Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

164 CVEs with EPSS > 50%
156 CVEs listed in CISA KEV
35,468 CVEs with an EPSS score
0.7% average EPSS score
Rank | CVE ID | EPSS | Percentile | CVSS | Summary (truncated on the page)
8851 | CVE-2025-5282 | 0.12% | 31.5th | 7.5 | The WP Travel Engine plugin for WordPress has an unauthenticated data deletion vulnerability. Attack
8852 | CVE-2025-40593 | 0.12% | 31.5th | 6.5 | This vulnerability in Siemens SIMATIC CN 4100 allows attackers to store arbitrary files in the devic
8853 | CVE-2025-55383 | 0.12% | 31.5th | 8.6 | Moss versions before 0.15 have an unrestricted file upload vulnerability that allows attackers to up
8854 | CVE-2025-55585 | 0.12% | 31.5th | 6.5 | This CVE describes an eval injection vulnerability in TOTOLINK A3002R routers that allows attackers
8855 | CVE-2025-20225 | 0.12% | 31.5th | 5.8 | An unauthenticated remote attacker can send crafted IKEv2 packets to trigger a memory leak in affect
8856 | CVE-2025-43983 | 0.12% | 31.5th | 9.1 | KuWFi CPF908-CP5 devices running WEB5.0_LCD_20210125 firmware have unauthenticated API endpoints tha
8857 | CVE-2025-33051 | 0.12% | 31.5th | 7.5 | This vulnerability in Microsoft Exchange Server allows unauthorized attackers to access sensitive in
8858 | CVE-2025-54478 | 0.12% | 31.5th | 7.2 | The Mattermost Confluence Plugin before version 1.5.0 has an authentication bypass vulnerability tha
8859 | CVE-2025-53544 | 0.12% | 31.5th | 7.5 | CVE-2025-53544 is a brute-force protection bypass vulnerability in Trilium Notes that allows unauthe
8860 | CVE-2025-29084 | 0.12% | 31.5th | 6.5 | This SQL injection vulnerability in CSZ-CMS v1.3.0 allows remote attackers to execute arbitrary SQL
8861 | CVE-2025-54247 | 0.12% | 31.5th | 6.5 | Adobe Experience Manager versions 6.5.23.0 and earlier contain an improper input validation vulnerab
8862 | CVE-2025-10743 | 0.12% | 31.5th | 7.5 | This SQL injection vulnerability in the Outdoor WordPress plugin allows unauthenticated attackers to
8863 | CVE-2025-49708 | 0.12% | 31.5th | 9.9 | This is a use-after-free vulnerability in Microsoft Graphics Component that allows an authenticated
8864 | CVE-2025-57740 | 0.12% | 31.6th | 7.5 | A heap-based buffer overflow vulnerability in Fortinet's FortiOS, FortiPAM, and FortiProxy allows au
8865 | CVE-2025-60378 | 0.12% | 31.5th | 8.1 | Authenticated users in RISE Ultimate Project Manager & CRM can inject malicious HTML into invoices a
8866 | CVE-2025-65494 | 0.12% | 31.4th | 7.5 | A NULL pointer dereference vulnerability in OISM libcoap's certificate parsing function allows remot
8867 | CVE-2021-47830 | 0.12% | 31.5th | 6.5 | CVE-2021-47830 is a CSRF vulnerability in GetSimple CMS My SMTP Contact Plugin 1.1.1 that allows att
8868 | CVE-2025-61684 | 0.12% | 31.5th | 7.5 | Quicly, an IETF QUIC protocol implementation, contains assertion failures that allow remote attacker
8869 | CVE-2024-43763 | 0.12% | 31.4th | 6.5 | This CVE describes a logic error in Android's Bluetooth GATT server component that allows nearby att
8870 | CVE-2024-45662 | 0.12% | 31.2th | 7.5 | This vulnerability in IBM Safer Payments allows remote attackers to cause denial of service by explo
8871 | CVE-2025-0558 | 0.12% | 31.4th | 6.3 | This critical SQL injection vulnerability in TDuckCloud tduck-platform allows remote attackers to ex
8872 | CVE-2024-52594 | 0.12% | 31.3th | 4.3 | Gomatrixserverlib, a Go library for Matrix federation, is vulnerable to server-side request forgery
8873 | CVE-2025-23112 | 0.12% | 31.3th | 6.1 | A stored cross-site scripting (XSS) vulnerability in REDCap 14.9.6 allows authenticated users to inj
8874 | CVE-2024-56114 | 0.12% | 31.3th | 6.5 | CVE-2024-56114 is an improper authorization vulnerability in Canlineapp Online 1.1 that allows users
8875 | CVE-2024-51737 | 0.12% | 31.2th | 7.0 | This CVE describes an integer overflow vulnerability in RediSearch, a Redis module for querying and
8876 | CVE-2023-46632 | 0.12% | 31.4th | 7.1 | This CVE describes a Missing Authorization vulnerability in the WordPress My Shortcodes plugin that
8877 | CVE-2025-26308 | 0.12% | 31.3th | 6.5 | A memory leak vulnerability in libming's SWF file parser allows attackers to cause denial of service
8878 | CVE-2025-26306 | 0.12% | 31.3th | 6.5 | A memory leak vulnerability in libming's readSizedString function allows attackers to cause denial o
8879 | CVE-2025-0866 | 0.12% | 31.3th | 6.5 | The Legoeso PDF Manager WordPress plugin contains a time-based SQL injection vulnerability in the 'c
8880 | CVE-2024-8893 | 0.12% | 31.3th | 7.3 | The GoodWe GW1500-XS inverter contains hard-coded Wi-Fi credentials that allow anyone within physica
8881 | CVE-2025-1146 | 0.12% | 31.3th | 8.1 | A TLS certificate validation logic error in CrowdStrike Falcon Linux-based sensors could allow man-i
8882 | CVE-2025-25198 | 0.12% | 31.3th | 7.1 | This vulnerability in mailcow: dockerized allows attackers to manipulate the Host HTTP header during
8883 | CVE-2025-26343 | 0.12% | 31.2th | 8.1 | This vulnerability allows unauthenticated remote attackers to brute-force user PINs in Q-Free MaxTim
8884 | CVE-2022-40490 | 0.12% | 31.3th | 4.8 | CVE-2022-40490 is a Cross-Site Scripting (XSS) vulnerability in Tiny File Manager v2.4.7 and below t
8885 | CVE-2025-23023 | 0.12% | 31.4th | 8.2 | This vulnerability allows attackers to poison the anonymous cache in Discourse by crafting requests
8886 | CVE-2024-55948 | 0.12% | 31.4th | 8.2 | This vulnerability allows attackers to poison the anonymous cache in Discourse through crafted XHR r
8887 | CVE-2025-2682 | 0.12% | 31.3th | 7.3 | This critical SQL injection vulnerability in PHPGurukul Bank Locker Management System 1.0 allows rem
8888 | CVE-2025-2681 | 0.12% | 31.3th | 7.3 | This critical SQL injection vulnerability in PHPGurukul Bank Locker Management System 1.0 allows att
8889 | CVE-2025-2678 | 0.12% | 31.3th | 7.3 | This critical SQL injection vulnerability in PHPGurukul Bank Locker Management System 1.0 allows rem
8890 | CVE-2025-2677 | 0.12% | 31.3th | 7.3 | This critical SQL injection vulnerability in PHPGurukul Bank Locker Management System 1.0 allows att
8891 | CVE-2025-2675 | 0.12% | 31.3th | 7.3 | This critical SQL injection vulnerability in PHPGurukul Bank Locker Management System 1.0 allows att
8892 | CVE-2025-2674 | 0.12% | 31.3th | 7.3 | This critical SQL injection vulnerability in PHPGurukul Bank Locker Management System 1.0 allows att
8893 | CVE-2025-2662 | 0.12% | 31.3th | 6.3 | This critical SQL injection vulnerability in Project Worlds Online Time Table Generator 1.0 allows a
8894 | CVE-2025-2654 | 0.12% | 31.2th | 7.3 | This critical SQL injection vulnerability in SourceCodester AC Repair and Services System 1.0 allows
8895 | CVE-2025-2649 | 0.12% | 31.2th | 7.3 | This critical SQL injection vulnerability in PHPGurukul Doctor Appointment Management System 1.0 all
8896 | CVE-2025-2648 | 0.12% | 31.2th | 7.3 | This critical SQL injection vulnerability in PHPGurukul Art Gallery Management System 1.0 allows rem
8897 | CVE-2025-2647 | 0.12% | 31.2th | 7.3 | This critical SQL injection vulnerability in PHPGurukul Art Gallery Management System 1.0 allows att
8898 | CVE-2024-12761 | 0.12% | 31.2th | 7.5 | A Denial of Service vulnerability in the brycedrennan/imaginairy repository allows attackers to cras
8899 | CVE-2024-11043 | 0.12% | 31.2th | 7.5 | A Denial of Service vulnerability in InvokeAI allows attackers to crash the web interface by sending
8900 | CVE-2025-2472 | 0.12% | 31.3th | 7.3 | This critical SQL injection vulnerability in PHPGurukul Apartment Visitors Management System 1.0 all

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by the EPSS special interest group at FIRST.org. It estimates the probability that a CVE will be exploited in the wild within the next 30 days, and the scores are recomputed daily as new exploitation data arrives. Unlike CVSS, which measures the severity of a vulnerability if it is exploited, EPSS measures the likelihood that it will be exploited, which makes it a better signal for deciding which vulnerabilities to patch first. The percentile column in the table above is the share of all scored CVEs whose EPSS score is at or below that CVE's score, so a 31.5th percentile entry scores higher than roughly a third of the scored population.

Why EPSS matters: with thousands of CVEs published every month, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited instead of patching solely by CVSS score. A CVSS 9.8 critical with an EPSS of 0.1% may be less urgent than a CVSS 7.5 high with an EPSS of 90%. Two caveats apply in practice: a CVE already on the CISA KEV list is known to be exploited and should be treated as more urgent than any prediction, and EPSS models exploitation activity across the internet as a whole, not exposure in your environment, so asset reachability and compensating controls still have to be weighed alongside the score.
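The triage rule described above, carried into working code as an added example (this is not code from the page or from FIRST, and it is not FIRST's reference implementation). It parses scores in the JSON shape the FIRST EPSS API (api.first.org/data/v1/epss) returns, where "epss" and "percentile" arrive as decimal strings between 0 and 1 rather than the percentages shown on this page, joins them with CVSS base scores and a KEV list, and sorts KEV entries first, then by EPSS descending, with CVSS only as a tiebreaker. The CVE IDs, scores, CVSS values and KEV membership below are all constructed for the demonstration and are not real data.

```python
"""Rank findings by exploit likelihood (EPSS) rather than severity (CVSS).

Added example, not the page's or FIRST's code. All inputs are constructed.
"""
from dataclasses import dataclass
import json

# Constructed sample modelled on the JSON shape returned by
# https://api.first.org/data/v1/epss?cve=...  "epss" and "percentile" are
# decimal strings in 0..1. The CVE IDs and values are made up.
EPSS_API_SAMPLE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-2024-0001", "epss": "0.001000000", "percentile": "0.315000000"},
        {"cve": "CVE-2024-0002", "epss": "0.900000000", "percentile": "0.998000000"},
        {"cve": "CVE-2024-0003", "epss": "0.125000000", "percentile": "0.950000000"},
        {"cve": "CVE-2024-0004", "epss": "0.450000000", "percentile": "0.990000000"},
    ],
})

# Constructed CVSS base scores and a constructed KEV list for the same CVEs.
CVSS_SAMPLE = {
    "CVE-2024-0001": 9.8,  # critical severity, almost never exploited
    "CVE-2024-0002": 7.5,  # high severity, very likely to be exploited
    "CVE-2024-0003": 6.5,  # medium severity, but already on the KEV list
    "CVE-2024-0004": 7.5,
}
KEV_SAMPLE = {"CVE-2024-0003"}


@dataclass(frozen=True)
class Finding:
    cve: str
    epss: float        # probability of exploitation in the next 30 days, 0..1
    percentile: float  # share of scored CVEs with an EPSS score <= this one
    cvss: float
    in_kev: bool


def parse_epss_response(raw_json: str) -> dict[str, tuple[float, float]]:
    """Return {cve: (epss, percentile)} from an EPSS-API-style payload."""
    payload = json.loads(raw_json)
    if payload.get("status") != "OK":
        raise ValueError(f"EPSS lookup failed: {payload.get('status')!r}")
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in payload["data"]}


def build_findings(epss_json: str, cvss: dict[str, float],
                   kev: set[str]) -> list[Finding]:
    """Join EPSS scores, CVSS base scores and KEV membership per CVE."""
    scores = parse_epss_response(epss_json)
    findings = []
    for cve, base in cvss.items():
        # A CVE can be missing from EPSS (e.g. reserved or very new); score it
        # as 0 so it stays visible at the bottom instead of being dropped.
        epss, pct = scores.get(cve, (0.0, 0.0))
        findings.append(Finding(cve, epss, pct, base, cve in kev))
    return findings


def prioritize(findings: list[Finding]) -> list[Finding]:
    """KEV first (exploitation observed, not predicted), then EPSS
    descending, with CVSS used only to break ties."""
    return sorted(findings, key=lambda f: (f.in_kev, f.epss, f.cvss), reverse=True)


def by_severity(findings: list[Finding]) -> list[Finding]:
    """The CVSS-only ordering the page argues against, kept for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def summarize(findings: list[Finding], threshold: float = 0.5) -> dict[str, float]:
    """The same headline figures as the page: count above a threshold,
    KEV-listed count and mean EPSS."""
    n = len(findings)
    return {
        "above_threshold": sum(f.epss > threshold for f in findings),
        "kev_listed": sum(f.in_kev for f in findings),
        "avg_epss": round(sum(f.epss for f in findings) / n, 4) if n else 0.0,
    }


def fmt(f: Finding) -> str:
    flag = "KEV" if f.in_kev else ""
    return (f"{f.cve:<16} EPSS {f.epss:6.2%}  "
            f"{f.percentile * 100:5.1f}th pct  CVSS {f.cvss:3.1f}  {flag}")


if __name__ == "__main__":
    found = build_findings(EPSS_API_SAMPLE, CVSS_SAMPLE, KEV_SAMPLE)
    print("By CVSS severity:")
    for f in by_severity(found):
        print("  " + fmt(f))
    print("By exploit risk (KEV, then EPSS):")
    for f in prioritize(found):
        print("  " + fmt(f))
    print(summarize(found))
```

Run as a script and the two listings show the point of the section: the CVSS 9.8 entry heads the severity ordering but lands last in the exploit-risk ordering, while the KEV-listed medium moves to the top regardless of its EPSS value. Swapping EPSS_API_SAMPLE for a live response and CVSS_SAMPLE for scanner output is the only change needed to use it on real data.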
