Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary
9351 | CVE-2025-46660 | 0.04% | 10.8th | 5.3 |  | This vulnerability in 4C Strategies Exonaut 21.6 allows attackers to more easily crack user password
9352 | CVE-2025-26047 | 0.04% | 10.9th | 5.1 |  | Loggrove v1.0 contains a SQL injection vulnerability in the read.py file that allows attackers to ex
9353 | CVE-2025-66500 | 0.04% | 10.9th | 6.3 |  | A stored cross-site scripting vulnerability in webplugins.foxit.com allows attackers to inject malic
9354 | CVE-2025-64212 | 0.04% | 11th | 5.4 |  | This CVE describes a missing authorization vulnerability in the MasterStudy LMS Pro WordPress plugin
9355 | CVE-2025-66501 | 0.04% | 10.9th | 6.3 |  | A stored cross-site scripting vulnerability in Foxit eSign's pdfonline.foxit.com allows attackers to
9356 | CVE-2025-55704 | 0.04% | 10.9th | 5.3 |  | A hidden functionality vulnerability in Brother MFP devices allows attackers to access device logs c
9357 | CVE-2025-14193 | 0.04% | 11th | 6.3 |  | This SQL injection vulnerability in Employee Profile Management System 1.0 allows attackers to manip
9358 | CVE-2025-66502 | 0.04% | 10.9th | 6.3 |  | A stored XSS vulnerability in Foxit PDF Online's Page Templates feature allows attackers to inject m
9359 | CVE-2025-8295 | 0.04% | 10.6th | 6.4 |  | The Employee Directory WordPress plugin up to version 4.5.1 has a stored XSS vulnerability in the 'n
9360 | CVE-2025-42891 | 0.04% | 10.9th | 5.5 |  | CVE-2025-42891 is a missing authorization vulnerability in SAP Enterprise Search for ABAP that allow
9361 | CVE-2025-66519 | 0.04% | 10.9th | 6.3 |  | A stored XSS vulnerability in Foxit PDF Online's Layer Import functionality allows attackers to inje
9362 | CVE-2025-66520 | 0.04% | 10.9th | 6.3 |  | A stored XSS vulnerability in Foxit PDF Editor cloud's Portfolio feature allows attackers to upload
9363 | CVE-2026-24568 | 0.04% | 10.8th | 5.3 |  | This CVE describes a missing authorization vulnerability in the WP Travel WordPress plugin that allo
9364 | CVE-2025-12498 | 0.04% | 10.9th | 4.3 |  | The EventPrime WordPress plugin allows authenticated users with Subscriber-level access or higher to
9365 | CVE-2025-13171 | 0.04% | 11th | 6.3 |  | This SQL injection vulnerability in ZZCMS 2023 allows remote attackers to execute arbitrary SQL comm
9366 | CVE-2025-62293 | 0.04% | 11th | 5.4 |  | SOPlanning versions before 1.55 have a broken access control vulnerability in the /status endpoint t
9367 | CVE-2025-66522 | 0.04% | 10.9th | 6.3 |  | A stored cross-site scripting vulnerability in Foxit PDF Editor Cloud allows attackers to inject mal
9368 | CVE-2025-13172 | 0.04% | 11th | 6.3 |  | This CVE describes a SQL injection vulnerability in CodeAstro Gym Management System 1.0 that allows
9369 | CVE-2025-11747 | 0.04% | 10.7th | 6.4 |  | The Colibri Page Builder WordPress plugin has a stored XSS vulnerability that allows authenticated a
9370 | CVE-2025-64234 | 0.04% | 11th | 4.3 |  | This CVE describes a missing authorization vulnerability in the Evergreen Content Poster WordPress p
9371 | CVE-2025-61194 | 0.04% | 10.9th | 6.5 |  | CVE-2025-61194 is a SQL injection vulnerability in daicuocms V1.3.13 that allows attackers to execut
9372 | CVE-2026-24577 | 0.04% | 10.8th | 5.3 |  | This CVE describes a Missing Authorization vulnerability in the Pie Register WordPress plugin that a
9373 | CVE-2025-14203 | 0.04% | 11th | 6.3 |  | This SQL injection vulnerability in code-projects Question Paper Generator allows attackers to manip
9374 | CVE-2025-49907 | 0.04% | 11th | 4.3 |  | This CVE describes a missing authorization vulnerability in the RealMag777 MDTF WordPress plugin tha
9375 | CVE-2025-12372 | 0.04% | 10.9th | 4.3 |  | The Permalinks Cascade WordPress plugin has a missing authorization vulnerability that allows authen
9376 | CVE-2025-3227 | 0.04% | 10.7th | 4.3 |  | This vulnerability allows authenticated Mattermost users without proper channel management permissio
9377 | CVE-2026-24583 | 0.04% | 10.8th | 5.3 |  | This CVE describes a missing authorization vulnerability in the SumUp Payment Gateway for WooCommerc
9378 | CVE-2025-12304 | 0.04% | 10.9th | 4.3 |  | This vulnerability allows attackers to bypass authorization checks in the TIME-SEA-PLUS software's o
9379 | CVE-2023-53893 | 0.04% | 10.6th | 6.5 |  | Ateme TITAN File 3.9.12.4 contains an authenticated server-side request forgery vulnerability in the
9380 | CVE-2025-49920 | 0.04% | 11th | 5.4 |  | This CVE describes a missing authorization vulnerability in the accessiBe WordPress plugin that allo
9381 | CVE-2026-1537 | 0.04% | 10.6th | 5.3 |  | This vulnerability in the LatePoint WordPress plugin allows unauthenticated attackers to access sens
9382 | CVE-2025-11376 | 0.04% | 10.8th | 6.4 |  | The Colibri Page Builder WordPress plugin has a stored cross-site scripting vulnerability in its 'co
9383 | CVE-2025-12961 | 0.04% | 10.9th | 4.3 |  | The Download Panel WordPress plugin has a missing capability check that allows authenticated users w
9384 | CVE-2025-12962 | 0.04% | 10.8th | 6.4 |  | The Local Syndication WordPress plugin has a Server-Side Request Forgery (SSRF) vulnerability that a
9385 | CVE-2025-11587 | 0.04% | 10.9th | 4.3 |  | This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to li
9386 | CVE-2025-62881 | 0.04% | 11th | 4.3 |  | This CVE describes a missing authorization vulnerability in WP-Lister Lite for eBay WordPress plugin
9387 | CVE-2025-62882 | 0.04% | 11th | 4.3 |  | This CVE describes a missing authorization vulnerability in the Seriously Simple Podcasting WordPres
9388 | CVE-2025-54806 | 0.04% | 10.9th | 6.1 |  | GROWI v4.2.7 and earlier contains a stored cross-site scripting vulnerability in the page alert func
9389 | CVE-2025-62883 | 0.04% | 11th | 4.3 |  | This CVE describes a Missing Authorization vulnerability in the Premmerce User Roles WordPress plugi
9390 | CVE-2025-50926 | 0.04% | 10.6th | 6.5 |  | This SQL injection vulnerability in Easy Hosting Control Panel allows attackers to manipulate databa
9391 | CVE-2026-24366 | 0.04% | 10.7th | 5.3 |  | This CVE describes a Missing Authorization vulnerability in YITH WooCommerce Request A Quote plugin
9392 | CVE-2025-12109 | 0.04% | 10.8th | 6.4 |  | This vulnerability allows authenticated WordPress users with Contributor-level access or higher to i
9393 | CVE-2025-43495 | 0.04% | 11th | 5.4 |  | This vulnerability allows malicious iOS/iPadOS apps to monitor keystrokes without user permission, p
9394 | CVE-2025-68468 | 0.04% | 10.9th | 6.5 |  | This vulnerability allows remote attackers to crash the Avahi daemon by sending malicious mDNS annou
9395 | CVE-2025-12376 | 0.04% | 11th | 6.4 |  | The Icon List Block WordPress plugin contains a Server-Side Request Forgery vulnerability that allow
9396 | CVE-2025-12926 | 0.04% | 11th | 6.3 |  | This SQL injection vulnerability in SourceCodester Farm Management System 1.0 allows attackers to ma
9397 | CVE-2025-13705 | 0.04% | 10.7th | 6.4 |  | The Custom Frames WordPress plugin has a stored XSS vulnerability in all versions up to 1.0.1. Authe
9398 | CVE-2025-53112 | 0.04% | 11th | 4.3 |  | CVE-2025-53112 is an improper access control vulnerability in GLPI that allows unauthorized users to
9399 | CVE-2025-10476 | 0.04% | 10.9th | 4.3 |  | The WP Fastest Cache WordPress plugin has an authorization bypass vulnerability that allows authenti
9400 | CVE-2025-49937 | 0.04% | 11th | 4.3 |  | This vulnerability allows attackers to bypass authorization controls in the Smash Balloon Social Pos

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with a 0.1% EPSS score may be less urgent than a high CVSS 7.5 vulnerability with a 90% EPSS score.

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
