Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary
1151 | CVE-2025-3676 | 0.22% | 44.9th | 6.3 | - | This critical SQL injection vulnerability in xxyopen Novel-Plus allows attackers to manipulate datab
1152 | CVE-2025-30714 | 0.22% | 44.8th | 4.8 | - | This vulnerability in Oracle MySQL Connector/Python allows low-privileged attackers with network acc
1153 | CVE-2025-3470 | 0.22% | 44.9th | 4.9 | - | This SQL injection vulnerability in the TS Poll WordPress plugin allows authenticated attackers with
1154 | CVE-2025-32675 | 0.22% | 44.8th | 6.8 | - | This Server-Side Request Forgery (SSRF) vulnerability in QuantumCloud SEO Help WordPress plugin allo
1155 | CVE-2025-3438 | 0.22% | 44.9th | 6.5 | - | The MStore API WordPress plugin allows unauthenticated attackers to register accounts with 'wcfm_ven
1156 | CVE-2025-27631 | 0.22% | 44.8th | 6.5 | - | CVE-2025-27631 is an LDAP injection vulnerability in the TRMTracker web application that allows atta
1157 | CVE-2025-3104 | 0.22% | 44.7th | 5.3 | - | The WP STAGING Pro WordPress Backup Plugin has an information disclosure vulnerability that allows u
1158 | CVE-2023-42982 | 0.22% | 44.6th | 6.4 | - | This vulnerability in macOS allows processing malicious files to cause denial-of-service or potentia
1159 | CVE-2025-32460 | 0.22% | 44.6th | 4.0 | - | This vulnerability is a heap-based buffer over-read in GraphicsMagick's JXL image decoder that occur
1160 | CVE-2025-54090 | 0.22% | 44.7th | 6.3 | - | A bug in Apache HTTP Server 2.4.64 causes all RewriteCond expression tests to evaluate as true, pote
1161 | CVE-2025-46206 | 0.22% | 44.6th | 6.5 | - | This vulnerability allows remote attackers to cause denial of service in Artifex mupdf by exploiting
1162 | CVE-2025-12296 | 0.22% | 44.7th | 4.7 | - | This CVE describes an OS command injection vulnerability in D-Link DAP-2695 firmware update handler
1163 | CVE-2024-57175 | 0.22% | 44.6th | 5.4 | - | A stored cross-site scripting (XSS) vulnerability in PHPGURUKUL Online Birth Certificate System v1.0
1164 | CVE-2025-30291 | 0.22% | 44.6th | 5.5 | - | This CVE describes an information exposure vulnerability in Adobe ColdFusion that allows low-privile
1165 | CVE-2025-3074 | 0.22% | 44.6th | 5.4 | - | This vulnerability allows attackers to spoof download UI elements in Google Chrome, tricking users i
1166 | CVE-2025-3072 | 0.22% | 44.6th | 5.4 | - | This vulnerability allows attackers to spoof UI elements in Chrome's Custom Tabs feature by tricking
1167 | CVE-2025-46813 | 0.22% | 44.5th | 5.8 | - | This CVE describes a data leak vulnerability in Discourse where unauthenticated users could view pri
1168 | CVE-2025-2887 | 0.22% | 44.5th | 4.5 | - | This vulnerability in the tough library allows clients to fetch target files from incorrect sources
1169 | CVE-2025-2885 | 0.22% | 44.5th | 4.5 | - | This vulnerability in the tough library allows attackers to supply arbitrary version numbers in root
1170 | CVE-2025-42892 | 0.22% | 44.5th | 6.8 | - | This CVE describes an OS command injection vulnerability in SAP Business Connector that allows authe
1171 | CVE-2025-69601 | 0.22% | 44.5th | 6.5 | - | A directory traversal vulnerability in 66biolinks v44.0.0 allows attackers to write files outside in
1172 | CVE-2025-14463 | 0.22% | 44.4th | 5.3 | - | The Payment Button for PayPal WordPress plugin has an authentication bypass vulnerability that allow
1173 | CVE-2025-2562 | 0.22% | 44.4th | 5.4 | - | This vulnerability in Devolutions Remote Desktop Manager allows authenticated users to use stored pa
1174 | CVE-2025-21597 | 0.22% | 44.4th | 5.3 | - | An unauthenticated, logically adjacent BGP peer can cause a denial of service by triggering a crash
1175 | CVE-2025-5158 | 0.22% | 44.4th | 4.3 | - | This CVE describes a path traversal vulnerability in H3C SecCenter SMP-E1114P02 that allows attacker
1176 | CVE-2025-9146 | 0.22% | 44.4th | 6.6 | - | A cryptographic vulnerability in Linksys E5600 routers allows remote attackers to potentially compro
1177 | CVE-2025-34273 | 0.22% | 44.4th | 6.5 | - | Nagios Log Server versions before 2024R2.0.3 have an authorization flaw that lets non-admin users de
1178 | CVE-2025-23862 | 0.22% | 44.2th | 5.3 | - | This vulnerability allows attackers to bypass authorization controls in the Contact Form 7 Anti Spam
1179 | CVE-2025-21393 | 0.22% | 44.3th | 6.3 | - | This CVE describes a cross-site scripting (XSS) vulnerability in Microsoft SharePoint Server that al
1180 | CVE-2023-32240 | 0.22% | 44.2th | 5.4 | - | This CVE describes a missing authorization vulnerability in the Xtemos WoodMart WordPress theme that
1181 | CVE-2024-58113 | 0.22% | 44.3th | 5.3 | - | This vulnerability involves improper resource management in memory management modules, potentially c
1182 | CVE-2025-0278 | 0.22% | 44.3th | 4.3 | - | HCL Traveler for Windows exposes internal file paths in error messages or debug logs, potentially re
1183 | CVE-2025-56676 | 0.22% | 44.3th | 5.4 | - | TitanSystems Zender v3.9.7 has a critical authentication bypass vulnerability where password reset t
1184 | CVE-2025-31584 | 0.22% | 44.2th | 5.4 | - | This CVE describes a Missing Authorization vulnerability in the Elfsight Testimonials Slider WordPre
1185 | CVE-2025-31545 | 0.22% | 44.2th | 5.4 | - | This CVE describes a Missing Authorization vulnerability in the WP Messiah Safe Ai Malware Protectio
1186 | CVE-2025-30896 | 0.22% | 44.2th | 5.4 | - | This CVE describes a Missing Authorization vulnerability in weDevs WP ERP WordPress plugin that allo
1187 | CVE-2025-30809 | 0.22% | 44.2th | 5.4 | - | A missing authorization vulnerability in the Shahjada Live Forms WordPress plugin allows attackers t
1188 | CVE-2025-24737 | 0.22% | 44.2th | 6.5 | - | This CVE describes a missing authorization vulnerability in WP Helper Premium plugin that allows att
1189 | CVE-2025-39591 | 0.22% | 44.2th | 5.4 | - | This CVE describes a missing authorization vulnerability in WP Shuffle WP Subscription Forms WordPre
1190 | CVE-2025-39522 | 0.22% | 44.2th | 5.4 | - | This CVE describes a Missing Authorization vulnerability in the WordPress Dynamic Post plugin that a
1191 | CVE-2025-32216 | 0.22% | 44.2th | 6.4 | - | A missing authorization vulnerability in Spider Elements – Addons for Elementor WordPress plugin a
1192 | CVE-2025-32246 | 0.22% | 44.2th | 5.4 | - | This CVE describes a missing authorization vulnerability in the Tim Nguyen 1-Click Backup & Restore
1193 | CVE-2025-31794 | 0.22% | 44.2th | 5.4 | - | This CVE describes a Missing Authorization vulnerability in the WR Price List Manager For Woocommerc
1194 | CVE-2025-31746 | 0.22% | 44.2th | 6.4 | - | This CVE describes a missing authorization vulnerability in the Think201 Clients WordPress plugin th
1195 | CVE-2025-31878 | 0.22% | 44.2th | 5.4 | - | This CVE describes a Missing Authorization vulnerability in the UPC/EAN/GTIN Code Generator WordPres
1196 | CVE-2025-31867 | 0.22% | 44.2th | 5.4 | - | This vulnerability allows attackers to bypass authorization controls in JoomSky JS Job Manager by ma
1197 | CVE-2025-31854 | 0.22% | 44.2th | 4.3 | - | This CVE describes a missing authorization vulnerability in the Simple Sticky Add To Cart For WooCom
1198 | CVE-2025-31826 | 0.22% | 44.2th | 5.4 | - | This CVE describes a Missing Authorization vulnerability in the Ni WooCommerce Cost Of Goods plugin
1199 | CVE-2025-31816 | 0.22% | 44.2th | 5.4 | - | This CVE describes a missing authorization vulnerability in the Mobile App Canvas WordPress plugin t
1200 | CVE-2025-31802 | 0.22% | 44.2th | 5.4 | - | A missing authorization vulnerability in Shiptimize for WooCommerce allows attackers to change plugi

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, making it ideal for prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
