Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. A higher score means a greater estimated likelihood of exploitation in the wild within the next 30 days. This page shows ranks 9201 to 9250 of the list.

CVEs with EPSS > 50%: 164
CISA KEV listed: 156
CVEs with an EPSS score: 35,468
Average EPSS score: 0.7%
Rank | CVE ID | EPSS Score | Percentile | CVSS | Summary (truncated as displayed)

(The Flags column is empty for every row on this page.)

9201 | CVE-2025-25760 | 0.12% | 30.5th | 7.5 | This SSRF vulnerability in SUCMS v1.0 allows attackers to make the server send requests to internal
9202 | CVE-2024-50693 | 0.12% | 30.5th | 9.1 | This vulnerability allows attackers to bypass authorization controls in SunGrow iSolarCloud's userSe
9203 | CVE-2024-50689 | 0.12% | 30.5th | 9.1 | This vulnerability allows attackers to bypass authorization and access unauthorized organizational d
9204 | CVE-2024-50687 | 0.12% | 30.5th | 9.1 | SunGrow iSolarCloud versions before October 31, 2024 contain an insecure direct object reference (ID
9205 | CVE-2024-50685 | 0.12% | 30.5th | 9.1 | This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in SunGrow iSolarCloud's
9206 | CVE-2025-1249 | 0.12% | 30.5th | 5.3 | This CVE describes a missing authorization vulnerability in the Pixelite Events Manager WordPress pl
9207 | CVE-2025-26622 | 0.12% | 30.4th | 7.5 | This vulnerability in Vyper's sqrt() builtin function causes incorrect square root calculations for
9208 | CVE-2025-22973 | 0.12% | 30.5th | 7.5 | This vulnerability in QiboSoft QiboCMS X1.0 allows remote attackers to retrieve sensitive informatio
9209 | CVE-2024-37359 | 0.12% | 30.5th | 8.6 | This is a Server-Side Request Forgery (SSRF) vulnerability in Hitachi Vantara Pentaho Business Analy
9210 | CVE-2025-1132 | 0.12% | 30.4th | 8.8 | A time-based blind SQL injection vulnerability in ChurchCRM versions 5.13.0 and earlier allows authe
9211 | CVE-2024-57782 | 0.12% | 30.5th | 6.8 | A denial-of-service vulnerability in Docker-proxy v18.09.0 allows attackers to crash or degrade the
9212 | CVE-2024-51123 | 0.12% | 30.5th | 7.5 | This vulnerability in Zertificon Z1 SecureMail Gateway allows remote attackers to access sensitive i
9213 | CVE-2024-13775 | 0.12% | 30.6th | 5.4 | The WooCommerce Support Ticket System plugin for WordPress has missing capability checks on three AJ
9214 | CVE-2024-12825 | 0.12% | 30.6th | 5.4 | The Custom Related Posts WordPress plugin has a missing capability check vulnerability that allows a
9215 | CVE-2025-2739 | 0.12% | 30.6th | 7.3 | This critical SQL injection vulnerability in PHPGurukul Old Age Home Management System 1.0 allows at
9216 | CVE-2025-26512 | 0.12% | 30.6th | 9.9 | This vulnerability allows authenticated SnapCenter Server users to escalate privileges to admin leve
9217 | CVE-2025-2665 | 0.12% | 30.6th | 7.3 | This critical SQL injection vulnerability in PHPGurukul Online Security Guards Hiring System 1.0 all
9218 | CVE-2025-2646 | 0.12% | 30.6th | 7.3 | This critical SQL injection vulnerability in PHPGurukul Art Gallery Management System 1.0 allows rem
9219 | CVE-2025-2640 | 0.12% | 30.6th | 7.3 | This critical SQL injection vulnerability in PHPGurukul Doctor Appointment Management System 1.0 all
9220 | CVE-2024-13558 | 0.12% | 30.5th | 7.5 | The NP Quote Request for WooCommerce WordPress plugin has an Insecure Direct Object Reference vulner
9221 | CVE-2024-9309 | 0.12% | 30.5th | 9.3 | This SSRF vulnerability in LLaVA's Controller API Server allows attackers to make the server send un
9222 | CVE-2025-25382 | 0.12% | 30.6th | 7.5 | This vulnerability in the Information Kerala Mission SANCHAYA Property Tax Payment Portal allows att
9223 | CVE-2024-48864 | 0.12% | 30.5th | 9.1 | This vulnerability in QNAP File Station 5 allows remote attackers to read or write files and directo
9224 | CVE-2025-0863 | 0.12% | 30.5th | 6.4 | This vulnerability allows authenticated WordPress users with contributor-level access or higher to i
9225 | CVE-2024-12809 | 0.12% | 30.5th | 6.4 | The Wishlist plugin for WordPress versions up to 1.0.43 contains a stored cross-site scripting (XSS)
9226 | CVE-2025-27370 | 0.12% | 30.6th | 6.9 | This OpenID Connect vulnerability allows malicious Authorization Servers to inject attacker-controll
9227 | CVE-2025-32949 | 0.12% | 30.6th | 6.5 | This vulnerability allows any authenticated user to upload a Zip Bomb archive that causes disk space
9228 | CVE-2024-13909 | 0.12% | 30.6th | 4.9 | This vulnerability allows authenticated WordPress administrators to perform time-based SQL injection
9229 | CVE-2025-48938 | 0.12% | 30.6th | 9.8 | A critical vulnerability in go-gh versions before 2.12.1 allows remote code execution when users int
9230 | CVE-2025-31644 | 0.12% | 30.6th | 8.7 | A command injection vulnerability in F5 BIG-IP Appliance mode allows authenticated administrators to
9231 | CVE-2025-50213 | 0.12% | 30.6th | 9.8 | This CVE describes a SQL injection vulnerability in Apache Airflow's Snowflake provider where unsani
9232 | CVE-2025-6091 | 0.12% | 30.5th | 8.8 | A critical buffer overflow vulnerability in H3C GR-3000AX routers allows remote attackers to execute
9233 | CVE-2025-6090 | 0.12% | 30.5th | 8.8 | A critical buffer overflow vulnerability in H3C GR-5400AX routers allows remote attackers to execute
9234 | CVE-2024-38824 | 0.12% | 30.6th | 9.6 | CVE-2024-38824 is a critical directory traversal vulnerability in SaltStack's recv_file method that
9235 | CVE-2025-47968 | 0.12% | 30.5th | 7.8 | CVE-2025-47968 is a local privilege escalation vulnerability in Microsoft AutoUpdate (MAU) caused by
9236 | CVE-2025-48877 | 0.12% | 30.6th | 9.8 | This vulnerability in Discourse allows attackers to execute arbitrary JavaScript within iframes when
9237 | CVE-2025-7493 | 0.12% | 30.5th | 9.1 | This CVE-2025-7493 is a privilege escalation vulnerability in FreeIPA where an attacker can gain dom
9238 | CVE-2025-8877 | 0.12% | 30.5th | 7.5 | This SQL injection vulnerability in the AffiliateWP WordPress plugin allows unauthenticated attacker
9239 | CVE-2025-59527 | 0.12% | 30.4th | 7.5 | This Server-Side Request Forgery (SSRF) vulnerability in Flowise version 3.0.5 allows attackers to u
9240 | CVE-2025-9943 | 0.12% | 30.4th | 9.1 | An SQL injection vulnerability in Shibboleth Service Provider allows unauthenticated attackers to ex
9241 | CVE-2025-11501 | 0.12% | 30.5th | 7.5 | The Dynamically Display Posts WordPress plugin has an SQL injection vulnerability that allows unauth
9242 | CVE-2025-9200 | 0.12% | 30.5th | 7.5 | This SQL injection vulnerability in the Blappsta Mobile App Plugin for WordPress allows unauthentica
9243 | CVE-2025-9587 | 0.12% | 30.5th | 8.6 | This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on WordPress s
9244 | CVE-2025-36250 | 0.12% | 30.5th | 10.0 | This vulnerability allows remote attackers to execute arbitrary commands on IBM AIX and VIOS systems
9245 | CVE-2025-12922 | 0.12% | 30.6th | 6.3 | This vulnerability allows remote attackers to perform path traversal attacks via the xml_file parame
9246 | CVE-2025-68618 | 0.12% | 30.5th | 5.3 | ImageMagick versions before 7.1.2-12 contain a denial-of-service vulnerability when processing malic
9247 | CVE-2025-12398 | 0.12% | 30.6th | 6.1 | The Product Table for WooCommerce WordPress plugin contains a reflected cross-site scripting (XSS) v
9248 | CVE-2025-11496 | 0.12% | 30.6th | 6.1 | This stored XSS vulnerability in the Five Star Restaurant Reservations WordPress plugin allows unaut
9249 | CVE-2025-14154 | 0.12% | 30.6th | 6.1 | This stored XSS vulnerability in the Better Messages WordPress plugin allows unauthenticated attacke
9250 | CVE-2025-62849 | 0.12% | 30.5th | 9.8 | This SQL injection vulnerability in QNAP operating systems allows remote attackers to execute arbitr

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first. Each CVE gets two numbers: the score (a probability between 0 and 1, shown here as a percentage) and the percentile (the share of all scored CVEs with a lower score), and both are recomputed daily as new exploitation data arrives.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a CVSS 7.5 vulnerability with 90% EPSS. EPSS complements other signals rather than replacing them: a CVE on the CISA KEV list has already been exploited, so it belongs at the top of the queue regardless of its EPSS score, and a low score today is a forecast for the next 30 days, not a permanent verdict.
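The prioritisation rule above, written out as an added example (this is not code from the page or from FIRST.org). It parses the cve,epss,percentile column layout of FIRST's EPSS CSV feed from a constructed sample, joins the scores with CVSS and a KEV set, and ranks: KEV first, then EPSS at or above a policy threshold, then by EPSS and CVSS. The three real CVE IDs carry the EPSS, percentile and CVSS values shown in the table above; CVE-0000-0001 and CVE-0000-0002 are placeholder identifiers with assumed values, included only to show how a high EPSS or a KEV listing reorders the queue. The 10% threshold is an assumed local policy, not a FIRST recommendation.

```python
"""Rank CVEs by exploit likelihood (EPSS) instead of by CVSS alone."""
import csv
import io
from dataclasses import dataclass

# Constructed sample in the column layout of FIRST's EPSS CSV feed: a
# '#'-prefixed metadata line, then the header 'cve,epss,percentile', then one
# row per CVE with epss and percentile as fractions (0.0012 == 0.12%).
# The three real CVE IDs carry the values shown in the table above.
# CVE-0000-0001 and CVE-0000-0002 are placeholder identifiers with assumed
# values, used only to show how a high EPSS or a KEV listing reorders the queue.
EPSS_CSV = """\
#model_version:constructed,score_date:constructed
cve,epss,percentile
CVE-2025-36250,0.00120,0.305
CVE-2025-48938,0.00120,0.306
CVE-2025-1249,0.00120,0.306
CVE-0000-0001,0.90000,0.998
CVE-0000-0002,0.02000,0.880
"""

# CVSS base scores: the real IDs as shown in the table above; the two
# placeholder entries are assumptions.
CVSS = {
    "CVE-2025-36250": 10.0,
    "CVE-2025-48938": 9.8,
    "CVE-2025-1249": 5.3,
    "CVE-0000-0001": 7.5,
    "CVE-0000-0002": 6.5,
}

# Assumed KEV membership for one placeholder only; the page shows no KEV flag
# on the real IDs used here.
KEV = {"CVE-0000-0002"}

# Assumed local policy: a 30-day exploitation probability of 10% or more is
# treated as urgent. Tune the cut-off to your patch capacity.
EPSS_THRESHOLD = 0.10


@dataclass(frozen=True)
class EpssRecord:
    cve: str
    epss: float        # probability of exploitation in the next 30 days
    percentile: float  # share of all scored CVEs with a lower EPSS


def parse_epss_csv(text: str) -> dict[str, EpssRecord]:
    """Parse cve,epss,percentile rows; skip blank lines and '#' metadata lines."""
    body = "\n".join(ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    records = {}
    for row in csv.DictReader(io.StringIO(body)):
        records[row["cve"]] = EpssRecord(
            row["cve"], float(row["epss"]), float(row["percentile"])
        )
    return records


def tier(cve: str, epss: float, kev: set[str]) -> int:
    """0 = known exploited (KEV), 1 = EPSS at/above threshold, 2 = everything else."""
    if cve in kev:
        return 0
    if epss >= EPSS_THRESHOLD:
        return 1
    return 2


def prioritise(records, cvss, kev):
    """Order: KEV first, then EPSS tier, then EPSS descending, then CVSS descending."""
    rows = [
        (cve, tier(cve, rec.epss, kev), rec.epss, cvss.get(cve, 0.0))
        for cve, rec in records.items()
    ]
    rows.sort(key=lambda r: (r[1], -r[2], -r[3]))
    return rows


def rank_by_cvss_only(records, cvss):
    """The severity-only ordering the text argues against, kept for comparison."""
    return sorted(records, key=lambda cve: -cvss.get(cve, 0.0))


if __name__ == "__main__":
    recs = parse_epss_csv(EPSS_CSV)
    print("CVSS only:", rank_by_cvss_only(recs, CVSS))
    print("EPSS+KEV :", [cve for cve, *_ in prioritise(recs, CVSS, KEV)])
```

Run stand-alone, the CVSS-only ordering puts the CVSS 10.0 and 9.8 entries first, while the EPSS-aware ordering moves the KEV-listed placeholder (CVSS 6.5) and the 90%-EPSS placeholder (CVSS 7.5) ahead of them; among the three real IDs, which all sit at 0.12%, CVSS decides the tie. To use live data, replace EPSS_CSV with the decompressed daily feed and KEV with the CVE IDs from the CISA KEV catalogue.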

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
