Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 9451 | CVE-2025-13960 | | 10.7th | 6.4 | | The GPXpress WordPress plugin up to version 1.3 contains a stored cross-site scripting vulnerability |
| 9452 | CVE-2024-56787 | | 10.8th | 5.5 | | This CVE describes a race condition in the Linux kernel's i.MX8M SoC driver that causes a kernel war |
| 9453 | CVE-2025-13961 | | 10.7th | 6.4 | | The Data Visualizer WordPress plugin has a stored XSS vulnerability in all versions up to 1.1. Authe |
| 9454 | CVE-2025-14777 | | 10.6th | 6.0 | | This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Keycloak's admin API. |
| 9455 | CVE-2025-61750 | | 11th | 4.3 | | This vulnerability in Oracle PeopleSoft Enterprise PeopleTools allows authenticated attackers with l |
| 9456 | CVE-2025-55472 | | 10.8th | 6.5 | | This SQL injection vulnerability in Tirreno v0.9.5 allows attackers to manipulate database queries t |
| 9457 | CVE-2025-63512 | | 10.9th | 6.5 | | This SQL injection vulnerability in Hospital Management System v4 allows attackers to manipulate dat |
| 9458 | CVE-2025-54736 | | 10.8th | 5.3 | | The NordicMade Savoy WordPress theme exposes sensitive system information to unauthorized users, all |
| 9459 | CVE-2020-19248 | | 10.9th | 5.1 | | This SQL injection vulnerability in PbootCMS 1.4.1 allows attackers to inject malicious SQL code thr |
| 9460 | CVE-2025-11003 | | 10.8th | 6.4 | | The UiPress Lite WordPress plugin has an authorization vulnerability that allows authenticated users |
| 9461 | CVE-2025-54551 | | 10.7th | 4.3 | | Synapse Mobility contains a privilege escalation vulnerability where authenticated users can manipul |
| 9462 | CVE-2025-46336 | | 11th | 4.2 | | This vulnerability in Rack::Session allows session fixation attacks when using the Pool middleware. |
| 9463 | CVE-2025-8618 | | 10.6th | 6.4 | | This stored XSS vulnerability in the WPC Smart Quick View for WooCommerce WordPress plugin allows au |
| 9464 | CVE-2025-55710 | | 10.7th | 4.3 | | This vulnerability in TaxoPress WordPress plugin exposes sensitive embedded data through sent inform |
| 9465 | CVE-2025-21126 | | 10.6th | 5.5 | | Adobe InDesign has an improper input validation vulnerability that allows attackers to cause denial- |
| 9466 | CVE-2025-7058 | | 10.7th | 6.4 | | The Kingcabs WordPress theme has a stored XSS vulnerability in the 'progressbarLayout' parameter tha |
| 9467 | CVE-2025-62751 | | 10.9th | 4.3 | | A missing authorization vulnerability in the Extend Themes Vireo WordPress theme allows attackers to |
| 9468 | CVE-2025-11361 | | 11th | 6.4 | | The Gutenberg Essential Blocks WordPress plugin contains a Server-Side Request Forgery vulnerability |
| 9469 | CVE-2025-7960 | | 10.8th | 6.4 | | The King Addons for Elementor WordPress plugin has a stored XSS vulnerability in its Pricing Slider, |
| 9470 | CVE-2025-49539 | | 10.8th | 4.5 | | This XXE vulnerability in Adobe ColdFusion allows high-privileged attackers to bypass security restr |
| 9471 | CVE-2025-1358 | | 10.9th | 4.3 | | This vulnerability allows attackers to perform cross-site request forgery (CSRF) attacks against Pix |
| 9472 | CVE-2025-13234 | | 11th | 6.3 | | This CVE describes a SQL injection vulnerability in itsourcecode Inventory Management System 1.0. At |
| 9473 | CVE-2025-13236 | | 11th | 6.3 | | This SQL injection vulnerability in itsourcecode Inventory Management System 1.0 allows attackers to |
| 9474 | CVE-2025-61885 | | 11th | 4.3 | | This vulnerability allows authenticated attackers with low privileges to read sensitive data from Or |
| 9475 | CVE-2025-8199 | | 10.7th | 6.4 | | The MarqueeAddons WordPress plugin has a stored XSS vulnerability in its Testimonial Marquee widget. |
| 9476 | CVE-2025-69014 | | 10.9th | 4.9 | | This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the Youzify WordPress plugi |
| 9477 | CVE-2025-40669 | | 10.6th | 6.5 | | This vulnerability in TCMAN's GIM v11 allows unauthenticated attackers to modify user permissions vi |
| 9478 | CVE-2025-14119 | | 10.7th | 6.4 | | This stored XSS vulnerability in the App Landing Template Blocks for WPBakery WordPress plugin allow |
| 9479 | CVE-2025-8687 | | 10.7th | 6.4 | | The Enter Addons WordPress plugin has a stored XSS vulnerability in its Countdown and Image Comparis |
| 9480 | CVE-2025-8779 | | 10.7th | 6.4 | | This vulnerability allows authenticated WordPress users with contributor-level access or higher to i |
| 9481 | CVE-2025-13396 | | 11th | 6.3 | | CVE-2025-13396 is a SQL injection vulnerability in code-projects Courier Management System 1.0 that |
| 9482 | CVE-2025-14980 | | 10.9th | 6.5 | | The BetterDocs WordPress plugin exposes sensitive information including OpenAI API keys to authentic |
| 9483 | CVE-2025-11815 | | 10.9th | 4.3 | | The UiPress Lite WordPress plugin has an authorization vulnerability that allows authenticated users |
| 9484 | CVE-2025-15019 | | 10.8th | 6.4 | | This vulnerability allows authenticated WordPress users with contributor-level access or higher to i |
| 9485 | CVE-2025-52131 | | 10.6th | 6.4 | | CVE-2025-52131 is a cross-site scripting (XSS) vulnerability in the Mocca Calendar application for X |
| 9486 | CVE-2025-13243 | | 11th | 6.3 | | This SQL injection vulnerability in code-projects Student Information System 2.0 allows attackers to |
| 9487 | CVE-2025-12175 | | 10.8th | 4.3 | | The Events Calendar WordPress plugin versions up to 6.15.9 have an authorization vulnerability where |
| 9488 | CVE-2025-52132 | | 10.6th | 6.4 | | This Cross-Site Scripting (XSS) vulnerability in Mocca Calendar for XWiki allows attackers to inject |
| 9489 | CVE-2025-27442 | | 10.9th | 4.6 | | This cross-site scripting (XSS) vulnerability in Zoom Workplace Apps allows an unauthenticated attac |
| 9490 | CVE-2025-52133 | | 10.6th | 6.4 | | This vulnerability allows cross-site scripting (XSS) attacks in Mocca Calendar for XWiki when import |
| 9491 | CVE-2026-0563 | | 10.8th | 6.4 | | This vulnerability allows authenticated WordPress users with contributor-level access or higher to i |
| 9492 | CVE-2025-9873 | | 10.7th | 6.4 | | The a3 Lazy Load WordPress plugin has a stored XSS vulnerability that allows authenticated attackers |
| 9493 | CVE-2025-49919 | | 10.9th | 5.8 | | The WPCenter eRoom Zoom Meetings Webinar WordPress plugin (versions up to and including 1.5.6) conta |
| 9494 | CVE-2025-62972 | | 11th | 4.3 | | This CVE describes a missing authorization vulnerability in the WebinarPress WordPress plugin (forme |
| 9495 | CVE-2025-48361 | | 10.8th | 5.3 | | This vulnerability in Hesabfa Accounting WordPress plugin exposes sensitive data through log files. |
| 9496 | CVE-2025-42882 | | 11th | 4.3 | | This vulnerability allows authenticated attackers with basic privileges in SAP NetWeaver Application |
| 9497 | CVE-2025-12881 | | 11th | 5.4 | | This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to re |
| 9498 | CVE-2025-12366 | | 10.9th | 4.3 | | This vulnerability allows authenticated WordPress users with Author-level permissions or higher to r |
| 9499 | CVE-2025-44185 | | 10.9th | 5.4 | | This CSRF vulnerability in Best Employee Management System V1.0 allows attackers to trick authentica |
| 9500 | CVE-2025-0426 | | 10.9th | 6.2 | | This vulnerability in Kubernetes allows unauthenticated attackers to cause Node Denial of Service by |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
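The prioritization argument above (EPSS first, CVSS as severity context) can be turned into a small triage routine. The following is an added example written for this page, not code from the site or from FIRST.org. It assumes the EPSS feed is a CSV with a leading `#` metadata line and a `cve,epss,percentile` header (an assumption about the published format); the feed excerpt and the scanner output below are constructed sample data, and the floor values for the buckets are illustrative choices rather than any official threshold.

```python
"""Join scanner findings with EPSS scores and order patching by exploit likelihood."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed EPSS feed excerpt (assumed FIRST CSV layout: '#' metadata line,
# then cve,epss,percentile). All values are made up for illustration.
EPSS_FEED = """\
#model_version:vEXAMPLE,score_date:2025-01-01T00:00:00+0000
cve,epss,percentile
CVE-0000-0001,0.00100,0.23000
CVE-0000-0002,0.90000,0.99500
CVE-0000-0003,0.04000,0.88000
CVE-0000-0004,0.25000,0.96000
"""

# Constructed scanner output: (host, CVE, CVSS base score).
SCAN_RESULTS = [
    ("web-01", "CVE-0000-0001", 9.8),
    ("web-01", "CVE-0000-0002", 7.5),
    ("db-01", "CVE-0000-0003", 6.4),
    ("db-01", "CVE-0000-0004", 5.5),
    ("db-01", "CVE-0000-9999", 8.1),  # placeholder CVE absent from the feed
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float
    epss: Optional[float]        # None when the feed has no score for the CVE
    percentile: Optional[float]


def parse_epss_feed(text: str) -> Dict[str, Tuple[float, float]]:
    """Parse the EPSS CSV, skipping '#' metadata lines -> {cve: (epss, percentile)}."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    return {row["cve"]: (float(row["epss"]), float(row["percentile"])) for row in reader}


def join_findings(scan, feed: Dict[str, Tuple[float, float]]) -> List[Finding]:
    """Attach EPSS data to each scanner finding; unknown CVEs keep epss=None."""
    out = []
    for host, cve, cvss in scan:
        epss, pct = feed.get(cve, (None, None))
        out.append(Finding(host, cve, cvss, epss, pct))
    return out


def by_cvss(findings: List[Finding]) -> List[Finding]:
    """The traditional order: severity only."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Exploit-likelihood order: EPSS descending, CVSS as tie-break.
    Findings with no EPSS score sort last so they are reviewed, not silently dropped."""
    return sorted(findings, key=lambda f: (f.epss if f.epss is not None else -1.0, f.cvss), reverse=True)


def bucket(f: Finding, epss_floor: float = 0.10, cvss_floor: float = 7.0) -> str:
    """Combine both dimensions into an action bucket (floors are illustrative)."""
    if f.epss is None:
        return "review"        # no prediction yet; decide on CVSS and exposure by hand
    if f.epss >= epss_floor and f.cvss >= cvss_floor:
        return "patch-now"     # likely exploited and high impact
    if f.epss >= epss_floor:
        return "patch-soon"    # likely exploited, lower impact
    if f.cvss >= cvss_floor:
        return "schedule"      # severe on paper, little sign of exploitation
    return "backlog"


if __name__ == "__main__":
    findings = join_findings(SCAN_RESULTS, parse_epss_feed(EPSS_FEED))
    print("CVSS-only order:", [f.cve for f in by_cvss(findings)])
    print("EPSS-first order:", [f.cve for f in prioritize(findings)])
    for f in prioritize(findings):
        print(f"{f.host:7} {f.cve} cvss={f.cvss} epss={f.epss} -> {bucket(f)}")
```

Running it shows the point the paragraph makes: the 9.8 finding heads the CVSS-only list but drops to fourth once EPSS leads, while the 7.5 finding with a 0.90 probability moves to the top. The CVE missing from the feed lands in a separate review bucket rather than being ranked as if its likelihood were zero.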
Prioritize by Exploit Risk
Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.