Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 8751 | CVE-2025-24606 | | 31.6th | 6.4 | | This CVE describes a missing authorization vulnerability in the Sprout Invoices WordPress plugin tha |
| 8752 | CVE-2025-23849 | | 31.6th | 5.4 | | CVE-2025-23849 is a missing authorization vulnerability in the PAPERCITE WordPress plugin that allow |
| 8753 | CVE-2025-24571 | | 31.6th | 5.4 | | This CVE describes a missing authorization vulnerability in the WP Fast Total Search WordPress plugi |
| 8754 | CVE-2023-37777 | | 31.6th | 9.8 | | A critical SQL injection vulnerability in Synnefo Internet Management Software (IMS) allows attacker |
| 8755 | CVE-2024-13176 | | 31.7th | 4.1 | | A timing side-channel vulnerability in ECDSA signature computations could allow an attacker to recov |
| 8756 | CVE-2025-23916 | | 31.6th | 5.4 | | This CVE describes a Missing Authorization vulnerability in the WP Meetup WordPress plugin that allo |
| 8757 | CVE-2025-22541 | | 31.6th | 5.4 | | This CVE describes a Missing Authorization vulnerability in the WP Delete Post Copies WordPress plug |
| 8758 | CVE-2025-22534 | | 31.6th | 5.4 | | This CVE describes a missing authorization vulnerability in the Ella van Durpe Slides & Presentation |
| 8759 | CVE-2024-9138 | | 31.7th | 7.2 | | CVE-2024-9138 is a privilege escalation vulnerability in Moxa cellular routers, secure routers, and |
| 8760 | CVE-2024-56253 | | 31.6th | 5.4 | | This CVE describes a Missing Authorization vulnerability in the Data Tables Generator by Supsystic W |
| 8761 | CVE-2024-56069 | | 31.7th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into WP SuperBackup WordPress plugin |
| 8762 | CVE-2024-56060 | | 31.7th | 7.1 | | This vulnerability allows attackers to inject malicious scripts into HTML Forms plugin pages, which |
| 8763 | CVE-2024-56037 | | 31.7th | 7.1 | | This reflected cross-site scripting (XSS) vulnerability in the User Referral WordPress plugin allows |
| 8764 | CVE-2025-1751 | | 31.7th | 9.8 | | A SQL injection vulnerability in Ciges 2.15.5 allows attackers to manipulate database operations thr |
| 8765 | CVE-2025-26995 | | 31.6th | 5.4 | | CVE-2025-26995 is a missing authorization vulnerability in the Market Exporter WordPress plugin that |
| 8766 | CVE-2025-27356 | | 31.6th | 5.4 | | This CVE describes a missing authorization vulnerability in the WordPress Sticky Header On Scroll pl |
| 8767 | CVE-2026-1988 | | 31.6th | 7.5 | | This vulnerability allows authenticated WordPress users with Contributor-level access or higher to p |
| 8768 | CVE-2025-25110 | | 31.6th | 5.4 | | This CVE describes a missing authorization vulnerability in the Metagauss Event Kikfyre WordPress pl |
| 8769 | CVE-2025-22696 | | 31.6th | 5.4 | | This CVE describes a missing authorization vulnerability in the WordPress EmbedPress Document Block |
| 8770 | CVE-2025-1558 | | 31.7th | 6.5 | | Mattermost Mobile Apps versions up to 2.25.0 contain a GIF validation vulnerability that allows atta |
| 8771 | CVE-2024-12376 | | 31.6th | 7.5 | | A Server-Side Request Forgery (SSRF) vulnerability in lm-sys/fastchat web server allows attackers to |
| 8772 | CVE-2025-1057 | | 31.7th | 4.3 | | A type compatibility issue in Keylime versions 7.12.0 prevents the registrar from reading agent regi |
| 8773 | CVE-2025-28938 | | 31.6th | 4.3 | | This CVE describes a missing authorization vulnerability in the WP Performance Pack WordPress plugin |
| 8774 | CVE-2025-24521 | | 31.6th | 4.9 | | This CVE describes an XML External Entity (XXE) injection vulnerability that allows attackers to rea |
| 8775 | CVE-2025-1306 | | 31.7th | 8.8 | | This CSRF vulnerability in the Newscrunch WordPress theme allows unauthenticated attackers to upload |
| 8776 | CVE-2025-46417 | | 31.6th | 7.5 | | This vulnerability in Picklescan versions before 0.0.25 allows data exfiltration via DNS requests af |
| 8777 | CVE-2025-1704 | | 31.7th | 6.5 | | This vulnerability in ChromeOS ComponentInstaller allows enrolled users with physical access to unen |
| 8778 | CVE-2025-1275 | | 31.6th | 7.8 | | A heap-based buffer overflow vulnerability in Autodesk applications allows attackers to execute arbi |
| 8779 | CVE-2025-3276 | | 31.6th | 6.4 | | This stored XSS vulnerability in the SKT Blocks WordPress plugin allows authenticated attackers with |
| 8780 | CVE-2024-9416 | | 31.6th | 6.4 | | The Modula Image Gallery WordPress plugin (versions ≤5.0.36) contains a stored cross-site scriptin |
| 8781 | CVE-2025-3943 | | 31.7th | 4.1 | | This vulnerability in Tridium Niagara Framework and Enterprise Security allows attackers to inject p |
| 8782 | CVE-2025-6916 | | 31.6th | 8.8 | | This critical vulnerability in TOTOLINK T6 routers allows attackers to bypass authentication on the |
| 8783 | CVE-2023-28911 | | 31.7th | 6.5 | | This vulnerability in the Bluetooth stack of MIB3 infotainment systems allows attackers to disconnec |
| 8784 | CVE-2024-57189 | | 31.6th | 5.4 | | This vulnerability allows authenticated attackers to write arbitrary files on the system via path tr |
| 8785 | CVE-2025-50494 | | 31.7th | 7.5 | | This vulnerability allows attackers to hijack user sessions in PHPGurukul Car Washing Management Sys |
| 8786 | CVE-2025-54379 | | 31.6th | 9.8 | | CVE-2025-54379 is a critical SQL injection vulnerability in LF Edge eKuiper's getLast API that allow |
| 8787 | CVE-2025-53508 | | 31.6th | 7.2 | | This CVE describes an OS command injection vulnerability in multiple products from iND Co.,Ltd. Atta |
| 8788 | CVE-2025-55195 | | 31.6th | 7.3 | | This CVE describes a prototype pollution vulnerability in the @std/toml Deno Standard Library. Attac |
| 8789 | CVE-2025-59954 | | 31.6th | 9.8 | | This vulnerability allows remote attackers to execute arbitrary code on Knowage servers by exploitin |
| 8790 | CVE-2025-10858 | | 31.6th | 7.5 | | This vulnerability allows unauthenticated attackers to cause a Denial of Service (DoS) condition in |
| 8791 | CVE-2025-10501 | | 31.7th | 8.8 | | A use-after-free vulnerability in WebRTC in Google Chrome allows remote attackers to potentially exp |
| 8792 | CVE-2025-59041 | | 31.6th | 9.8 | | CVE-2025-59041 is a critical remote code execution vulnerability in Claude Code where malicious git |
| 8793 | CVE-2025-10916 | | 31.6th | 9.1 | | The FormGent WordPress plugin before version 1.0.4 contains an arbitrary file deletion vulnerability |
| 8794 | CVE-2025-58132 | | 31.6th | 4.1 | | This CVE describes a command injection vulnerability in Zoom Clients for Windows that allows authent |
| 8795 | CVE-2025-59454 | | 31.7th | 4.3 | | This CVE describes an information disclosure vulnerability in Apache CloudStack where authorized use |
| 8796 | CVE-2025-65495 | | 31.7th | 7.5 | | A signedness error in libcoap's TLS certificate verification allows remote attackers to cause denial |
| 8797 | CVE-2025-37161 | | 31.6th | 7.5 | | An unauthenticated remote denial-of-service vulnerability in HPE web management interfaces allows at |
| 8798 | CVE-2025-13165 | | 31.6th | 7.5 | | EasyFlow GP developed by Digiwin has an unauthenticated remote denial-of-service vulnerability. Atta |
| 8799 | CVE-2025-14546 | | 31.6th | 6.3 | | This CSRF vulnerability in fastapi-sso allows attackers to link their OAuth accounts to victims' int |
| 8800 | CVE-2025-67845 | | 31.6th | 6.4 | | A directory traversal vulnerability in Mintlify Platform's static asset proxy endpoint allows attack |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.