Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:
  CVEs with EPSS > 50%:      164
  CISA KEV listed:           156
  CVEs with an EPSS score:   35,468
  Average EPSS score:        0.7%
Rank  CVE ID          EPSS   Percentile  CVSS  Summary
9201  CVE-2025-12018  0.04%  11.1th      4.4   The MembershipWorks WordPress plugin is vulnerable to stored cross-site scripting (XSS) in admin set
9202  CVE-2025-23160  0.04%  11.1th      5.5   A resource leak vulnerability in the MediaTek video codec driver for Linux kernel allows attackers t
9203  CVE-2025-20076  0.04%  11.1th      5.0   An improper access control vulnerability in Intel Tiber Edge Platform's Edge Orchestrator software a
9204  CVE-2026-1371   0.04%  11.2th      5.3   This vulnerability in Tutor LMS WordPress plugin allows authenticated attackers with Subscriber-leve
9205  CVE-2025-21840  0.04%  11th        5.5   A Linux kernel vulnerability in the thermal netlink subsystem causes segmentation faults in userspac
9206  CVE-2022-49057  0.04%  11th        5.5   A memory leak vulnerability in the Linux kernel's null_blk block device driver allows timed-out poll
9207  CVE-2025-46267  0.04%  11.3th      4.9   A hidden debug functionality vulnerability exists in specific Elecom wireless routers. Remote attack
9208  CVE-2025-12558  0.04%  11.2th      4.3   The Beaver Builder WordPress plugin up to version 2.9.4 contains an information disclosure vulnerabi
9209  CVE-2026-21694  0.04%  11.2th      6.8   CVE-2026-21694 is an improper access control vulnerability in Titra time tracking software that allo
9210  CVE-2025-43934  0.04%  11.1th      6.0   This path traversal vulnerability in Dell PowerProtect Data Domain allows high-privileged local atta
9211  CVE-2026-0817   0.04%  11th        5.3   A missing authorization vulnerability in MediaWiki's CampaignEvents extension allows authenticated u
9212  CVE-2022-49064  0.04%  11th        5.5   A Linux kernel vulnerability in the cachefiles subsystem where error paths fail to clear the 'in-use
9213  CVE-2026-2109   0.04%  11.1th      5.4   This vulnerability allows unauthorized deletion of categories in jsbroks COCO Annotator through impr
9214  CVE-2025-8226   0.04%  11.3th      4.3   This vulnerability in ChanCMS allows remote attackers to access sensitive information by manipulatin
9215  CVE-2022-49582  0.04%  11th        5.5   A NULL pointer dereference vulnerability in the Linux kernel's DSA (Distributed Switch Architecture)
9216  CVE-2025-13496  0.04%  11.1th      5.3   The Moosend Landing Pages WordPress plugin up to version 1.1.6 has an authorization vulnerability th
9217  CVE-2025-10223  0.04%  11.3th      5.4   This vulnerability allows authenticated attackers (local or remote) to maintain access to the AxxonS
9218  CVE-2025-39907  0.04%  11.3th      5.5   A DMA mapping vulnerability in the Linux kernel's STM32 FMC2 NAND controller driver causes overlappi
9219  CVE-2025-70296  0.04%  11.3th      5.4   A stored HTML injection vulnerability in Mealie 3.3.1 allows authenticated users to inject arbitrary
9220  CVE-2025-51540  0.04%  11.2th      5.3   EzGED3 3.5.0 uses MD5 double-hashing without salting for password storage, making stored credentials
9221  CVE-2025-13123  0.04%  11th        6.3   This CVE describes a SQL injection vulnerability in AMTT Hotel Broadband Operation System 1.0. Attac
9222  CVE-2025-62013  0.04%  11th        4.3   This CVE describes a missing authorization vulnerability in the POSIMYTH UiChemy WordPress plugin. I
9223  CVE-2025-12263  0.04%  11th        6.3   This SQL injection vulnerability in code-projects Online Event Judging System 1.0 allows attackers t
9224  CVE-2025-13667  0.04%  10.7th      6.4   The WP Recipe Manager WordPress plugin has a stored XSS vulnerability in the 'Skill Level' field tha
9225  CVE-2024-50618  0.04%  10.6th      4.3   CVE-2024-50618 is an authentication bypass vulnerability in CIPPlanner CIPAce software where attacke
9226  CVE-2026-23623  0.04%  10.8th      5.3   This vulnerability allows users with view-only access to download files they shouldn't be able to ac
9227  CVE-2025-13841  0.04%  10.7th      6.4   The Smart App Banners WordPress plugin has a stored XSS vulnerability that allows authenticated atta
9228  CVE-2025-13847  0.04%  10.7th      6.4   The PhotoFade WordPress plugin has a stored XSS vulnerability in the 'time' parameter that allows au
9229  CVE-2025-13848  0.04%  10.7th      6.4   The STM Gallery WordPress plugin versions up to 0.9 have a stored cross-site scripting vulnerability
9230  CVE-2025-65442  0.04%  10.7th      6.1   This DOM-based XSS vulnerability in novel V3.5.0 allows attackers to execute arbitrary JavaScript in
9231  CVE-2025-57888  0.04%  10.8th      5.3   This vulnerability in the NooTheme Jobmonster WordPress theme allows unauthorized users to retrieve
9232  CVE-2026-24945  0.04%  10.7th      5.3   This CVE describes a Missing Authorization vulnerability in the Ultimate Addons for Contact Form 7 W
9233  CVE-2025-13849  0.04%  10.7th      6.4   The Cool YT Player WordPress plugin has a stored XSS vulnerability in the 'videoid' parameter that a
9234  CVE-2025-62027  0.04%  11th        5.4   This CVE describes a Missing Authorization vulnerability in the StellarWP Event Tickets WordPress pl
9235  CVE-2025-20324  0.04%  10.6th      5.4   This vulnerability allows low-privileged Splunk users without admin or power roles to create or over
9236  CVE-2025-13887  0.04%  10.7th      6.4   This stored XSS vulnerability in the AI BotKit WordPress plugin allows authenticated attackers with
9237  CVE-2025-11646  0.04%  10.6th      6.3   This vulnerability allows attackers on the same local network to bypass access controls in Tomofun F
9238  CVE-2025-46388  0.04%  10.7th      4.3   CVE-2025-46388 is an information disclosure vulnerability (CWE-200) that allows unauthorized actors
9239  CVE-2025-13367  0.04%  10.7th      6.4   This stored XSS vulnerability in the User Registration & Membership WordPress plugin allows authenti
9240  CVE-2025-13608  0.04%  10.8th      6.4   The CC Child Pages WordPress plugin has a stored cross-site scripting vulnerability that allows auth
9241  CVE-2025-62048  0.04%  11th        5.4   This CVE describes a missing authorization vulnerability in the SmartCrawl SEO WordPress plugin that
9242  CVE-2025-13610  0.04%  10.8th      6.4   This stored XSS vulnerability in the RegistrationMagic WordPress plugin allows authenticated attacke
9243  CVE-2025-62052  0.04%  11th        4.3   This CVE describes a Missing Authorization vulnerability in the One Page Express Companion WordPress
9244  CVE-2025-14053  0.04%  10.7th      6.4   The Wish To Go WordPress plugin has a stored XSS vulnerability that allows authenticated attackers w
9245  CVE-2025-13728  0.04%  10.8th      6.4   This vulnerability allows authenticated WordPress users with contributor-level access or higher to i
9246  CVE-2025-60783  0.04%  10.9th      6.5   This SQL injection vulnerability in Restaurant Management System DBMS Project v1.0 allows attackers
9247  CVE-2024-44654  0.04%  10.9th      6.5   This vulnerability allows attackers to execute arbitrary SQL commands through the email and mobileno
9248  CVE-2025-5900   0.04%  10.6th      4.3   This CSRF vulnerability in Tenda AC9 routers allows attackers to trick authenticated users into perf
9249  CVE-2025-14109  0.04%  10.7th      6.4   The AH Shortcodes WordPress plugin has a stored XSS vulnerability in the 'column' shortcode attribut
9250  CVE-2024-44658  0.04%  10.9th      6.5   PHPGurukul Complaint Management System 2.0 contains a SQL injection vulnerability in the subcategory

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
