Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. A higher score means a higher estimated probability that the CVE will be exploited in the wild within the next 30 days. FIRST.org recalculates the scores daily, so the ranking is a snapshot. This page shows ranks 9251 to 9300 of the list; every entry here sits at 0.12% EPSS, around the 30th percentile, well below the "most exploitable" head of the list.

EPSS > 50%: 164
CISA KEV listed: 156
CVEs with EPSS: 35,468
Average EPSS score: 0.7%
| Rank | CVE ID | EPSS score | EPSS percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 9251 | CVE-2025-12076 | 0.12% | 30.6 | 6.1 | | The Social Media Auto Publish WordPress plugin contains a reflected cross-site scripting vulnerabili |
| 9252 | CVE-2025-12834 | 0.12% | 30.6 | 6.1 | | This vulnerability allows unauthenticated attackers to inject malicious scripts via the 'failure_mes |
| 9253 | CVE-2023-7335 | 0.12% | 30.5 | N/A | | EduSoho versions before 22.4.7 contain an unauthenticated path traversal vulnerability in the classr |
| 9254 | CVE-2026-23833 | 0.12% | 30.6 | 7.5 | | An integer overflow vulnerability in ESPHome's API protobuf decoder allows denial-of-service attacks |
| 9255 | CVE-2025-14875 | 0.12% | 30.6 | 6.1 | | The HBLPAY Payment Gateway for WooCommerce WordPress plugin contains a reflected cross-site scriptin |
| 9256 | CVE-2025-59389 | 0.12% | 30.5 | 9.8 | | An SQL injection vulnerability in Hyper Data Protector allows remote attackers to execute unauthoriz |
| 9257 | CVE-2025-48985 | 0.12% | 30.6 | 3.7 | | This vulnerability in Vercel's AI SDK allows users to bypass filetype whitelists when uploading file |
| 9258 | CVE-2025-70758 | 0.12% | 30.6 | 7.5 | | This CVE describes an authentication bypass vulnerability in chetans9 core-php-admin-panel where the |
| 9259 | CVE-2024-51670 | 0.12% | 30.5 | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the JS Help Desk WordPress plugin allows att |
| 9260 | CVE-2024-54523 | 0.12% | 30.4 | 6.3 | | This vulnerability allows an app to corrupt coprocessor memory due to insufficient bounds checks. It |
| 9261 | CVE-2025-24600 | 0.12% | 30.4 | 5.3 | | CVE-2025-24600 is a missing authorization vulnerability in the RSVPMaker WordPress plugin that allow |
| 9262 | CVE-2024-55959 | 0.12% | 30.3 | 9.1 | | CVE-2024-55959 is an insecure permissions vulnerability in Northern.tech Mender Client that allows l |
| 9263 | CVE-2025-22318 | 0.12% | 30.4 | 7.5 | | This CVE describes a Missing Authorization vulnerability in the Standard Box Sizes plugin for WooCom |
| 9264 | CVE-2025-0540 | 0.12% | 30.3 | 6.3 | | This vulnerability allows remote attackers to execute SQL injection attacks via the 'expcat' paramet |
| 9265 | CVE-2025-0536 | 0.12% | 30.3 | 6.3 | | A critical SQL injection vulnerability in 1000 Projects Attendance Tracking Management System 1.0 al |
| 9266 | CVE-2024-54540 | 0.12% | 30.4 | 4.3 | | This CVE describes an input sanitization vulnerability in Apple Music for Windows that could allow i |
| 9267 | CVE-2025-22560 | 0.12% | 30.4 | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Saoshyant Page Builder WordPress plu |
| 9268 | CVE-2025-0296 | 0.12% | 30.3 | 6.3 | | CVE-2025-0296 is a critical SQL injection vulnerability in code-projects Online Book Shop 1.0 that a |
| 9269 | CVE-2025-26965 | 0.12% | 30.4 | 5.3 | | This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in the Amelia WordPress |
| 9270 | CVE-2024-13500 | 0.12% | 30.4 | 6.5 | | This vulnerability allows authenticated attackers with Subscriber-level access or higher to perform |
| 9271 | CVE-2024-12379 | 0.12% | 30.4 | 6.5 | | This vulnerability allows attackers to cause denial of service in GitLab by creating unbounded symbo |
| 9272 | CVE-2025-1172 | 0.12% | 30.3 | 6.3 | | This critical SQL injection vulnerability in 1000 Projects Bookstore Management System 1.0 allows at |
| 9273 | CVE-2022-26388 | 0.12% | 30.3 | 6.4 | | This CVE describes a hard-coded password vulnerability in multiple Hillrom ELI electrocardiograph de |
| 9274 | CVE-2025-0943 | 0.12% | 30.3 | 6.3 | | CVE-2025-0943 is a critical SQL injection vulnerability in Tailoring Management System 1.0 that allo |
| 9275 | CVE-2025-28893 | 0.12% | 30.4 | 9.9 | | This CVE describes a critical remote code execution vulnerability in the Visual Text Editor WordPres |
| 9276 | CVE-2025-2655 | 0.12% | 30.4 | 7.3 | | This SQL injection vulnerability in SourceCodester AC Repair and Services System 1.0 allows attacker |
| 9277 | CVE-2025-2628 | 0.12% | 30.3 | 6.3 | | This critical vulnerability in PHPGurukul Art Gallery Management System 1.1 allows remote attackers |
| 9278 | CVE-2025-1311 | 0.12% | 30.4 | 6.5 | | This SQL injection vulnerability in the WooCommerce Multivendor Marketplace REST API plugin allows a |
| 9279 | CVE-2025-2602 | 0.12% | 30.3 | 6.3 | | This critical SQL injection vulnerability in SourceCodester Kortex Lite Advocate Office Management S |
| 9280 | CVE-2025-30334 | 0.12% | 30.3 | 6.5 | | A vulnerability in OpenBSD's wg(4) WireGuard implementation allows specially crafted network traffic |
| 9281 | CVE-2025-2471 | 0.12% | 30.3 | 6.3 | | This is a critical SQL injection vulnerability in PHPGurukul Boat Booking System 1.0 that allows rem |
| 9282 | CVE-2025-2373 | 0.12% | 30.3 | 6.3 | | This critical SQL injection vulnerability in PHPGurukul Human Metapneumovirus Testing Management Sys |
| 9283 | CVE-2025-27593 | 0.12% | 30.4 | 9.3 | | CVE-2025-27593 allows attackers to distribute malicious code via SDD Device Drivers due to missing d |
| 9284 | CVE-2025-2051 | 0.12% | 30.3 | 6.3 | | This critical SQL injection vulnerability in PHPGurukul Apartment Visitors Management System 1.0 all |
| 9285 | CVE-2025-2037 | 0.12% | 30.3 | 6.3 | | This critical SQL injection vulnerability in Blood Bank Management System 1.0 allows remote attacker |
| 9286 | CVE-2025-2033 | 0.12% | 30.3 | 6.3 | | A critical SQL injection vulnerability exists in code-projects Blood Bank Management System 1.0, spe |
| 9287 | CVE-2025-26988 | 0.12% | 30.4 | 9.3 | | This SQL injection vulnerability in the SMS Alert Order Notifications WooCommerce plugin allows atta |
| 9288 | CVE-2025-1855 | 0.12% | 30.3 | 6.3 | | This critical SQL injection vulnerability in PHPGurukul Online Shopping Portal 2.1 allows remote att |
| 9289 | CVE-2025-24346 | 0.12% | 30.3 | 7.5 | | A vulnerability in the Proxy functionality of ctrlX OS allows authenticated low-privileged attackers |
| 9290 | CVE-2025-30194 | 0.12% | 30.4 | 7.5 | | This vulnerability allows attackers to cause a denial of service in DNSdist by sending specially cra |
| 9291 | CVE-2025-3984 | 0.12% | 30.4 | 5.0 | | This critical vulnerability in Apereo CAS 5.2.6 allows remote attackers to execute arbitrary code th |
| 9292 | CVE-2025-30304 | 0.12% | 30.4 | 7.8 | | Adobe Framemaker versions 2020.8, 2022.6 and earlier contain an out-of-bounds write vulnerability th |
| 9293 | CVE-2025-30299 | 0.12% | 30.4 | 7.8 | | Adobe Framemaker versions 2020.8, 2022.6 and earlier contain a heap-based buffer overflow vulnerabil |
| 9294 | CVE-2025-30297 | 0.12% | 30.4 | 7.8 | | Adobe Framemaker versions 2020.8, 2022.6 and earlier contain an out-of-bounds write vulnerability th |
| 9295 | CVE-2025-30295 | 0.12% | 30.4 | 7.8 | | Adobe Framemaker versions 2020.8, 2022.6 and earlier contain a heap-based buffer overflow vulnerabil |
| 9296 | CVE-2025-27195 | 0.12% | 30.4 | 7.8 | | CVE-2025-27195 is a heap-based buffer overflow vulnerability in Adobe Media Encoder that could allow |
| 9297 | CVE-2025-27193 | 0.12% | 30.4 | 7.8 | | CVE-2025-27193 is a heap-based buffer overflow vulnerability in Adobe Bridge that could allow arbitr |
| 9298 | CVE-2025-27182 | 0.12% | 30.4 | 7.8 | | CVE-2025-27182 is an out-of-bounds write vulnerability in Adobe After Effects that could allow arbit |
| 9299 | CVE-2025-31170 | 0.12% | 30.4 | 8.4 | | This CVE describes an access control vulnerability in Huawei's security verification module that all |
| 9300 | CVE-2024-58126 | 0.12% | 30.4 | 8.4 | | This CVE describes an authentication bypass vulnerability in Huawei's security verification module t |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Each CVE also receives a percentile, its position relative to every other scored CVE. Unlike CVSS, which measures the severity of a successful exploit, EPSS measures the likelihood that exploitation will happen at all, which makes it a better signal for deciding which vulnerabilities to patch first.

Why EPSS matters: with thousands of CVEs published every month, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited rather than patching solely by CVSS score. A CVSS 9.8 "critical" with 0.1% EPSS may be less urgent than a CVSS 7.5 "high" with 90% EPSS. EPSS is still a prediction: a CVE in the CISA Known Exploited Vulnerabilities (KEV) catalog has confirmed exploitation and should be treated as urgent regardless of its EPSS score.
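As an added worked example (not code from this page or from FIRST.org), the script below applies that prioritization rule to a small constructed inventory. It parses EPSS scores in the layout of FIRST's daily CSV export (one leading `#` metadata line, then `cve,epss,percentile` rows), joins them with a set of CISA KEV IDs and the CVSS scores found on your hosts, and sorts KEV entries first, then anything above an EPSS threshold, then everything else by EPSS and CVSS. All CVE IDs, scores and the KEV set are made up for illustration, and the 10% threshold is an assumed policy value, not an EPSS recommendation.

```python
"""Prioritise a CVE inventory by CISA KEV, then EPSS, then CVSS.

Added example; not code from the page or from FIRST.org. It assumes the
layout of FIRST's bulk EPSS CSV (one '#' metadata line, then
cve,epss,percentile) and a KEV catalogue already reduced to a set of IDs.
Every value below is constructed for illustration.
"""
import csv
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of FIRST's daily EPSS CSV export.
# The IDs and numbers are made up; real files hold ~280k rows.
EPSS_CSV = """\
#model_version:v2025.03.14,score_date:2025-06-01T00:00:00+0000
cve,epss,percentile
CVE-2024-0001,0.00120,0.30500
CVE-2024-0002,0.90100,0.99800
CVE-2024-0003,0.00085,0.25100
CVE-2024-0004,0.45000,0.97300
"""

# Constructed: CVE IDs that appear in CISA KEV (the real catalogue is a JSON feed).
KEV_IDS = {"CVE-2024-0003"}

# Constructed asset inventory: CVE -> CVSS base score observed on your hosts.
INVENTORY = {
    "CVE-2024-0001": 9.8,   # critical CVSS, near-zero EPSS
    "CVE-2024-0002": 7.5,   # high CVSS, very high EPSS
    "CVE-2024-0003": 5.4,   # medium CVSS, but listed in KEV
    "CVE-2024-0004": 8.1,   # high CVSS, EPSS above threshold
    "CVE-2024-0005": 9.1,   # no EPSS row published yet
}

# Assumed policy value: EPSS at or above this goes into the "patch now" tier.
EPSS_THRESHOLD = 0.10


@dataclass
class Finding:
    cve: str
    cvss: float
    epss: Optional[float]        # None when FIRST has not scored the CVE
    percentile: Optional[float]
    kev: bool


def parse_epss_csv(text: str) -> dict:
    """Parse FIRST-style EPSS CSV, skipping the leading '#' metadata line."""
    rows = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    reader = csv.DictReader(rows)
    return {r["cve"]: (float(r["epss"]), float(r["percentile"])) for r in reader}


def priority_key(f: Finding, threshold: float = EPSS_THRESHOLD) -> tuple:
    """Sort key: KEV first, then EPSS >= threshold, then EPSS desc, CVSS desc.

    An unscored CVE is ranked as if EPSS were 0 but keeps CVSS as tie-breaker,
    so it lands next to other low-EPSS findings rather than being dropped.
    """
    epss = f.epss if f.epss is not None else 0.0
    return (0 if f.kev else 1, 0 if epss >= threshold else 1, -epss, -f.cvss)


def prioritise(inventory: dict, epss_text: str, kev_ids: set,
               threshold: float = EPSS_THRESHOLD) -> list:
    """Join inventory with EPSS and KEV data and return findings in patch order."""
    scores = parse_epss_csv(epss_text)
    findings = []
    for cve, cvss in inventory.items():
        epss, pct = scores.get(cve, (None, None))
        findings.append(Finding(cve, cvss, epss, pct, cve in kev_ids))
    return sorted(findings, key=lambda f: priority_key(f, threshold))


if __name__ == "__main__":
    for f in prioritise(INVENTORY, EPSS_CSV, KEV_IDS):
        epss = f"{f.epss:.2%}" if f.epss is not None else "n/a"
        print(f"{f.cve}  EPSS={epss:>7}  CVSS={f.cvss:<4}  {'KEV' if f.kev else ''}")
```

Two details matter in practice. The KEV entry (CVSS 5.4, EPSS 0.085%) sorts above everything else because KEV records confirmed exploitation rather than a prediction. And the CVE with no EPSS row is printed as `n/a`, not `0.00%`: a missing score usually means the CVE is too new to have been modelled, which is not the same as evidence that it is safe.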

Prioritize by Exploit Risk

Scan your servers and see which of your vulnerabilities have the highest EPSS scores, so you patch the ones attackers are most likely to target first.
