Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. The EPSS score is the estimated probability that the CVE will be exploited in the wild within the next 30 days, so a higher score means a greater likelihood of exploitation; the percentile column places that score relative to all CVEs that FIRST has scored. This page shows ranks 9251 to 9300. Every entry on it has an EPSS score that rounds to 0.04%, so the differences between these rows are negligible for prioritization purposes.

Summary statistics for the ranked set:
- 164 CVEs with EPSS > 50%
- 156 CVEs listed in CISA KEV
- 35,468 CVEs with an EPSS score
- 0.7% average EPSS score
Summaries are truncated at about 100 characters on the source page and are reproduced as shown there. The Flags column is empty for every row on this page.

| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 9251 | CVE-2025-48478 | 0.04% | 10.8th | 4.9 | | FreeScout versions before 1.8.180 have a mass assignment vulnerability during user creation that all |
| 9252 | CVE-2026-24967 | 0.04% | 10.8th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Amelia WordPress booking plugin that |
| 9253 | CVE-2024-44660 | 0.04% | 10.9th | 6.5 | | PHPGurukul Online Shopping Portal 2.0 contains SQL injection vulnerabilities in the login.php page t |
| 9254 | CVE-2025-7845 | 0.04% | 10.6th | 6.4 | | The Stratum – Elementor Widgets WordPress plugin has a stored XSS vulnerability that allows authen |
| 9255 | CVE-2026-24982 | 0.04% | 10.8th | 5.3 | | This CVE describes a missing authorization vulnerability in the Spectra plugin for WordPress, allowi |
| 9256 | CVE-2025-14112 | 0.04% | 10.7th | 6.4 | | The Snillrik Restaurant plugin for WordPress has a stored cross-site scripting vulnerability in the |
| 9257 | CVE-2025-66308 | 0.04% | 10.8th | 5.4 | | A stored XSS vulnerability in Grav's admin plugin allows attackers to inject malicious scripts into |
| 9258 | CVE-2024-44662 | 0.04% | 10.9th | 6.5 | | PHPGurukul Online Shopping Portal 2.0 contains a SQL injection vulnerability in the admin login page |
| 9259 | CVE-2025-11536 | 0.04% | 11th | 5.0 | | This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to pe |
| 9260 | CVE-2025-52619 | 0.04% | 10.9th | 5.3 | | HCL BigFix SaaS Authentication Service discloses sensitive version information through error message |
| 9261 | CVE-2025-14113 | 0.04% | 10.7th | 6.4 | | The Viitor Button Shortcodes WordPress plugin has a stored XSS vulnerability in all versions up to 3 |
| 9262 | CVE-2024-44663 | 0.04% | 10.9th | 6.5 | | PHPGurukul Online Shopping Portal 2.0 contains a SQL injection vulnerability in the product paramete |
| 9263 | CVE-2025-62070 | 0.04% | 11th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the WPXPO WowRevenue WordPress plugin th |
| 9264 | CVE-2025-7726 | 0.04% | 10.6th | 6.4 | | This vulnerability allows authenticated WordPress users with Contributor-level access or higher to i |
| 9265 | CVE-2025-14114 | 0.04% | 10.7th | 6.4 | | The 1180px Shortcodes WordPress plugin has a stored XSS vulnerability that allows authenticated atta |
| 9266 | CVE-2025-66310 | 0.04% | 10.8th | 5.4 | | A stored XSS vulnerability in Grav's admin plugin allows attackers to inject malicious scripts into |
| 9267 | CVE-2025-62071 | 0.04% | 11th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the Repuso Social Proof Testimonials and |
| 9268 | CVE-2025-66311 | 0.04% | 10.8th | 5.4 | | This stored XSS vulnerability in Grav's admin plugin allows attackers to inject malicious scripts in |
| 9269 | CVE-2025-62072 | 0.04% | 11th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the Rustaurius Front End Users WordPress |
| 9270 | CVE-2025-14121 | 0.04% | 10.7th | 6.4 | | The EDD Download Info WordPress plugin has a stored XSS vulnerability in all versions up to 1.1. Aut |
| 9271 | CVE-2025-66312 | 0.04% | 10.8th | 5.4 | | A stored cross-site scripting (XSS) vulnerability in Grav's admin plugin allows attackers to inject |
| 9272 | CVE-2025-62073 | 0.04% | 11th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the Sovlix MeetingHub WordPress plugin t |
| 9273 | CVE-2026-24991 | 0.04% | 10.8th | 5.3 | | This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in the Extensions For CF |
| 9274 | CVE-2025-14122 | 0.04% | 10.7th | 6.4 | | The AD Sliding FAQ WordPress plugin has a stored XSS vulnerability that allows authenticated attacke |
| 9275 | CVE-2024-44664 | 0.04% | 10.9th | 6.5 | | PHPGurukul Online Shopping Portal 2.0 contains a SQL injection vulnerability in product-details.php |
| 9276 | CVE-2026-24994 | 0.04% | 10.8th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Sunshine Photo Cart WordPress plugin |
| 9277 | CVE-2025-14387 | 0.04% | 10.8th | 6.4 | | This stored XSS vulnerability in the LearnPress WordPress plugin allows authenticated attackers with |
| 9278 | CVE-2026-24997 | 0.04% | 10.7th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Wired Impact Volunteer Management Wo |
| 9279 | CVE-2025-14144 | 0.04% | 10.7th | 6.4 | | The Mstoic Shortcodes WordPress plugin has a stored XSS vulnerability in its YouTube embed shortcode |
| 9280 | CVE-2025-14145 | 0.04% | 10.7th | 6.4 | | The Niche Hero WordPress plugin has a stored XSS vulnerability in the 'spacing' parameter of the nh_ |
| 9281 | CVE-2026-25010 | 0.04% | 10.7th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the WordPress Share This Image plugin th |
| 9282 | CVE-2025-14147 | 0.04% | 10.7th | 6.4 | | This vulnerability allows authenticated WordPress users with Contributor-level access or higher to i |
| 9283 | CVE-2024-13063 | 0.04% | 10.9th | 6.8 | | This vulnerability allows attackers to bypass authorization controls in Akinsoft MyRezzta by manipul |
| 9284 | CVE-2025-49604 | 0.04% | 10.9th | 5.4 | | A heap-based buffer overflow vulnerability in Realtek AmebaD devices' WLAN driver defragment functio |
| 9285 | CVE-2026-25012 | 0.04% | 10.8th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the WP Bannerize Pro WordPress plugin th |
| 9286 | CVE-2023-52986 | 0.04% | 10.8th | 5.5 | | A Linux kernel vulnerability in the BPF sockmap subsystem allows improper handling of cloned listeni |
| 9287 | CVE-2025-14453 | 0.04% | 10.7th | 6.4 | | The My Album Gallery WordPress plugin has a stored XSS vulnerability that allows authenticated attac |
| 9288 | CVE-2025-13303 | 0.04% | 11th | 6.3 | | This CVE describes a SQL injection vulnerability in the Courier Management System 1.0 by code-projec |
| 9289 | CVE-2025-6228 | 0.04% | 10.6th | 6.4 | | This vulnerability allows authenticated attackers with Contributor-level access or higher to inject |
| 9290 | CVE-2024-57793 | 0.04% | 10.7th | 5.5 | | This vulnerability in the Linux kernel's TDX guest module could allow an untrusted hypervisor to cau |
| 9291 | CVE-2026-24525 | 0.04% | 10.7th | 5.3 | | This vulnerability allows unauthorized users to exploit incorrectly configured access control in Clo |
| 9292 | CVE-2026-22348 | 0.04% | 10.8th | 5.3 | | This CVE describes a missing authorization vulnerability in the Civic Cookie Control WordPress plugi |
| 9293 | CVE-2025-10081 | 0.04% | 10.7th | 4.7 | | This vulnerability in SourceCodester Pet Management System 1.0 allows remote attackers to upload arb |
| 9294 | CVE-2026-25019 | 0.04% | 10.7th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Atarim Visual Collaboration WordPres |
| 9295 | CVE-2021-47920 | 0.04% | 10.6th | 5.4 | | WebMO Job Manager 20.0 contains a reflected cross-site scripting vulnerability in search parameters |
| 9296 | CVE-2026-24529 | 0.04% | 10.7th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Quick Restaurant Reservations WordPr |
| 9297 | CVE-2025-12781 | 0.04% | 10.7th | 5.3 | | This CVE describes a base64 decoding inconsistency in Python's base64 module where '+' and '/' chara |
| 9298 | CVE-2026-24530 | 0.04% | 10.7th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the sheepfish WebP Conversion WordPress |
| 9299 | CVE-2025-43784 | 0.04% | 10.7th | 6.5 | | This CVE describes an improper access control vulnerability in Liferay Portal and DXP where guest us |
| 9300 | CVE-2025-14626 | 0.04% | 10.7th | 6.4 | | This vulnerability allows authenticated WordPress users with contributor-level access or higher to i |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by the EPSS Special Interest Group at FIRST. It estimates the probability that a CVE will be exploited in the wild within the next 30 days, using exploitation activity observed by FIRST's data partners together with features of the vulnerability itself. CVSS measures severity (what an exploit could do); EPSS measures likelihood (whether anyone is expected to try). Because the two answer different questions, EPSS is a useful complement to CVSS, not a replacement for it, when deciding what to patch first. Scores are recomputed daily, so a score copied into a ticket or spreadsheet goes stale and should be re-queried before it is acted on.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited rather than patching solely by CVSS score. A CVSS 9.8 (critical) vulnerability with 0.1% EPSS may be less urgent than a CVSS 7.5 (high) vulnerability with 90% EPSS. Two caveats apply. EPSS reflects global attacker interest, not whether a particular asset is reachable or what it protects, so exposure still has to be judged locally. And a CVE already listed in CISA KEV is known to be exploited regardless of its EPSS score, so KEV membership should override a low EPSS value.
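One way to apply this prioritization in practice, as an added example that is not part of the original page or of FIRST's own tooling: the script below parses a response in the shape returned by the EPSS API (https://api.first.org/data/v1/epss), joins it to an inventory of CVSS scores and CISA KEV flags, and orders the CVEs by a triage tier that puts KEV entries first, then high-EPSS entries, then critical-CVSS entries. The CVE identifiers, scores, KEV flags and the 10% EPSS threshold are constructed or assumed for illustration; the API response shape is assumed from the published API rather than fetched, so the example runs offline. A CVE that EPSS has not scored yet is kept in the ordering by its CVSS rather than silently dropped.

```python
"""Rank CVEs for patching by exploit likelihood (EPSS) and CISA KEV, not CVSS alone.

Added example; not code from the original page or from FIRST. The JSON below is a
constructed sample whose shape is assumed to match the EPSS API
(https://api.first.org/data/v1/epss?cve=...), which serialises scores as strings.
"""
import json
from typing import NamedTuple, Optional

# Constructed sample response (assumed API shape; the scores are not real).
EPSS_API_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-2024-00001", "epss": "0.001", "percentile": "0.40", "date": "2026-01-01"},
        {"cve": "CVE-2024-00002", "epss": "0.9", "percentile": "0.995", "date": "2026-01-01"},
        {"cve": "CVE-2024-00003", "epss": "0.0004", "percentile": "0.108", "date": "2026-01-01"},
        {"cve": "CVE-2024-00004", "epss": "0.2", "percentile": "0.96", "date": "2026-01-01"},
    ],
})

# Constructed sample inventory: CVSS base score and CISA KEV membership per CVE.
# CVE-2024-00005 is deliberately absent from the EPSS data to exercise the unscored path.
INVENTORY = {
    "CVE-2024-00001": {"cvss": 9.8, "kev": False},  # critical CVSS, negligible EPSS
    "CVE-2024-00002": {"cvss": 7.5, "kev": False},  # high CVSS, 90% EPSS
    "CVE-2024-00003": {"cvss": 6.5, "kev": False},  # medium CVSS, floor-level EPSS
    "CVE-2024-00004": {"cvss": 5.3, "kev": True},   # known exploited: KEV wins
    "CVE-2024-00005": {"cvss": 9.8, "kev": False},  # not yet scored by EPSS
}


class Scored(NamedTuple):
    cve: str
    cvss: float
    kev: bool
    epss: Optional[float]        # None when EPSS has no score for this CVE yet
    percentile: Optional[float]


def parse_epss(raw_json: str) -> dict:
    """Map CVE id -> (epss, percentile). Rejects a non-OK status instead of returning {}."""
    payload = json.loads(raw_json)
    if payload.get("status") != "OK":
        raise ValueError(f"EPSS API returned status {payload.get('status')!r}")
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in payload["data"]}


def triage_tier(item: Scored, epss_threshold: float = 0.10) -> int:
    """Lower tier is fixed first. The thresholds are illustrative policy, not FIRST guidance.

    0: in CISA KEV (exploitation already observed; EPSS is moot)
    1: EPSS at or above the threshold (likely to be exploited soon)
    2: critical CVSS (9.0+) with low or missing EPSS (severe if it is ever exploited)
    3: everything else
    """
    if item.kev:
        return 0
    if item.epss is not None and item.epss >= epss_threshold:
        return 1
    if item.cvss >= 9.0:
        return 2
    return 3


def prioritize(raw_json: str, inventory: dict, epss_threshold: float = 0.10) -> list:
    """Return CVE ids in patch order: by tier, then EPSS descending, then CVSS descending."""
    scores = parse_epss(raw_json)
    items = [
        Scored(cve, meta["cvss"], meta["kev"], *scores.get(cve, (None, None)))
        for cve, meta in inventory.items()
    ]
    items.sort(key=lambda s: (triage_tier(s, epss_threshold), -(s.epss or 0.0), -s.cvss))
    return [s.cve for s in items]


if __name__ == "__main__":
    scores = parse_epss(EPSS_API_RESPONSE)
    for rank, cve in enumerate(prioritize(EPSS_API_RESPONSE, INVENTORY), start=1):
        epss, pct = scores.get(cve, (None, None))
        label = "unscored" if epss is None else f"EPSS {epss:.1%} (percentile {pct:.3f})"
        meta = INVENTORY[cve]
        print(f"{rank}. {cve}  CVSS {meta['cvss']}  KEV={meta['kev']}  {label}")
```

In a real run, EPSS_API_RESPONSE would be the body of a GET against the API for the CVEs in the inventory, fetched at triage time rather than stored, since scores are recomputed daily. The ordering the sample produces puts the KEV-listed CVSS 5.3 first and the CVSS 7.5 with 90% EPSS ahead of the CVSS 9.8 with 0.1% EPSS, which is the comparison made in the paragraph above.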
