Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Rank  CVE ID          EPSS Score  Percentile  CVSS  Flags  Summary
1301  CVE-2025-21284  0.2%        42.3        5.5          This vulnerability in Windows Virtual Trusted Platform Module allows attackers to cause a denial of
1302  CVE-2024-12473  0.2%        42.3        6.5          This SQL injection vulnerability in the AI Scribe WordPress plugin allows authenticated attackers wi
1303  CVE-2024-44866  0.2%        42.3        6.8          A buffer overflow vulnerability in MuseScore Studio's GuitarPro file parser allows attackers to exec
1304  CVE-2025-3661   0.2%        42.3        6.4          The SB Chart block plugin for WordPress has a stored cross-site scripting vulnerability that allows
1305  CVE-2025-31120  0.2%        42.3        5.3          This vulnerability allows unauthenticated attackers to artificially inflate forum view counts in Nam
1306  CVE-2025-3106   0.2%        42.3        6.4          The LA-Studio Element Kit for Elementor WordPress plugin has a stored XSS vulnerability in its Table
1307  CVE-2025-3615   0.2%        42.3        6.4          The Fluent Forms WordPress plugin has a stored cross-site scripting (XSS) vulnerability that allows
1308  CVE-2025-2083   0.2%        42.3        6.4          The Logo Carousel Gutenberg Block WordPress plugin has a stored XSS vulnerability in versions up to
1309  CVE-2025-32996  0.2%        42.3        4.0          This vulnerability in http-proxy-middleware allows writeBody to be called twice due to a missing 'el
1310  CVE-2025-29208  0.2%        42.3        6.5          CodeZips Gym Management System v1.0 contains a SQL injection vulnerability in the name parameter of
1311  CVE-2025-31257  0.2%        42.3        4.7          This CVE describes a memory handling vulnerability in Apple's WebKit browser engine that could cause
1312  CVE-2025-6740   0.2%        42.3        6.1          The Contact Form 7 Database Addon plugin for WordPress has a stored cross-site scripting vulnerabili
1313  CVE-2025-44010  0.2%        42.3        6.5          A NULL pointer dereference vulnerability in Qsync Central allows authenticated remote attackers to c
1314  CVE-2025-44008  0.2%        42.3        6.5          A NULL pointer dereference vulnerability in Qsync Central allows authenticated remote attackers to c
1315  CVE-2025-22219  0.2%        42.2        6.8          VMware Aria Operations for Logs contains a stored cross-site scripting vulnerability that allows aut
1316  CVE-2025-23878  0.2%        42.1        5.9          This stored cross-site scripting (XSS) vulnerability in the WordPress Post-to-Post Links plugin allo
1317  CVE-2025-23854  0.2%        42.1        5.9          This stored cross-site scripting (XSS) vulnerability in YesStreaming.com's Shoutcast and Icecast HTM
1318  CVE-2024-35275  0.2%        42.2        6.6          This SQL injection vulnerability in Fortinet FortiAnalyzer and FortiManager allows attackers to exec
1319  CVE-2024-13191  0.2%        42.2        6.3          This vulnerability allows remote attackers to upload arbitrary files without restrictions in ZeroWdd
1320  CVE-2024-12279  0.2%        42.1        6.1          The WP Social AutoConnect WordPress plugin has a Cross-Site Request Forgery vulnerability that allow
1321  CVE-2022-37660  0.2%        42.2        6.5          CVE-2022-37660 is a cryptographic vulnerability in hostapd's PKEX implementation where the PKEX code
1322  CVE-2025-2035   0.2%        42.2        6.3          This critical vulnerability in s-a-zhd Ecommerce-Website-using-PHP 1.0 allows remote attackers to up
1323  CVE-2025-29722  0.2%        42.2        6.3          A Cross-Site Request Forgery (CSRF) vulnerability in Commercify v1.0 allows attackers to trick authe
1324  CVE-2025-32791  0.2%        42.2        4.3          This vulnerability in Backstage's permission plugin backend allows attackers to extract information
1325  CVE-2025-4901   0.2%        42.1        4.3          This vulnerability in D-Link DI-7003GV2 routers allows attackers on the local network to access sens
1326  CVE-2025-43006  0.2%        42.2        6.1          CVE-2025-43006 is a Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management
1327  CVE-2023-35394  0.2%        42.2        4.6          This vulnerability allows attackers to inject malicious scripts into Azure HDInsight Jupyter Noteboo
1328  CVE-2025-25054  0.2%        42.1        6.1          Movable Type contains a reflected cross-site scripting vulnerability in the user information edit pa
1329  CVE-2021-26105  0.2%        42.1        6.8          This CVE describes a stack-based buffer overflow vulnerability in FortiSandbox's profile parser that
1330  CVE-2025-21199  0.2%        42          6.7          This vulnerability in Azure Agent Installer allows authenticated attackers to escalate privileges on
1331  CVE-2025-39589  0.2%        42.1        4.3          This vulnerability in Essential Addons for Elementor WordPress plugin exposes sensitive system infor
1332  CVE-2025-30802  0.2%        42.1        4.3          The WordPress Our Team Members plugin versions up to 2.2 expose sensitive system information to unau
1333  CVE-2024-57708  0.2%        42          5.7          This CVE describes a potential prototype pollution vulnerability in OneTrust SDK version 6.33.0 that
1334  CVE-2024-24443  0.2%        42          6.5          An uninitialized pointer dereference vulnerability in OpenAirInterface CN5G AMF allows attackers to
1335  CVE-2024-57677  0.2%        42          6.5          This vulnerability allows unauthenticated attackers to modify WAN service settings on D-Link DIR-816
1336  CVE-2025-1233   0.2%        42          4.3          The Lafka WordPress theme plugin allows authenticated users with subscriber-level access or higher t
1337  CVE-2025-58693  0.2%        42          6.5          This path traversal vulnerability in Fortinet FortiVoice allows privileged attackers to delete arbit
1338  CVE-2024-56199  0.2%        41.9        5.2          This vulnerability allows attackers to inject malicious HTML content into the phpMyFAQ editor, disru
1339  CVE-2025-24910  0.2%        41.9        4.9          This vulnerability allows attackers to perform XML External Entity (XXE) attacks against Hitachi Van
1340  CVE-2025-32373  0.2%        41.9        6.5          CVE-2025-32373 is an authorization bypass vulnerability in DNN CMS where registered users can craft
1341  CVE-2025-31833  0.2%        41.8        4.9          This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in the JobBoard Job List
1342  CVE-2025-49131  0.2%        41.9        6.3          CVE-2025-49131 is a sandbox escape vulnerability in FastGPT's sandbox container that allows attacker
1343  CVE-2025-12002  0.2%        41.9        5.9          The Feeds for YouTube Pro WordPress plugin has an arbitrary file read vulnerability that allows unau
1344  CVE-2023-45633  0.2%        41.8        6.5          This CVE describes a Missing Authorization vulnerability in the IDX IMPress Listings WordPress plugi
1345  CVE-2023-46610  0.2%        41.7        6.5          This CVE describes a Missing Authorization vulnerability in the Quill Forms WordPress plugin that al
1346  CVE-2025-22289  0.2%        41.7        6.5          This CVE describes a Missing Authorization vulnerability in the WordPress plugin 'LTL Freight Quotes
1347  CVE-2025-30308  0.2%        41.7        5.5          XMP Toolkit versions 2023.12 and earlier contain an out-of-bounds read vulnerability that could allo
1348  CVE-2025-30306  0.2%        41.7        5.5          XMP Toolkit versions 2023.12 and earlier contain an out-of-bounds read vulnerability that could allo
1349  CVE-2025-41679  0.2%        41.8        5.3          An unauthenticated remote attacker can exploit a buffer overflow vulnerability in the Conftool netwo
1350  CVE-2025-0104   0.2%        41.5        6.1          A reflected cross-site scripting (XSS) vulnerability in Palo Alto Networks Expedition allows attacke

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
