Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Ranks 9401 to 9450 of the 35,468 scored CVEs, sorted by EPSS descending. Every row in this slice sits at an EPSS of 0.04%, around the 11th percentile. No row on this page carries a flag, so the Flags column is omitted; summaries are cut off as on the original page.

Rank | CVE ID | EPSS Score | Percentile | CVSS | Summary (truncated)
9401 | CVE-2025-25580 | 0.04% | 10.7th | 6.1 | This SQL injection vulnerability in yimioa allows attackers to execute arbitrary SQL commands throug
9402 | CVE-2025-13742 | 0.04% | 10.9th | 6.1 | This vulnerability in pretix allows attackers to inject HTML/Markdown content into emails by using m
9403 | CVE-2025-62393 | 0.04% | 10.7th | 4.3 | This vulnerability allows unauthorized users to view limited course information they shouldn't have
9404 | CVE-2025-6133 | 0.04% | 10.8th | 6.3 | This critical SQL injection vulnerability in Projectworlds Life Insurance Management System 1.0 allo
9405 | CVE-2025-25590 | 0.04% | 10.7th | 6.1 | This SQL injection vulnerability in yimioa allows attackers to execute arbitrary SQL commands throug
9406 | CVE-2026-2208 | 0.04% | 10.9th | 4.3 | This CVE describes a missing authorization vulnerability in WeKan's Rules Handler component that all
9407 | CVE-2025-11909 | 0.04% | 11th | 6.3 | This CVE describes a SQL injection vulnerability in Shenzhen Ruiming Technology's Streamax Crocus sy
9408 | CVE-2025-13057 | 0.04% | 11th | 6.3 | Campcodes School Fees Payment Management System 1.0 contains a SQL injection vulnerability in the /a
9409 | CVE-2025-8841 | 0.04% | 10.9th | 6.3 | This vulnerability allows remote attackers to upload arbitrary files to zlt2000 microservices-platfo
9410 | CVE-2025-6255 | 0.04% | 10.6th | 6.4 | This stored XSS vulnerability in the Dynamic AJAX Product Filters for WooCommerce WordPress plugin a
9411 | CVE-2025-13839 | 0.04% | 10.7th | 6.4 | The LJUsers WordPress plugin has a stored cross-site scripting vulnerability that allows authenticat
9412 | CVE-2025-52622 | 0.04% | 10.9th | 5.4 | BigFix SaaS fails to include security headers in HTTP responses, weakening client-side protections.
9413 | CVE-2025-11910 | 0.04% | 11th | 6.3 | This CVE describes a SQL injection vulnerability in Shenzhen Ruiming Technology's Streamax Crocus sy
9414 | CVE-2025-12650 | 0.04% | 10.8th | 6.4 | The Simple Post Listing WordPress plugin has a stored XSS vulnerability in the 'class_name' paramete
9415 | CVE-2025-11911 | 0.04% | 11th | 6.3 | This SQL injection vulnerability in Shenzhen Ruiming Technology's Streamax Crocus system allows atta
9416 | CVE-2025-63927 | 0.04% | 10.6th | 4.0 | A heap-use-after-free vulnerability in airpig2011 IEC104 software allows attackers to cause program
9417 | CVE-2025-11912 | 0.04% | 11th | 6.3 | This CVE describes a SQL injection vulnerability in Shenzhen Ruiming Technology's Streamax Crocus sy
9418 | CVE-2025-65000 | 0.04% | 10.8th | 5.3 | This vulnerability exposes SSH private keys in the HTML source of Checkmk's remote alert handler rul
9419 | CVE-2025-12433 | 0.04% | 10.7th | 4.3 | This vulnerability in Chrome's V8 JavaScript engine allows attackers to perform out-of-bounds memory
9420 | CVE-2025-14432 | 0.04% | 10.7th | 4.9 | Microsoft Teams Admin Center may write sensitive data to log files when administrators make device c
9421 | CVE-2025-7103 | 0.04% | 10.8th | 6.3 | This critical Server-Side Request Forgery (SSRF) vulnerability in BoyunCMS allows attackers to make
9422 | CVE-2024-44905 | 0.04% | 10.7th | 6.5 | CVE-2024-44905 is a SQL injection vulnerability in go-pg/pg v10.13.0's append_value.go component tha
9423 | CVE-2024-57942 | 0.04% | 10.9th | 5.5 | A race condition in the Linux kernel's netfs subsystem causes a hang when writing to Ceph filesystem
9424 | CVE-2025-13059 | 0.04% | 11th | 6.3 | This vulnerability allows remote attackers to execute arbitrary SQL commands on SourceCodester Alumn
9425 | CVE-2025-6911 | 0.04% | 10.7th | 6.3 | This critical SQL injection vulnerability in PHPGurukul Student Record System 3.2 allows attackers t
9426 | CVE-2025-12441 | 0.04% | 10.7th | 4.3 | This vulnerability allows a remote attacker to read memory outside the intended buffer in Chrome's V
9427 | CVE-2026-0858 | 0.04% | 10.9th | 6.1 | This stored cross-site scripting (XSS) vulnerability in PlantUML allows attackers to inject maliciou
9428 | CVE-2025-12885 | 0.04% | 10.8th | 6.4 | This stored XSS vulnerability in the Embed Any Document WordPress plugin allows authenticated attack
9429 | CVE-2025-21657 | 0.04% | 10.9th | 5.5 | This CVE addresses a kernel warning triggered by improper lock usage in the Linux kernel's scheduler
9430 | CVE-2025-13747 | 0.04% | 10.8th | 6.4 | The NewStatPress WordPress plugin versions up to 1.4.3 contain a stored cross-site scripting vulnera
9431 | CVE-2025-47886 | 0.04% | 10.8th | 4.3 | A CSRF vulnerability in Jenkins Cadence vManager Plugin allows attackers to trick authenticated user
9432 | CVE-2025-68949 | 0.04% | 10.9th | 5.3 | This vulnerability allows attackers to bypass IP whitelist restrictions in n8n's Webhook node by usi
9433 | CVE-2025-13840 | 0.04% | 10.7th | 6.4 | The BUKAZU Search widget plugin for WordPress versions up to 3.3.2 contains a stored cross-site scri
9434 | CVE-2025-21659 | 0.04% | 10.9th | 5.5 | This Linux kernel vulnerability allows unauthorized access to NAPI (New API) instances across networ
9435 | CVE-2026-22779 | 0.04% | 10.9th | 5.3 | CVE-2026-22779 is a CRLF injection vulnerability in BlackSheep's HTTP Client implementation that all
9436 | CVE-2025-13843 | 0.04% | 10.7th | 6.4 | This vulnerability allows authenticated WordPress users with Contributor-level access or higher to i
9437 | CVE-2025-13846 | 0.04% | 10.7th | 6.4 | The Easy Map Creator WordPress plugin has a stored cross-site scripting vulnerability in all version
9438 | CVE-2025-13850 | 0.04% | 10.7th | 6.4 | The LS Google Map Router WordPress plugin has a stored XSS vulnerability in all versions up to 1.1.0
9439 | CVE-2025-53932 | 0.04% | 10.7th | 6.1 | A reflected cross-site scripting (XSS) vulnerability in WeGIA's cadastro_adotante.php endpoint allow
9440 | CVE-2026-1553 | 0.04% | 10.7th | 4.8 | This CVE describes an incorrect authorization vulnerability in Drupal Canvas that allows forceful br
9441 | CVE-2026-1554 | 0.04% | 10.8th | 4.2 | This XML Injection vulnerability in Drupal CAS Server allows attackers to manipulate XPath queries t
9442 | CVE-2025-13884 | 0.04% | 10.7th | 6.4 | The Hide Email Address WordPress plugin has a stored XSS vulnerability that allows authenticated att
9443 | CVE-2025-11012 | 0.04% | 10.8th | 5.3 | A stack-based buffer overflow vulnerability exists in BehaviorTree up to version 4.7.0, specifically
9444 | CVE-2025-52022 | 0.04% | 10.9th | 5.3 | This vulnerability allows unauthenticated remote attackers to trigger detailed error messages that d
9445 | CVE-2025-13885 | 0.04% | 10.7th | 6.4 | The Zenost Shortcodes WordPress plugin has a stored cross-site scripting vulnerability that allows a
9446 | CVE-2025-13889 | 0.04% | 10.7th | 6.4 | The Simple Nivo Slider WordPress plugin has a stored XSS vulnerability that allows authenticated att
9447 | CVE-2025-53936 | 0.04% | 10.7th | 6.1 | A reflected cross-site scripting (XSS) vulnerability in WeGIA web management software allows attacke
9448 | CVE-2025-13904 | 0.04% | 10.7th | 6.4 | The WPGancio WordPress plugin has a stored XSS vulnerability in its 'gancio-event' shortcode that al
9449 | CVE-2024-56785 | 0.04% | 10.8th | 5.5 | This CVE addresses a Device Tree Source (DTS) configuration issue in the Linux kernel for MIPS Loong
9450 | CVE-2025-13906 | 0.04% | 10.7th | 6.4 | The WP Flot WordPress plugin has a stored cross-site scripting vulnerability that allows authenticat

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Scores are recomputed daily and published both as a probability (the EPSS Score column above) and as a percentile, the share of all scored CVEs whose probability is at or below that CVE's. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, which makes it a better signal for deciding which vulnerabilities to patch first.

Why EPSS matters: with thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS lets security teams focus on the CVEs most likely to be exploited rather than patching by CVSS score alone. A CVSS 9.8 critical with 0.1% EPSS may be less urgent than a CVSS 7.5 high with 90% EPSS. EPSS is a prediction, not an observation: a CVE already on the CISA Known Exploited Vulnerabilities (KEV) list has been exploited regardless of its EPSS and belongs at the top of the queue.
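The following is an added example of the prioritisation the two paragraphs above describe; it is not code from this page or from FIRST.org. It parses an EPSS export, joins it to a scanner inventory and a KEV set, and orders findings KEV first, then EPSS, then CVSS. The EPSS CSV layout (one leading "#" metadata line, then cve,epss,percentile as fractions of 1) is an assumption about FIRST's daily export; the feed, the KEV set and the inventory are constructed. The three real CVE ids carry the values listed on this page; the CVE-2099-* ids are impossible placeholders used only to stand in for the CVSS 9.8 / 0.1% and CVSS 7.5 / 90% cases from the text, for a KEV entry, and for a CVE missing from the feed.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Optional

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed EPSS feed in the CSV layout FIRST publishes daily
# (assumption: one leading '#' metadata line, then cve,epss,percentile
# with both numbers as fractions of 1). The first three rows carry the
# values shown for those CVEs on this page; CVE-2099-* rows are
# impossible placeholders, not real vulnerabilities.
EPSS_CSV = """#model_version:vEXAMPLE,score_date:2026-01-01T00:00:00+0000
cve,epss,percentile
CVE-2025-25580,0.00040,0.10700
CVE-2025-12433,0.00040,0.10700
CVE-2024-44905,0.00040,0.10700
CVE-2099-00001,0.00100,0.35000
CVE-2099-00002,0.90000,0.99900
CVE-2099-00003,0.50000,0.99000
"""

# Constructed KEV membership (in practice: ids from the CISA KEV catalogue).
KEV = {"CVE-2099-00003"}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float


# Constructed scanner inventory. CVSS for the real CVEs is as listed on
# this page; CVE-2099-00001/00002 carry the CVSS 9.8 / EPSS 0.1% and
# CVSS 7.5 / EPSS 90% pair from the text; CVE-2099-00004 is deliberately
# absent from the feed to exercise the unknown-score path.
FINDINGS = [
    Finding("CVE-2025-25580", 6.1),
    Finding("CVE-2025-12433", 4.3),
    Finding("CVE-2024-44905", 6.5),
    Finding("CVE-2099-00001", 9.8),
    Finding("CVE-2099-00002", 7.5),
    Finding("CVE-2099-00003", 5.0),
    Finding("CVE-2099-00004", 9.1),
]


def parse_epss(text: str) -> dict[str, tuple[float, float]]:
    """Map CVE id -> (epss, percentile) from an EPSS CSV export.

    '#' metadata lines are skipped. Malformed ids or out-of-range numbers
    raise instead of being scored 0, so a corrupted feed cannot silently
    demote every finding to the bottom of the queue.
    """
    body = "\n".join(line for line in text.splitlines() if not line.startswith("#"))
    scores = {}
    for row in csv.DictReader(io.StringIO(body)):
        cve = row["cve"].strip().upper()
        if not CVE_RE.match(cve):
            raise ValueError(f"bad CVE id in feed: {cve!r}")
        epss, pct = float(row["epss"]), float(row["percentile"])
        if not (0.0 <= epss <= 1.0 and 0.0 <= pct <= 1.0):
            raise ValueError(f"score out of range for {cve}")
        scores[cve] = (epss, pct)
    return scores


def tier(epss: Optional[float], kev: bool, cvss: float, threshold: float = 0.10) -> str:
    """P0: on KEV (already exploited, no prediction needed). P1: EPSS at or
    above the threshold. P2: no exploitation signal but CVSS critical.
    P3: everything else. An unknown EPSS (None) is not treated as 0: a CVE
    too new to be scored falls through to the CVSS rule, not to the bottom."""
    if kev:
        return "P0"
    if epss is not None and epss >= threshold:
        return "P1"
    if cvss >= 9.0:
        return "P2"
    return "P3"


def prioritise(findings, epss_feed, kev, threshold=0.10):
    """Return (tier, cve, epss, cvss) tuples sorted by tier, then EPSS
    descending, then CVSS descending."""
    rows = []
    for f in findings:
        epss = epss_feed.get(f.cve, (None, None))[0]
        rows.append((tier(epss, f.cve in kev, f.cvss, threshold), f.cve, epss, f.cvss))
    rows.sort(key=lambda r: (r[0], -(r[2] if r[2] is not None else 0.0), -r[3]))
    return rows


if __name__ == "__main__":
    feed = parse_epss(EPSS_CSV)
    for t, cve, epss, cvss in prioritise(FINDINGS, feed, KEV):
        shown = "n/a" if epss is None else f"{epss * 100:.2f}%"
        print(f"{t} {cve:16} EPSS {shown:>7} CVSS {cvss}")
```

The 10% threshold for P1 is a policy choice, not part of EPSS; many teams pick it from the trade-off between coverage and effort that FIRST's documentation discusses. Note what the ordering does with the page's own rows: at 0.04% EPSS and CVSS in the 4 to 6 range they all land in P3, which is why a list titled "most exploitable" still has thousands of low-urgency entries past the first few hundred ranks.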

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
