Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Rank  CVE ID          EPSS Score  Percentile  CVSS  Flags  Summary
8901  CVE-2024-35164  0.04%       11.6th      6.8   -      This vulnerability in Apache Guacamole allows authenticated attackers with access to text-based conn
8902  CVE-2025-63073  0.04%       11.5th      6.5   -      This DOM-based Cross-Site Scripting (XSS) vulnerability in the The7 WordPress theme allows attackers
8903  CVE-2025-66036  0.04%       11.8th      6.1   -      Retro platform versions before 2.4.7 contain a cross-site scripting (XSS) vulnerability in input han
8904  CVE-2025-63075  0.04%       11.5th      6.5   -      This DOM-based Cross-Site Scripting (XSS) vulnerability in the Betheme WordPress theme allows attack
8905  CVE-2025-64355  0.04%       11.5th      6.5   -      This DOM-based Cross-Site Scripting (XSS) vulnerability in Crocoblock JetElements For Elementor allo
8906  CVE-2025-63021  0.04%       11.5th      6.5   -      This DOM-based Cross-Site Scripting (XSS) vulnerability in the Valenti Engine WordPress plugin allow
8907  CVE-2025-34237  0.04%       11.5th      5.4   -      Advantech WebAccess/VPN versions before 1.1.5 contain a stored cross-site scripting vulnerability in
8908  CVE-2025-70336  0.04%       11.6th      4.8   -      A stored cross-site scripting (XSS) vulnerability in PodcastGenerator 3.2.9 allows attackers to inje
8909  CVE-2025-10646  0.04%       11.7th      4.3   -      The Search Exclude WordPress plugin has an authorization vulnerability that allows authenticated use
8910  CVE-2024-45777  0.04%       11.6th      6.7   -      This vulnerability in grub2 allows attackers to trigger an out-of-bounds write when processing langu
8911  CVE-2025-69033  0.04%       11.5th      6.5   -      This DOM-based Cross-Site Scripting (XSS) vulnerability in the Blog Filter WordPress plugin allows a
8912  CVE-2024-45780  0.04%       11.6th      6.7   -      CVE-2024-45780 is a heap buffer overflow vulnerability in grub2's tar file parser that allows intege
8913  CVE-2025-69088  0.04%       11.5th      6.5   -      This DOM-based cross-site scripting (XSS) vulnerability in the Combo Offers WooCommerce WordPress pl
8914  CVE-2025-69089  0.04%       11.5th      6.5   -      This stored cross-site scripting (XSS) vulnerability in the Auto Listings WordPress plugin allows at
8915  CVE-2025-69092  0.04%       11.5th      6.5   -      This DOM-based XSS vulnerability in Essential Addons for Elementor allows attackers to inject malici
8916  CVE-2025-62982  0.04%       11.6th      5.4   -      This stored cross-site scripting (XSS) vulnerability in the Dynamic User Directory WordPress plugin
8917  CVE-2025-24089  0.04%       11.6th      5.3   -      This CVE describes a permissions vulnerability in iOS/iPadOS that allows malicious apps to enumerate
8918  CVE-2025-62094  0.04%       11.5th      6.5   -      This Cross-Site Scripting (XSS) vulnerability in Void Elementor WHMCS Elements for Elementor Page Bu
8919  CVE-2026-23063  0.04%       11.8th      5.5   -      This Linux kernel vulnerability in the uacce subsystem allows race conditions during queue release o
8920  CVE-2025-14052  0.04%       11.4th      6.3   -      This vulnerability in youlai-mall allows attackers to bypass access controls by manipulating the mem
8921  CVE-2025-12015  0.04%       11.7th      4.3   -      This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to di
8922  CVE-2025-13149  0.04%       11.7th      4.3   -      This vulnerability allows authenticated WordPress users with author-level permissions or higher to m
8923  CVE-2025-69334  0.04%       11.5th      6.5   -      This stored cross-site scripting (XSS) vulnerability in the WPFactory Wishlist for WooCommerce plugi
8924  CVE-2025-62988  0.04%       11.5th      4.9   -      This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the WordPress Slider Templa
8925  CVE-2026-0627   0.04%       11.5th      6.4   -      The AMP for WP WordPress plugin has a stored cross-site scripting vulnerability in versions up to 1.
8926  CVE-2025-66125  0.04%       11.6th      5.3   -      This vulnerability in the Ultimate Auction WordPress plugin exposes sensitive embedded data through
8927  CVE-2025-10570  0.04%       11.7th      4.3   -      The Flexible Refund and Return Order for WooCommerce WordPress plugin has an authorization flaw that
8928  CVE-2025-57764  0.04%       11.3th      6.5   -      A reflected cross-site scripting (XSS) vulnerability in WeGIA web management software allows attacke
8929  CVE-2025-22241  0.04%       11.6th      5.6   -      This vulnerability in SaltStack allows attackers to overwrite files in the pki directory by exploiti
8930  CVE-2025-49089  0.04%       11.5th      6.3   -      MoneyPrinterTurbo 1.2.6 contains a path traversal vulnerability that allows attackers to read arbitr
8931  CVE-2025-57765  0.04%       11.3th      6.5   -      A reflected cross-site scripting (XSS) vulnerability in WeGIA's pre_cadastro_adotante.php endpoint a
8932  CVE-2025-49246  0.04%       11.8th      4.3   -      This CVE describes a Missing Authorization vulnerability in the Testimonials Showcase WordPress plug
8933  CVE-2025-13729  0.04%       11.5th      6.4   -      The Entry Views WordPress plugin has a stored cross-site scripting (XSS) vulnerability that allows a
8934  CVE-2025-11277  0.04%       11.6th      5.3   -      A heap-based buffer overflow vulnerability exists in Assimp 6.0.2's Q3D file parser. Attackers with
8935  CVE-2025-66420  0.04%       11.6th      5.4   -      This vulnerability allows cross-site scripting (XSS) attacks through HTML attachments in Tryton's we
8936  CVE-2025-66421  0.04%       11.6th      5.4   -      This Cross-Site Scripting (XSS) vulnerability in Tryton sao allows attackers to inject malicious scr
8937  CVE-2025-13109  0.04%       11.7th      4.3   -      This vulnerability in the HUSKY – Products Filter Professional for WooCommerce WordPress plugin al
8938  CVE-2025-62719  0.04%       11.6th      4.3   -      This SSRF vulnerability in LinkAce allows authenticated attackers to make the application server sen
8939  CVE-2025-47626  0.04%       11.5th      5.9   -      This stored cross-site scripting (XSS) vulnerability in the Submission DOM tracking for Contact Form
8940  CVE-2025-69350  0.04%       11.5th      6.5   -      This stored cross-site scripting (XSS) vulnerability in the Themepoints Accordion WordPress plugin a
8941  CVE-2025-13354  0.04%       11.7th      4.3   -      This vulnerability allows authenticated WordPress users with subscriber-level access or higher to me
8942  CVE-2025-10054  0.04%       11.6th      5.3   -      The ELEX WordPress HelpDesk plugin has an authorization vulnerability that allows authenticated user
8943  CVE-2025-66424  0.04%       11.6th      6.5   -      Tryton trytond versions before 7.6.11, 7.4.21, 7.0.40, and 6.0.70 fail to enforce access controls du
8944  CVE-2025-54759  0.04%       11.5th      6.1   -      Sante PACS Server contains a stored cross-site scripting vulnerability that allows attackers to inje
8945  CVE-2025-13359  0.04%       11.3th      6.5   -      This SQL injection vulnerability in the TaxoPress WordPress plugin allows authenticated attackers wi
8946  CVE-2025-54862  0.04%       11.3th      5.4   -      Sante PACS Server web portal contains a stored cross-site scripting vulnerability that allows attack
8947  CVE-2025-0691   0.04%       11.4th      5.0   -      This vulnerability allows authenticated users in Devolutions Server to bypass client-side validation
8948  CVE-2024-38320  0.04%       11.5th      5.9   -      IBM Storage Protect for Virtual Environments and Backup-Archive Client versions 8.1.0.0 through 8.1.
8949  CVE-2025-13756  0.04%       11.7th      4.3   -      The Fluent Booking WordPress plugin has an authorization vulnerability that allows any authenticated
8950  CVE-2025-66094  0.04%       11.5th      6.5   -      This stored cross-site scripting (XSS) vulnerability in Yada Wiki WordPress plugin allows attackers

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, making it ideal for prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
