.04%  11.6th      4.6   -      A stored XSS vulnerability in Lyrion Music Server allows authenticated users to inject malicious scr
8671  CVE-2026-0739   0.04%  11.7th      4.4   -      The WMF Mobile Redirector WordPress plugin versions up to 1.2 contain a stored cross-site scripting
8672  CVE-2025-31029  0.04%  11.6th      5.4   -      This stored cross-site scripting (XSS) vulnerability in the WordPress replyMail plugin allows attack
8673  CVE-2026-0741   0.04%  11.7th      4.4   -      The Electric Studio Download Counter WordPress plugin has a stored XSS vulnerability in all versions
8674  CVE-2025-43252  0.04%  11.3th      6.5   -      This macOS vulnerability allows malicious websites to access sensitive user data by exploiting symli
8675  CVE-2025-60797  0.04%  11.3th      6.5   -      phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in the data export functionalit
8676  CVE-2025-12494  0.04%  11.5th      4.3   -      The Image Gallery plugin for WordPress has a vulnerability that allows authenticated attackers with
8677  CVE-2025-61431  0.04%  11.8th      6.1   -      A reflected cross-site scripting (XSS) vulnerability in Zucchetti ZMaintenance Infinity and Infinity
8678  CVE-2025-11255  0.04%  11.7th      4.3   -      This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to di
8679  CVE-2025-33111  0.04%  11.4th      4.3   -      This vulnerability in IBM Controller and Cognos Controller allows authenticated attackers to potenti
8680  CVE-2025-62136  0.04%  11.5th      6.5   -      This stored cross-site scripting (XSS) vulnerability in the Melos WordPress theme allows attackers t
8681  CVE-2025-53674  0.04%  11.5th      5.3   -      The Jenkins Sensedia Api Platform tools Plugin 1.0 fails to mask the Sensedia API Manager integratio
8682  CVE-2025-32873  0.04%  11.5th      5.3   -      This vulnerability in Django's strip_tags() function and striptags template filter allows attackers
8683  CVE-2025-62137  0.04%  11.5th      6.5   -      This stored cross-site scripting (XSS) vulnerability in the Shuttle WordPress theme allows attackers
8684  CVE-2025-64984  0.04%  11.8th      6.1   -      This vulnerability allows reflected cross-site scripting (XSS) attacks in Kaspersky security product
8685  CVE-2025-14185  0.04%  11.6th      6.3   -      This CVE describes a SQL injection vulnerability in Yonyou U8 Cloud enterprise software. Attackers c
8686  CVE-2025-62146  0.04%  11.5th      6.5   -      This stored cross-site scripting (XSS) vulnerability in the MX Time Zone Clocks WordPress plugin all
8687  CVE-2025-62758  0.04%  11.5th      6.5   -      This DOM-based Cross-Site Scripting (XSS) vulnerability in Funnelforms Free WordPress plugin allows
8688  CVE-2025-62759  0.04%  11.5th      6.5   -      This stored cross-site scripting (XSS) vulnerability in the WordPress Series plugin allows attackers
8689  CVE-2025-62760  0.04%  11.5th      6.5   -      This stored XSS vulnerability in the BuddyPress Activity Shortcode WordPress plugin allows attackers
8690  CVE-2025-62761  0.04%  11.5th      6.5   -      This stored XSS vulnerability in the BasePress WordPress plugin allows attackers to inject malicious
8691  CVE-2025-12167  0.04%  11.7th      4.3   -      The Contact Form 7 AWeber Extension plugin for WordPress has an authorization vulnerability that all
8692  CVE-2025-63000  0.04%  11.5th      6.5   -      This stored cross-site scripting (XSS) vulnerability in the Sermon Manager WordPress plugin allows a
8693  CVE-2025-60932  0.04%  11.8th      6.1   -      Multiple stored XSS vulnerabilities in HR Performance Solutions Performance Pro allow attackers to i
8694  CVE-2025-40929  0.04%  11.6th      5.6   -      CVE-2025-40929 is an integer buffer overflow vulnerability in Cpanel::JSON::XS Perl module versions
8695  CVE-2025-63005  0.04%  11.5th      6.5   -      This stored cross-site scripting (XSS) vulnerability in the WordPress Tooltips plugin allows attacke
8696  CVE-2025-60933  0.04%  11.8th      6.1   -      This CVE describes stored XSS vulnerabilities in HR Performance Solutions Performance Pro v3.19.17 t
8697  CVE-2025-68867  0.04%  11.5th      6.5   -      This DOM-based cross-site scripting (XSS) vulnerability in the Effect Maker WordPress plugin allows
8698  CVE-2025-60934  0.04%  11.8th      6.1   -      Multiple stored XSS vulnerabilities in HR Performance Solutions Performance Pro v3.19.17 allow attac
8699  CVE-2025-49358  0.04%  11.5th      6.5   -      This DOM-based Cross-Site Scripting (XSS) vulnerability in the Content Fetcher WordPress plugin allo
8700  CVE-2025-62135  0.04%  11.5th      6.5   -      This DOM-based XSS vulnerability in the Responsive Block Control WordPress plugin allows attackers t

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
