Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Rank | CVE ID | EPSS Score | Percentile | CVSS | Summary
9001 | CVE-2025-22350 | 0.12% | 31st | 7.6 | This SQL injection vulnerability in the WpIndeed Ultimate Learning Pro WordPress plugin allows attac
9002 | CVE-2025-22536 | 0.12% | 31st | 7.6 | This SQL injection vulnerability in the WP Music Player WordPress plugin allows attackers to execute
9003 | CVE-2025-22533 | 0.12% | 31st | 7.6 | This SQL injection vulnerability in the WOOEXIM WordPress plugin allows attackers to execute arbitra
9004 | CVE-2025-22507 | 0.12% | 31st | 7.6 | This SQL injection vulnerability in the WPMU Prefill Post WordPress plugin allows attackers to execu
9005 | CVE-2025-22502 | 0.12% | 31st | 7.6 | This SQL injection vulnerability in MindValley Super PageMash WordPress plugin allows attackers to e
9006 | CVE-2025-22351 | 0.12% | 31st | 7.6 | This SQL injection vulnerability in the Contact Form 7 Database – CFDB7 WordPress plugin allows at
9007 | CVE-2025-22349 | 0.12% | 31st | 7.6 | This SQL injection vulnerability in the WordPress Auction Plugin allows attackers to execute arbitra
9008 | CVE-2025-26946 | 0.12% | 31st | 7.6 | This SQL injection vulnerability in the WP Yelp Review Slider WordPress plugin allows attackers to e
9009 | CVE-2025-26911 | 0.12% | 31st | 4.3 | The Bowo System Dashboard WordPress plugin exposes sensitive system information to unauthorized user
9010 | CVE-2025-27297 | 0.12% | 31st | 7.6 | This SQL injection vulnerability in the Bravo Search & Replace WordPress plugin allows attackers to
9011 | CVE-2024-13462 | 0.12% | 30.9th | 6.4 | The WP Wiki Tooltip WordPress plugin has a stored XSS vulnerability that allows authenticated attack
9012 | CVE-2024-11778 | 0.12% | 30.9th | 6.4 | This vulnerability allows authenticated WordPress users with contributor-level access or higher to i
9013 | CVE-2025-26755 | 0.12% | 31st | 7.6 | This SQL injection vulnerability in the WP Airbnb Review Slider WordPress plugin allows attackers to
9014 | CVE-2025-26473 | 0.12% | 31st | 7.5 | The Mojave Inverter uses HTTP GET requests to transmit sensitive information, potentially exposing c
9015 | CVE-2025-25281 | 0.12% | 31st | 7.5 | This vulnerability allows attackers to manipulate URLs to access sensitive network information throu
9016 | CVE-2025-24436 | 0.12% | 31st | 4.3 | Adobe Commerce has an incorrect authorization vulnerability that allows low-privileged attackers to
9017 | CVE-2025-24421 | 0.12% | 31st | 4.3 | Adobe Commerce has an incorrect authorization vulnerability that allows low-privileged attackers to
9018 | CVE-2025-25116 | 0.12% | 31st | 7.6 | This SQL injection vulnerability in the WordPress 'Link to URL / Post' plugin allows attackers to ex
9019 | CVE-2025-22691 | 0.12% | 31st | 7.6 | This SQL injection vulnerability in the WP Travel WordPress plugin allows attackers to execute arbit
9020 | CVE-2024-8898 | 0.12% | 31st | 9.8 | A path traversal vulnerability in parisneo/lollms-webui version V12 allows attackers to create or de
9021 | CVE-2025-2108 | 0.12% | 30.9th | 6.4 | This stored XSS vulnerability in the Xpro Elementor Addons WordPress plugin allows authenticated att
9022 | CVE-2024-5667 | 0.12% | 30.9th | 6.4 | This CVE describes a stored cross-site scripting (XSS) vulnerability in multiple WordPress plugins t
9023 | CVE-2025-1008 | 0.12% | 30.9th | 6.4 | This stored XSS vulnerability in the Recently Purchased Products For Woo WordPress plugin allows aut
9024 | CVE-2025-24654 | 0.12% | 31st | 7.1 | This CVE describes a Missing Authorization vulnerability in the Squirrly SEO WordPress plugin that a
9025 | CVE-2025-1491 | 0.12% | 30.9th | 6.4 | The WP Posts Carousel WordPress plugin has a stored XSS vulnerability in versions up to 1.3.7. Authe
9026 | CVE-2025-45019 | 0.12% | 31st | 5.4 | A SQL injection vulnerability in PHPGurukul Park Ticketing Management System v2.0 allows remote atta
9027 | CVE-2025-43865 | 0.12% | 31st | 8.2 | React Router versions 7.0.x before 7.5.2 allow attackers to modify pre-rendered data by adding speci
9028 | CVE-2025-35965 | 0.12% | 31st | 6.5 | This vulnerability allows attackers to create task items with excessive actions via the UpdateRunTas
9029 | CVE-2025-29816 | 0.12% | 31st | 7.5 | This vulnerability allows attackers to bypass security features in Microsoft Word through improper i
9030 | CVE-2025-21896 | 0.12% | 31st | 7.8 | A use-after-free vulnerability in the Linux kernel's FUSE filesystem implementation allows attackers
9031 | CVE-2025-47294 | 0.12% | 31st | 5.3 | An integer overflow vulnerability in Fortinet FortiOS allows remote unauthenticated attackers to cra
9032 | CVE-2025-47282 | 0.12% | 31st | 9.9 | A privilege escalation vulnerability in Gardener External DNS Management allows users with administr
9033 | CVE-2025-7821 | 0.12% | 31st | 5.3 | The WC Plus WordPress plugin has an authentication bypass vulnerability that allows unauthenticated
9034 | CVE-2022-31491 | 0.12% | 31st | 10.0 | This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code on Vol
9035 | CVE-2025-54864 | 0.12% | 31st | 7.5 | This vulnerability allows unauthenticated API calls to trigger resource-intensive evaluations in Hyd
9036 | CVE-2025-3320 | 0.12% | 30.9th | 8.1 | CVE-2025-3320 is a heap-based buffer overflow vulnerability in IBM Tivoli Monitoring that allows rem
9037 | CVE-2025-11576 | 0.12% | 30.9th | 4.3 | This CSV injection vulnerability in the AI Chatbot Free Models WordPress plugin allows unauthenticat
9038 | CVE-2025-59978 | 0.12% | 31st | 9.0 | This stored XSS vulnerability in Juniper Networks Junos Space allows attackers to inject malicious s
9039 | CVE-2025-61183 | 0.12% | 31st | 6.1 | This cross-site scripting (XSS) vulnerability in VaahCMS v2.3.1 allows remote attackers to inject ma
9040 | CVE-2025-41729 | 0.12% | 31st | 7.5 | An unauthenticated remote attacker can send a specially crafted Modbus read command to vulnerable de
9041 | CVE-2025-13641 | 0.12% | 30.9th | 8.8 | This vulnerability allows authenticated WordPress users with Contributor-level access or higher to i
9042 | CVE-2025-62847 | 0.12% | 31st | 7.5 | This CVE describes an argument injection vulnerability in QNAP operating systems where attackers can
9043 | CVE-2025-14068 | 0.12% | 30.9th | 7.5 | The WPNakama WordPress plugin contains a time-based SQL injection vulnerability in the 'order_by' pa
9044 | CVE-2025-14520 | 0.12% | 31st | 5.4 | This CVE describes a path traversal vulnerability in baowzh hfly's admin interface that allows remot
9045 | CVE-2025-12641 | 0.12% | 31st | 6.5 | This vulnerability allows unauthenticated attackers to demote WordPress administrators to low-privil
9046 | CVE-2026-0408 | 0.12% | 31st | 8.0 | A path traversal vulnerability in NETGEAR WiFi range extenders allows authenticated LAN attackers to
9047 | CVE-2025-15346 | 0.12% | 31.1th | N/A | This vulnerability in wolfssl-py allows attackers to bypass mutual TLS (mTLS) client authentication
9048 | CVE-2025-0846 | 0.12% | 30.8th | 7.3 | This critical SQL injection vulnerability in 1000 Projects Employee Task Management System 1.0 allow
9049 | CVE-2025-0527 | 0.12% | 30.8th | 7.3 | This critical vulnerability in code-projects Admission Management System 1.0 allows remote attackers
9050 | CVE-2025-0060 | 0.12% | 30.9th | 6.5 | This vulnerability allows authenticated users with restricted access in SAP BusinessObjects Business

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Where CVSS measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
