Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics
  CVEs with EPSS > 50%: 164
  CISA KEV listed: 156
  CVEs with an EPSS score: 35,468
  Average EPSS score: 0.7%
Ranks 8901-8950. Every CVE on this page has an EPSS score of 0.12%, which places it around the 31st percentile of all scored CVEs; CVSS N/A means no CVSS score is available.

Rank  CVE ID          EPSS   Pctl  CVSS  Summary (truncated)
8901  CVE-2025-2387   0.12%  31.3  7.3   This critical SQL injection vulnerability in SourceCodester Online Food Ordering System 2.0 allows r
8902  CVE-2025-2386   0.12%  31.3  7.3   This critical SQL injection vulnerability in PHPGurukul Local Services Search Engine Management Syst
8903  CVE-2025-2385   0.12%  31.3  7.3   CVE-2025-2385 is a critical SQL injection vulnerability in Modern Bag 1.0's login.php file that allo
8904  CVE-2025-2379   0.12%  31.3  7.3   This critical SQL injection vulnerability in PHPGurukul Apartment Visitors Management System 1.0 all
8905  CVE-2025-2362   0.12%  31.3  7.3   This critical SQL injection vulnerability in PHPGurukul Pre-School Enrollment System 1.0 allows atta
8906  CVE-2025-26961  0.12%  31.3  8.6   CVE-2025-26961 is an unauthenticated broken access control vulnerability in the Fresh Framework Word
8907  CVE-2024-13924  0.12%  31.4  5.3   The Starter Templates by FancyWP WordPress plugin has a blind SSRF vulnerability that allows unauthe
8908  CVE-2025-1954   0.12%  31.3  7.3   This critical SQL injection vulnerability in PHPGurukul Human Metapneumovirus Testing Management Sys
8909  CVE-2025-1723   0.12%  31.3  8.1   ManageEngine ADSelfService Plus versions 6510 and below have a session handling vulnerability that a
8910  CVE-2025-31651  0.12%  31.3  9.8   This vulnerability in Apache Tomcat allows attackers to bypass security constraints by crafting requ
8911  CVE-2024-31397  0.12%  31.3  4.9   An improper handling of extra values vulnerability in Cybozu Garoon allows authenticated administrat
8912  CVE-2025-3619   0.12%  31.3  8.8   A critical heap buffer overflow vulnerability in Google Chrome's codec processing allows remote atta
8913  CVE-2025-47889  0.12%  31.2  9.8   The Jenkins WSO2 Oauth Plugin 1.0 and earlier contains an authentication bypass vulnerability where
8914  CVE-2025-22247  0.12%  31.2  6.1   CVE-2025-22247 is an insecure file handling vulnerability in VMware Tools that allows non-administra
8915  CVE-2025-45845  0.12%  31.3  8.8   This vulnerability allows authenticated attackers to execute arbitrary code on TOTOLINK NR1800X rout
8916  CVE-2025-45843  0.12%  31.3  8.8   This vulnerability allows authenticated attackers to execute arbitrary code on TOTOLINK NR1800X rout
8917  CVE-2014-0468   0.12%  31.2  9.8   This vulnerability in FusionForge's Apache configuration allows remote code execution by enabling at
8918  CVE-2025-49847  0.12%  31.3  8.8   A buffer overflow vulnerability in llama.cpp's vocabulary loading code allows attackers to trigger a
8919  CVE-2025-31700  0.12%  31.3  8.1   A buffer overflow vulnerability in Dahua products allows attackers to send specially crafted packets
8920  CVE-2025-41665  0.12%  31.4  6.5   An attacker with low-privileged remote access can trigger a watchdog reboot on affected PLC devices
8921  CVE-2025-7050   0.12%  31.4  7.2   The Use-your-Drive WordPress plugin has a stored XSS vulnerability in the 'title' parameter of file
8922  CVE-2025-51502  0.12%  31.2  6.1   This vulnerability allows attackers to inject malicious JavaScript via the layout parameter on the a
8923  CVE-2025-11042  0.12%  31.3  4.3   This vulnerability in GitLab allows attackers to execute specific GraphQL queries that cause uncontr
8924  CVE-2025-46290  0.12%  31.3  7.5   A logic vulnerability in macOS allows remote attackers to cause denial-of-service conditions. This a
8925  CVE-2025-12250  0.12%  31.4  4.7   CVE-2025-12250 is a path traversal vulnerability in OpenWGA 7.11.12 Build 737 that allows attackers
8926  CVE-2025-12044  0.12%  31.3  7.5   Vault and Vault Enterprise are vulnerable to unauthenticated denial of service attacks when processi
8927  CVE-2025-54266  0.12%  31.3  4.8   A stored cross-site scripting (XSS) vulnerability in Adobe Commerce allows high-privileged attackers
8928  CVE-2025-8682   0.12%  31.2  4.3   The Newsup WordPress theme has a vulnerability that allows unauthenticated attackers to install the
8929  CVE-2025-52425  0.12%  31.3  9.8   An SQL injection vulnerability in QuMagie allows remote attackers to execute arbitrary SQL commands.
8930  CVE-2025-68475  0.12%  31.3  7.5   This CVE describes a Regular Expression Denial of Service (ReDoS) vulnerability in Fedify's document
8931  CVE-2025-15016  0.12%  31.3  9.8   Enterprise Cloud Database by Ragic contains a hard-coded cryptographic key vulnerability that allows
8932  CVE-2025-43428  0.12%  31.4  9.8   This CVE describes an authentication bypass vulnerability in Apple's Photos app where unauthorized u
8933  CVE-2025-14521  0.12%  31.2  4.3   This CVE describes a path traversal vulnerability in baowzh hfly's admin interface that allows attac
8934  CVE-2025-12029  0.12%  31.3  8.0   This vulnerability allows unauthenticated attackers to inject malicious scripts into GitLab's Swagge
8935  CVE-2025-64111  0.12%  31.3  9.8   This vulnerability allows attackers to modify files in the .git directory of Gogs installations, pot
8936  CVE-2026-0629   0.12%  31.3  N/A   This authentication bypass vulnerability in VIGI camera models allows attackers on the same local ne
8937  CVE-2025-65552  0.12%  31.3  9.8   The D3D Wi-Fi Home Security System ZX-G12 v2.1.1 is vulnerable to RF replay attacks on its 433 MHz s
8938  CVE-2025-61548  0.12%  31.4  9.8   This SQL injection vulnerability in Print Shop Pro WebDesk allows remote attackers to execute arbitr
8939  CVE-2025-68456  0.12%  31.3  9.1   Unauthenticated attackers can trigger database backup operations in vulnerable Craft CMS versions, p
8940  CVE-2026-24936  0.12%  31.4  9.8   An unauthenticated remote attacker can write arbitrary data to any file on Asustor ADM systems when
8941  CVE-2026-25134  0.12%  31.3  8.8   This vulnerability allows remote code execution in Group-Office by exploiting improper input validat
8942  CVE-2025-0745   0.12%  31.1  7.5   An Improper Access Control vulnerability in EmbedAI 2.1 and earlier allows authenticated attackers t
8943  CVE-2024-52329  0.12%  31.1  7.4   The ECOVACS HOME mobile app plugins for specific robot vacuum models fail to properly validate TLS c
8944  CVE-2024-11147  0.12%  31.2  7.6   ECOVACS robot lawnmowers and vacuums have a predictable root password generated from model and seria
8945  CVE-2025-22716  0.12%  31.1  8.5   This SQL injection vulnerability in the Taskbuilder WordPress plugin allows attackers to execute arb
8946  CVE-2024-13257  0.12%  31.2  5.3   This CVE describes an incorrect authorization vulnerability in Drupal Commerce View Receipt that all
8947  CVE-2024-13256  0.12%  31.1  7.5   This vulnerability in Drupal's Email Contact module allows attackers to bypass access controls throu
8948  CVE-2024-12918  0.12%  31.1  8.8   This SQL injection vulnerability in Agito Computer Health4All allows attackers to execute arbitrary
8949  CVE-2024-12916  0.12%  31.1  8.8   This SQL injection vulnerability in Agito Computer Life4All allows attackers to execute arbitrary SQ
8950  CVE-2025-25510  0.12%  31.2  6.5   A buffer overflow vulnerability in Tenda AC8 routers allows attackers to execute arbitrary code or c

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, so it is well suited to deciding which vulnerabilities to patch first. The percentile reported alongside the score ranks a CVE against every other scored CVE: a 31st-percentile CVE is more likely to be exploited than 31% of all CVEs that have an EPSS score.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS. EPSS scores are recomputed daily and say nothing about whether a particular asset is reachable or what compensating controls are in place, so they belong alongside CISA KEV membership and your own exposure data rather than replacing them.
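One way to turn the rule of thumb above into a triage order, as an added example that is not part of this page or of FIRST.org's tooling. The sample API reply is constructed to mirror the shape of the public FIRST EPSS API (https://api.first.org/data/v1/epss?cve=...), which returns `epss` and `percentile` as decimal strings in [0, 1]; CVSS scores and CISA KEV membership are assumed to come from your own scanner or inventory, the `EXAMPLE-*` identifiers are placeholders rather than real CVE IDs, the KEV flag on one of them is an assumption for the demo, and the 10% "patch now" threshold is a policy choice, not a FIRST recommendation.

```python
"""Rank findings by exploit likelihood (EPSS) rather than by CVSS alone.

Added illustration; not code from FIRST.org or any scanner vendor.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from urllib.parse import urlencode
from urllib.request import urlopen

# Constructed sample reply in the shape of the FIRST EPSS API. CVE-2025-31651
# and CVE-2025-3619 carry the values shown in the table above (0.12%, ~31st
# percentile); the EXAMPLE-* rows are placeholders mirroring the CVSS 9.8 /
# 0.1% versus CVSS 7.5 / 90% comparison in the text. Dates are made up.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-2025-31651",    "epss": "0.00120", "percentile": "0.31300", "date": "2025-01-01"},
        {"cve": "CVE-2025-3619",     "epss": "0.00120", "percentile": "0.31300", "date": "2025-01-01"},
        {"cve": "EXAMPLE-HIGH-EPSS", "epss": "0.90000", "percentile": "0.99900", "date": "2025-01-01"},
        {"cve": "EXAMPLE-KEV",       "epss": "0.02000", "percentile": "0.88000", "date": "2025-01-01"},
    ],
})


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float | None      # None when no CVSS score is available (the table's "N/A")
    kev: bool = False       # listed in CISA's Known Exploited Vulnerabilities catalog


# Constructed findings; KEV membership of EXAMPLE-KEV is assumed for the demo.
SAMPLE_FINDINGS = [
    Finding("CVE-2025-31651", 9.8),
    Finding("CVE-2025-3619", 8.8),
    Finding("EXAMPLE-HIGH-EPSS", 7.5),
    Finding("EXAMPLE-KEV", 5.3, kev=True),
]


def parse_epss(payload: str) -> dict[str, tuple[float, float]]:
    """Map CVE id -> (probability, percentile) from an EPSS API reply body."""
    doc = json.loads(payload)
    if doc.get("status") != "OK":
        raise ValueError(f"EPSS API returned an error: {doc}")
    return {row["cve"]: (float(row["epss"]), float(row["percentile"])) for row in doc["data"]}


def fetch_epss(cves: list[str], url: str = "https://api.first.org/data/v1/epss") -> dict[str, tuple[float, float]]:
    """Live lookup; the API accepts a comma-separated `cve` list. Not exercised offline."""
    with urlopen(f"{url}?{urlencode({'cve': ','.join(cves)})}", timeout=15) as resp:
        return parse_epss(resp.read().decode("utf-8"))


def priority_key(f: Finding, epss: dict[str, tuple[float, float]], kev_first: bool = True) -> tuple[int, float, float]:
    """Sort key (used descending): KEV membership, then EPSS probability, then CVSS.

    Confirmed exploitation (KEV) outranks a prediction; CVSS only breaks ties
    between equally likely CVEs. A CVE absent from the EPSS feed gets 0.0, so a
    missing score never promotes it.
    """
    prob, _pct = epss.get(f.cve, (0.0, 0.0))
    return (int(kev_first and f.kev), prob, f.cvss if f.cvss is not None else 0.0)


def prioritize(findings, epss, kev_first=True) -> list[Finding]:
    """Findings ordered from most to least urgent."""
    return sorted(findings, key=lambda f: priority_key(f, epss, kev_first), reverse=True)


def patch_now(findings, epss, threshold=0.10, kev_first=True) -> list[str]:
    """IDs that clear the EPSS threshold or sit in KEV, in priority order."""
    return [f.cve for f in prioritize(findings, epss, kev_first)
            if f.kev or epss.get(f.cve, (0.0, 0.0))[0] >= threshold]


if __name__ == "__main__":
    table = parse_epss(SAMPLE_EPSS_RESPONSE)
    for f in prioritize(SAMPLE_FINDINGS, table):
        prob, pct = table.get(f.cve, (0.0, 0.0))
        print(f"{f.cve:<18} EPSS {prob:7.2%}  pctl {pct:6.1%}  CVSS {f.cvss}  KEV={f.kev}")
    print("patch now:", patch_now(SAMPLE_FINDINGS, table))
```

Run as-is and the two page CVEs, both at 0.12%, fall below the 90% placeholder regardless of their higher CVSS; CVSS only decides which of the two equal-EPSS Tomcat and Chrome entries comes first. Passing `kev_first=False` makes KEV just another finding ranked by its EPSS score, which is the behaviour to avoid: a KEV entry is evidence of exploitation that has already happened, not a forecast.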

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
