Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. A higher score means a greater estimated likelihood of exploitation in the wild within the next 30 days. This page shows ranks 9151 to 9200 of the list: every entry here scores 0.04%, around the 11th percentile, so these rows sit near the bottom of the ranking rather than among the most exploitable CVEs.

Summary figures:
164 CVEs with EPSS > 50%
156 CVEs listed in CISA KEV
35,468 CVEs with an EPSS score
0.7% average EPSS score
EPSS is shown as a percentage and Percentile as the share of scored CVEs with a lower EPSS. The Flags column (for example CISA KEV) is blank for every row on this page and is omitted. Summaries are truncated as on the source page.

Rank  CVE ID          EPSS   Percentile  CVSS  Summary
9151  CVE-2022-49237  0.04%  11          5.5   This CVE describes a memory leak vulnerability in the Linux kernel's ath11k wireless driver. The dri
9152  CVE-2025-14048  0.04%  11.1        4.4   The SimplyConvert WordPress plugin has a stored XSS vulnerability in all versions up to 1.0 that all
9153  CVE-2022-49500  0.04%  11          5.5   This CVE addresses a kernel panic vulnerability in the wl1251 Wi-Fi driver for Linux. When using vma
9154  CVE-2025-7031   0.04%  11.3        5.3   This vulnerability allows unauthenticated attackers to access configuration pages in Drupal that sho
9155  CVE-2025-48010  0.04%  11.3        4.8   This CVE describes an authentication bypass vulnerability in the Drupal One Time Password module tha
9156  CVE-2025-62088  0.04%  11.2        5.4   This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the WordPress & WooCommerce
9157  CVE-2025-48012  0.04%  11.3        4.8   CVE-2025-48012 is an authentication bypass vulnerability in Drupal's One Time Password module that a
9158  CVE-2025-14170  0.04%  11.1        5.3   The Vimeo SimpleGallery WordPress plugin has a missing authorization vulnerability that allows authe
9159  CVE-2025-64249  0.04%  11.2        4.8   This vulnerability allows attackers to bypass authorization controls in the Protect WP Admin WordPre
9160  CVE-2025-21900  0.04%  11.1        5.5   This CVE describes a deadlock vulnerability in the Linux kernel's NFSv4 client when recovering state
9161  CVE-2025-45029  0.04%  11.1        6.5   This vulnerability allows attackers to execute arbitrary code or cause denial of service on WINSTAR
9162  CVE-2025-49402  0.04%  11.2        6.5   This CVE describes a missing authorization vulnerability in the Houzez CRM WordPress plugin that all
9163  CVE-2025-53322  0.04%  11.2        5.3   This vulnerability in the Accept Authorize.NET Payments Using Contact Form 7 WordPress plugin expose
9164  CVE-2024-12298  0.04%  11.1        5.5   This vulnerability in NB-series NX-Designer allows attackers to exploit XML External Entity (XXE) pr
9165  CVE-2025-7127   0.04%  11.2        4.7   This critical SQL injection vulnerability in the itsourcecode Employee Management System allows atta
9166  CVE-2025-8171   0.04%  11          6.3   This critical vulnerability in code-projects Document Management System 1.0 allows remote attackers
9167  CVE-2025-65892  0.04%  11.1        6.1   This vulnerability allows remote unauthenticated attackers to execute arbitrary JavaScript in users'
9168  CVE-2025-64358  0.04%  11.3        4.3   This CVE describes a missing authorization vulnerability in the WebToffee Smart Coupons for WooComme
9169  CVE-2025-49406  0.04%  11.1        5.3   This CVE describes a missing authorization vulnerability in the Houzez WordPress theme that allows a
9170  CVE-2026-2216   0.04%  11.2        4.3   This path traversal vulnerability in rachelos WeRSS we-mp-rss allows remote attackers to read arbitr
9171  CVE-2025-49408  0.04%  11.2        4.9   This vulnerability in the Templately WordPress plugin exposes sensitive embedded data through sent i
9172  CVE-2025-64265  0.04%  11.3        4.3   This CVE describes a Missing Authorization vulnerability in the N-Media Frontend File Manager WordPr
9173  CVE-2025-64269  0.04%  11.3        4.3   This CVE describes a missing authorization vulnerability in the WooCommerce PDF Invoice Builder Word
9174  CVE-2025-54380  0.04%  11.2        6.5   Opencast versions before 17.6 incorrectly send hashed global system account credentials to attacker-
9175  CVE-2025-66132  0.04%  11.2        6.5   This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in the FAPI Member WordP
9176  CVE-2025-64274  0.04%  11.3        4.3   This CVE describes a Missing Authorization vulnerability in the WPKoi Templates for Elementor WordPr
9177  CVE-2025-20307  0.04%  11.2        4.8   An authenticated cross-site scripting (XSS) vulnerability in Cisco BroadWorks CommPilot's web manage
9178  CVE-2025-37998  0.04%  11.3        5.5   This vulnerability in the Linux kernel's Open vSwitch module involves unsafe Netlink attribute parsi
9179  CVE-2022-50684  0.04%  11.1        6.1   This HTML injection vulnerability in Kentico Xperience allows attackers to inject malicious HTML con
9180  CVE-2023-53736  0.04%  11.3        5.4   This reflected cross-site scripting vulnerability in Kentico Xperience allows authenticated users to
9181  CVE-2025-49288  0.04%  11.1        4.3   This vulnerability allows attackers to bypass authorization controls in the Ultimate WP Mail WordPre
9182  CVE-2023-53738  0.04%  11.3        5.4   This reflected cross-site scripting vulnerability in Kentico Xperience allows authenticated attacker
9183  CVE-2025-39876  0.04%  11.3        5.5   A NULL pointer dereference vulnerability in the Linux kernel's FEC (Fast Ethernet Controller) driver
9184  CVE-2025-0986   0.04%  11.1        4.5   This vulnerability in IBM PowerVM Hypervisor firmware allows a local user with specific Linux proces
9185  CVE-2025-14347  0.04%  11.1        6.3   This CVE describes a reflected cross-site scripting (XSS) vulnerability in Proliz Software Ltd.'s OB
9186  CVE-2025-50468  0.04%  11          6.5   OpenMetadata versions up to 1.4.4 contain a SQL injection vulnerability in the DocStoreDAO interface
9187  CVE-2026-1423   0.04%  11.2        6.3   This vulnerability in code-projects Online Examination System 1.0 allows attackers to upload arbitra
9188  CVE-2025-14095  0.04%  11.3        6.8   A privilege boundary violation vulnerability in Radiometer medical analyzers allows users with physi
9189  CVE-2022-49552  0.04%  11.1        5.5   A Linux kernel vulnerability in the BPF subsystem where JIT blinding incorrectly randomizes special
9190  CVE-2025-25818  0.04%  11.2        5.1   This cross-site scripting (XSS) vulnerability in Emlog Pro allows attackers to inject malicious scri
9191  CVE-2025-6700   0.04%  11          4.3   This vulnerability allows attackers to inject malicious scripts via the errorMsg parameter in the xx
9192  CVE-2025-66077  0.04%  11.3        4.3   This CVE describes a Missing Authorization vulnerability in the Legal Pages WordPress plugin that al
9193  CVE-2025-50031  0.04%  11.2        6.5   This CVE describes a Missing Authorization vulnerability in the DB Backup WordPress plugin that allo
9194  CVE-2024-58317  0.04%  11.1        5.3   A cookie security configuration vulnerability in Kentico Xperience allows attackers to bypass SSL re
9195  CVE-2025-66082  0.04%  11.3        4.3   This CVE describes a Missing Authorization vulnerability in the WpEvently mage-eventpress WordPress
9196  CVE-2025-60151  0.04%  11.3        4.7   This CVE describes an open redirect vulnerability in the WP Gravity Forms HubSpot plugin for WordPre
9197  CVE-2025-66083  0.04%  11.3        4.3   This CVE describes a missing authorization vulnerability in the WpEvently mage-eventpress WordPress
9198  CVE-2025-66084  0.04%  11.3        4.3   This CVE describes a Missing Authorization vulnerability in the FluentCommunity WordPress plugin tha
9199  CVE-2025-21958  0.04%  11.1        4.7   This CVE describes a race condition in the Linux kernel's Open vSwitch conntrack module where attemp
9200  CVE-2025-66085  0.04%  11.3        4.3   This CVE describes a Missing Authorization vulnerability in the Arconix Shortcodes WordPress plugin

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by FIRST.org that estimates the probability a CVE will be exploited in the wild within the next 30 days. It outputs a probability between 0 and 1 (shown here as a percentage) together with a percentile that places the CVE among all scored CVEs, and the scores are recomputed daily as new exploitation evidence arrives. CVSS measures the severity of a vulnerability if it is exploited; EPSS measures how likely exploitation is. Likelihood, not severity alone, is the better input for deciding which vulnerabilities to patch first.

Why EPSS matters: with thousands of CVEs published every month, not all vulnerabilities are equally dangerous, and most are never exploited at all. EPSS lets security teams focus on the CVEs most likely to be actively exploited instead of patching solely by CVSS score. A CVSS 9.8 critical with an EPSS of 0.1% may be less urgent than a CVSS 7.5 high with an EPSS of 90%. EPSS does not replace severity or asset context: a CVE that is already listed in CISA's Known Exploited Vulnerabilities (KEV) catalog is exploited by definition, whatever its EPSS, and should go to the front of the queue.
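The following script, added here as an illustration and not code from this page or from FIRST.org, applies the prioritization rule described above: it parses an EPSS result, joins it with CVSS scores and a KEV list, and orders findings by exploit risk instead of by CVSS. The embedded JSON is a constructed sample shaped like a response from the FIRST EPSS API (https://api.first.org/data/v1/epss?cve=...), in which "epss" and "percentile" are strings holding values between 0 and 1; the four CVE rows carry the EPSS and CVSS values from the table on this page, while the two HYPOTHETICAL entries are invented to reproduce the "CVSS 9.8 at 0.1%" versus "CVSS 7.5 at 90%" comparison. The triage buckets and the 10% threshold in bucket() are assumptions of this example, not a policy from FIRST or from this page.

```python
"""Prioritise findings by EPSS, with a CISA KEV override and CVSS as tie-break.

Added example, not code from the page or from FIRST. The JSON below is a
constructed sample shaped like a response from the FIRST EPSS API
(https://api.first.org/data/v1/epss?cve=...): "epss" and "percentile" are
strings holding probabilities in 0..1 (the page renders them as 0.04% and
"11th"). CVSS base scores and KEV membership are not part of EPSS and are
supplied separately here; the triage policy in bucket() is an assumption.
"""
import json
from dataclasses import dataclass

# Constructed sample. The four CVE-* rows carry the EPSS and CVSS values shown
# in the page's table; the two HYPOTHETICAL-* rows are invented to reproduce
# the page's "CVSS 9.8 at 0.1% EPSS" vs "CVSS 7.5 at 90% EPSS" comparison.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "status-code": 200,
    "version": "1.0",
    "total": 6,
    "data": [
        {"cve": "CVE-2022-49237", "epss": "0.00040", "percentile": "0.11000"},
        {"cve": "CVE-2025-14048", "epss": "0.00040", "percentile": "0.11100"},
        {"cve": "CVE-2025-7031", "epss": "0.00040", "percentile": "0.11300"},
        {"cve": "CVE-2025-54380", "epss": "0.00040", "percentile": "0.11200"},
        {"cve": "HYPOTHETICAL-1", "epss": "0.00100", "percentile": "0.30000"},
        {"cve": "HYPOTHETICAL-2", "epss": "0.90000", "percentile": "0.99700"},
    ],
})

# CVSS base scores: from the page for the CVE-* rows, invented for the rest.
CVSS_BY_ID = {
    "CVE-2022-49237": 5.5,
    "CVE-2025-14048": 4.4,
    "CVE-2025-7031": 5.3,
    "CVE-2025-54380": 6.5,
    "HYPOTHETICAL-1": 9.8,
    "HYPOTHETICAL-2": 7.5,
}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    epss: float        # probability of exploitation in the next 30 days, 0..1
    percentile: float  # share of scored CVEs with a lower EPSS, 0..1
    kev: bool = False  # listed in CISA's Known Exploited Vulnerabilities catalog


def parse_epss_response(raw: str) -> dict[str, tuple[float, float]]:
    """Map CVE id -> (epss, percentile), rejecting a failed or malformed response."""
    doc = json.loads(raw)
    if doc.get("status") != "OK":
        raise ValueError(f"EPSS API status was {doc.get('status')!r}")
    scores: dict[str, tuple[float, float]] = {}
    for row in doc["data"]:
        epss, pct = float(row["epss"]), float(row["percentile"])
        if not (0.0 <= epss <= 1.0 and 0.0 <= pct <= 1.0):
            raise ValueError(f"score out of range for {row['cve']}: {epss}, {pct}")
        scores[row["cve"]] = (epss, pct)
    return scores


def build_findings(cvss_by_id, epss_scores, kev=frozenset()):
    """Join CVSS, EPSS and KEV data. A CVE without an EPSS score is an error,
    not silently 0%, so it cannot sink to the bottom of the queue unnoticed."""
    missing = sorted(set(cvss_by_id) - set(epss_scores))
    if missing:
        raise KeyError(f"no EPSS score for {missing}")
    return [Finding(cve, cvss, *epss_scores[cve], kev=cve in kev)
            for cve, cvss in cvss_by_id.items()]


def bucket(f: Finding, epss_threshold: float = 0.10) -> str:
    """Assumed triage policy: known-exploited first, then likely-exploited,
    then high-severity-but-unlikely, then everything else."""
    if f.kev:
        return "P0 known exploited"
    if f.epss >= epss_threshold:
        return "P1 likely exploited"
    if f.cvss >= 9.0:
        return "P2 critical, low exploit probability"
    return "P3 routine"


def rank_by_exploit_risk(findings):
    """KEV entries first, then descending EPSS, CVSS as tie-break, id for stability."""
    return sorted(findings, key=lambda f: (not f.kev, -f.epss, -f.cvss, f.cve))


def rank_by_cvss(findings):
    """The ordering a CVSS-only process would produce, for comparison."""
    return sorted(findings, key=lambda f: (-f.cvss, f.cve))


def triage(kev=frozenset()):
    """Return (cve, epss as percent, cvss, bucket) rows in exploit-risk order."""
    findings = build_findings(CVSS_BY_ID, parse_epss_response(SAMPLE_EPSS_RESPONSE), kev)
    return [(f.cve, f"{f.epss:.2%}", f.cvss, bucket(f)) for f in rank_by_exploit_risk(findings)]


if __name__ == "__main__":
    scores = parse_epss_response(SAMPLE_EPSS_RESPONSE)
    print("CVSS-only order:", [f.cve for f in rank_by_cvss(build_findings(CVSS_BY_ID, scores))])
    for row in triage():
        print(row)
    print("with HYPOTHETICAL-1 in KEV:", [r[0] for r in triage(kev={"HYPOTHETICAL-1"})])
```

Sorted by CVSS alone, the 9.8 entry comes first; sorted by exploit risk, the 7.5 entry with 90% EPSS moves to the top and the four 0.04% rows from this page fall to the end, ordered among themselves by CVSS. Passing a KEV set overrides EPSS entirely for the listed ids. For production use, replace the embedded sample with a live query of the EPSS API or FIRST's daily CSV export and feed the KEV catalog from CISA's published JSON.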

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
