Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

164 CVEs with EPSS > 50%
156 CVEs listed in the CISA KEV catalog
35,468 CVEs with an EPSS score
0.7% average EPSS score

Ranks 8801 to 8850 of the ranked list (summaries are truncated as on the source page):
Rank | CVE ID | EPSS Score | Percentile | CVSS | Summary
8801 | CVE-2025-68388 | 0.12% | 31.7th | 5.3 | This vulnerability in Packetbeat allows unauthenticated remote attackers to send malicious IPv4 frag
8802 | CVE-2025-9207 | 0.12% | 31.6th | 5.3 | The TI WooCommerce Wishlist plugin for WordPress is vulnerable to HTML injection, allowing unauthent
8803 | CVE-2025-13214 | 0.12% | 31.6th | 7.6 | CVE-2025-13214 is a SQL injection vulnerability in IBM Aspera Orchestrator that allows remote attack
8804 | CVE-2025-9014 | 0.12% | 31.6th | 7.5 | A remote, unauthenticated attacker can exploit a null pointer dereference vulnerability in the TP-Li
8805 | CVE-2026-22699 | 0.12% | 31.6th | 7.5 | This vulnerability in RustCrypto's elliptic-curves library allows attackers to cause denial-of-servi
8806 | CVE-2025-69425 | 0.12% | 31.6th | N/A | This vulnerability allows attackers to execute arbitrary operating system commands with root privile
8807 | CVE-2025-52872 | 0.12% | 31.7th | 8.1 | A buffer overflow vulnerability in QNAP operating systems allows authenticated remote attackers to m
8808 | CVE-2025-52864 | 0.12% | 31.7th | 8.1 | A buffer overflow vulnerability in QNAP operating systems allows authenticated remote attackers to m
8809 | CVE-2025-52863 | 0.12% | 31.7th | 8.1 | A buffer overflow vulnerability in QNAP operating systems allows authenticated remote attackers to m
8810 | CVE-2025-13379 | 0.12% | 31.7th | 8.6 | CVE-2025-13379 is a SQL injection vulnerability in IBM Aspera Console versions 3.4.0 through 3.4.8 t
8811 | CVE-2026-0617 | 0.12% | 31.6th | 7.2 | This stored XSS vulnerability in the LatePoint WordPress plugin allows unauthenticated attackers to
8812 | CVE-2025-24733 | 0.12% | 31.5th | 6.5 | This CVE describes a PHP Local File Inclusion vulnerability in the Post Grid Master WordPress plugin
8813 | CVE-2025-24672 | 0.12% | 31.6th | 8.5 | This SQL injection vulnerability in the Form Builder CP WordPress plugin allows attackers to execute
8814 | CVE-2025-24669 | 0.12% | 31.6th | 8.5 | This SQL injection vulnerability in the SERPed.net WordPress plugin allows attackers to execute arbi
8815 | CVE-2025-23910 | 0.12% | 31.6th | 8.5 | This SQL injection vulnerability in the WordPress Menus Plus+ plugin allows attackers to execute arb
8816 | CVE-2025-23913 | 0.12% | 31.6th | 8.5 | This SQL injection vulnerability in the WordPress Google Map Professional plugin allows attackers to
8817 | CVE-2025-23912 | 0.12% | 31.6th | 8.5 | This SQL injection vulnerability in the WordPress Custom Sidebar plugin allows attackers to execute
8818 | CVE-2025-22799 | 0.12% | 31.6th | 8.5 | This SQL injection vulnerability in Vertim Coders Neon Product Designer for WooCommerce allows attac
8819 | CVE-2025-21278 | 0.12% | 31.5th | 6.2 | This vulnerability in Windows Remote Desktop Gateway allows attackers to cause a denial of service b
8820 | CVE-2024-13171 | 0.12% | 31.5th | 7.8 | This vulnerability allows remote unauthenticated attackers to execute arbitrary code on Ivanti Endpo
8821 | CVE-2024-13247 | 0.12% | 31.6th | 4.8 | This vulnerability allows attackers to inject malicious scripts into web pages generated by Drupal C
8822 | CVE-2025-22537 | 0.12% | 31.6th | 8.5 | This SQL injection vulnerability in the Google Maps Travel Route WordPress plugin allows attackers t
8823 | CVE-2025-22535 | 0.12% | 31.6th | 8.5 | This SQL injection vulnerability in the WPListCal WordPress plugin allows attackers to execute arbit
8824 | CVE-2025-22519 | 0.12% | 31.6th | 8.5 | This SQL injection vulnerability in eDoc Intelligence LLC's eDoc Easy Tables WordPress plugin allows
8825 | CVE-2025-22348 | 0.12% | 31.6th | 8.5 | This SQL injection vulnerability in the DynamicTags WordPress plugin allows attackers to execute arb
8826 | CVE-2025-21612 | 0.12% | 31.5th | 8.6 | This is a cross-site scripting (XSS) vulnerability in the TabberNeue MediaWiki extension that allows
8827 | CVE-2024-20148 | 0.12% | 31.5th | 9.8 | This vulnerability allows remote attackers to execute arbitrary code on affected devices via Wi-Fi w
8828 | CVE-2024-39623 | 0.12% | 31.5th | 8.8 | A Cross-Site Request Forgery (CSRF) vulnerability in the ListingPro WordPress theme allows attackers
8829 | CVE-2025-26915 | 0.12% | 31.6th | 8.5 | This SQL injection vulnerability in the PickPlugins Wishlist WordPress plugin allows attackers to ex
8830 | CVE-2025-27312 | 0.12% | 31.6th | 8.5 | This SQL injection vulnerability in the Jenst WP Sitemap WordPress plugin allows attackers to execut
8831 | CVE-2025-22639 | 0.12% | 31.6th | 8.5 | This SQL injection vulnerability in the Distance Rate Shipping for WooCommerce plugin allows attacke
8832 | CVE-2025-26520 | 0.12% | 31.4th | 7.6 | CVE-2025-26520 is an SQL injection vulnerability in Cacti's host_templates.php file via the graph_te
8833 | CVE-2025-25151 | 0.12% | 31.6th | 8.5 | This SQL injection vulnerability in the uListing WordPress plugin allows attackers to execute arbitr
8834 | CVE-2025-24648 | 0.12% | 31.5th | 7.5 | This vulnerability allows attackers to escalate privileges in WordPress sites using the Admin and Si
8835 | CVE-2024-43333 | 0.12% | 31.5th | 7.5 | This CVE describes a privilege escalation vulnerability in the Admin and Site Enhancements (ASE) Pro
8836 | CVE-2025-28939 | 0.12% | 31.6th | 8.5 | This SQL injection vulnerability in the WP Google Calendar Manager WordPress plugin allows attackers
8837 | CVE-2025-27281 | 0.12% | 31.6th | 8.5 | This SQL injection vulnerability in the All In Menu WordPress plugin allows attackers to execute arb
8838 | CVE-2025-26976 | 0.12% | 31.6th | 8.5 | This SQL injection vulnerability in the PrivateContent WordPress plugin allows attackers to execute
8839 | CVE-2024-11216 | 0.12% | 31.5th | 7.6 | This vulnerability in PozitifIK Pik Online allows attackers to bypass authorization controls and acc
8840 | CVE-2025-27263 | 0.12% | 31.6th | 8.5 | This SQL injection vulnerability in the Doctor Appointment Booking WordPress plugin allows attackers
8841 | CVE-2025-46338 | 0.12% | 31.5th | 6.1 | Audiobookshelf versions before 2.21.0 contain a reflected cross-site scripting (XSS) vulnerability i
8842 | CVE-2025-3845 | 0.12% | 31.4th | 7.3 | A critical buffer overflow vulnerability in markparticle WebServer up to version 1.0 allows remote a
8843 | CVE-2025-1456 | 0.12% | 31.5th | 6.4 | This stored XSS vulnerability in the Royal Elementor Addons WordPress plugin allows authenticated at
8844 | CVE-2025-31726 | 0.12% | 31.5th | 5.5 | The Jenkins Stack Hammer Plugin 1.0.6 and earlier stores API keys unencrypted in job configuration f
8845 | CVE-2025-4268 | 0.12% | 31.5th | 5.3 | This vulnerability allows unauthenticated remote attackers to reboot TOTOLINK A720R routers by acces
8846 | CVE-2025-5813 | 0.12% | 31.5th | 5.3 | The Amazon Products to WooCommerce WordPress plugin has an authentication bypass vulnerability that
8847 | CVE-2025-6282 | 0.12% | 31.5th | 5.5 | This critical path traversal vulnerability in OpenAgents allows attackers to access arbitrary files
8848 | CVE-2025-6280 | 0.12% | 31.5th | 5.5 | This critical vulnerability in TransformerOptimus SuperAGI allows attackers to perform path traversa
8849 | CVE-2025-6278 | 0.12% | 31.5th | 5.5 | This critical vulnerability in Upsonic allows attackers to perform path traversal attacks by manipul
8850 | CVE-2025-28388 | 0.12% | 31.5th | 9.8 | OpenC3 COSMOS versions before v6.0.2 contain hardcoded credentials for a Service Account, allowing a

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by FIRST.org that estimates the probability that exploitation activity against a CVE will be observed in the wild within the next 30 days. Scores are recomputed daily, so a CVE's EPSS can move as new exploitation evidence arrives. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, which makes it a better input for deciding which vulnerabilities to patch first. The percentile shown alongside each score is relative: a 31.6th percentile means roughly 31.6% of all scored CVEs have an equal or lower EPSS score, so the CVEs on this page sit in the lower third of the scored population.

Why EPSS matters: with thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS. EPSS says nothing about impact or about whether the vulnerable component is reachable in your environment, so it works best combined with CVSS, the CISA KEV catalog (which records confirmed exploitation regardless of EPSS score) and knowledge of asset exposure. A CVE that is not yet scored, typically because it is very new, should not be treated as low risk.
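The prioritization rule described above, carried into code as an added example (this is not code from this page or from FIRST): it parses a constructed CSV in the shape of FIRST's daily EPSS export (a leading comment line, then cve,epss,percentile rows), joins it with a constructed scanner inventory that carries CVSS and KEV status, and ranks findings KEV first, then EPSS above a threshold, then CVSS. The CVE identifiers, the scores, the 10% threshold and the tiering policy are illustrative assumptions, not published data or a recommended policy. A CVE missing from the EPSS feed is kept in the queue rather than dropped.

```python
"""Rank scanner findings by exploit likelihood (EPSS) rather than CVSS alone.

Added example, not code from the page. The CSV below is constructed for this
demonstration and follows the assumed layout of FIRST's daily EPSS export:
a leading '#' comment line, then cve,epss,percentile. The CVE ids and scores
are illustrative, not real EPSS values.
"""
import csv

# Constructed sample EPSS export (assumption about the file layout).
EPSS_CSV = """#model_version:v2025.03.14,score_date:2025-01-01T00:00:00+0000
cve,epss,percentile
CVE-2000-0001,0.00100,0.30000
CVE-2000-0002,0.90000,0.99900
CVE-2000-0003,0.00120,0.31600
CVE-2000-0004,0.60000,0.99000
"""

# Constructed scanner inventory: CVSS base score and CISA KEV membership.
INVENTORY = [
    {"cve": "CVE-2000-0001", "cvss": 9.8, "kev": False},  # critical, rarely exploited
    {"cve": "CVE-2000-0002", "cvss": 7.5, "kev": False},  # high, heavily exploited
    {"cve": "CVE-2000-0003", "cvss": 5.3, "kev": False},  # medium, low EPSS
    {"cve": "CVE-2000-0004", "cvss": 6.5, "kev": True},   # on CISA KEV
    {"cve": "CVE-2000-0005", "cvss": 9.1, "kev": False},  # not yet scored by EPSS
]


def parse_epss_csv(text):
    """Return {cve: (epss, percentile)} from a FIRST-style EPSS export.

    Comment lines starting with '#' are skipped; values are stored as floats
    in [0, 1], matching the raw file rather than the percentage shown on
    ranking pages.
    """
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    reader = csv.DictReader(rows)
    return {r["cve"]: (float(r["epss"]), float(r["percentile"])) for r in reader}


def priority(cvss, epss, kev, epss_threshold=0.10):
    """Map one finding to a patch tier; 0 is most urgent.

    Policy (an assumption for this example): confirmed exploitation (KEV)
    beats everything; then any CVE whose EPSS is at or above the threshold;
    then unscored or low-EPSS criticals; then the rest.
    """
    if kev:
        return 0
    if epss is not None and epss >= epss_threshold:
        return 1
    if cvss >= 9.0:
        return 2
    return 3


def rank_findings(inventory, epss_scores):
    """Join inventory with EPSS data and sort by tier, then EPSS, then CVSS.

    A CVE absent from the EPSS feed keeps epss=None and is ordered as if its
    score were 0 within its tier, but it is never discarded.
    """
    enriched = []
    for finding in inventory:
        epss, pct = epss_scores.get(finding["cve"], (None, None))
        tier = priority(finding["cvss"], epss, finding["kev"])
        enriched.append({**finding, "epss": epss, "percentile": pct, "tier": tier})
    enriched.sort(key=lambda r: (r["tier"], -(r["epss"] or 0.0), -r["cvss"]))
    return enriched


if __name__ == "__main__":
    for row in rank_findings(INVENTORY, parse_epss_csv(EPSS_CSV)):
        epss_txt = "unscored" if row["epss"] is None else f"{row['epss']:.2%}"
        print(f"tier {row['tier']}  {row['cve']}  CVSS {row['cvss']}  EPSS {epss_txt}")
```

Run as a script it prints the queue; the CVSS 7.5 finding with 90% EPSS lands above the CVSS 9.8 finding with 0.1% EPSS, which is the point of the paragraph above. Swap the constructed CSV for the real daily export and the inventory for your scanner output, and revisit the threshold against your own patch capacity rather than adopting the 10% used here.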

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
