Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Rank  CVE ID          EPSS   Percentile  CVSS  Summary
1401  CVE-2024-13312  0.19%  41.1        5.3   This CVE describes a Missing Authorization vulnerability in Drupal Open Social that allows forceful
1402  CVE-2024-53935  0.19%  41.1        6.5   This vulnerability allows any Android application without permissions to place phone calls without u
1403  CVE-2023-51339  0.19%  41          6.5   This vulnerability allows attackers to send excessive password reset emails to legitimate users by e
1404  CVE-2025-25280  0.19%  41.1        5.3   A buffer overflow vulnerability in Century Systems' FutureNet AS series industrial routers and FA se
1405  CVE-2025-32371  0.19%  41          4.3   CVE-2025-32371 is a content spoofing vulnerability in DNN (DotNetNuke) CMS where attackers can craft
1406  CVE-2025-2853   0.19%  41.1        6.5   This vulnerability in GitLab allows authenticated users to trigger a denial of service condition due
1407  CVE-2025-11771  0.19%  41.1        5.3   This vulnerability allows unauthenticated attackers to manipulate presale counters in WordPress site
1408  CVE-2025-15115  0.19%  41          6.5   This authentication bypass vulnerability in Petlibro Smart Pet Feeder Platform allows unauthenticate
1409  CVE-2024-48893  0.19%  40.9        6.8   This vulnerability allows authenticated attackers to inject malicious scripts into FortiSOAR playboo
1410  CVE-2024-6810   0.19%  41          4.4   The Quiz Organizer WordPress plugin has a stored XSS vulnerability that allows authenticated adminis
1411  CVE-2025-25287  0.19%  41          4.7   Lakeus MediaWiki skin versions 1.0.8 through 1.3.0 are vulnerable to stored cross-site scripting (XS
1412  CVE-2025-3533   0.19%  41          4.3   This vulnerability allows attackers to inject malicious scripts via the 'Parent' parameter in YouDia
1413  CVE-2025-3304   0.19%  40.9        6.3   This critical SQL injection vulnerability in Patient Record Management System 1.0 allows remote atta
1414  CVE-2025-62402  0.19%  40.9        5.4   This vulnerability allows authenticated API users to execute arbitrary Dag code in the context of th
1415  CVE-2021-47724  0.19%  41          6.5   STVS ProVision 5.9.10 contains an authenticated path traversal vulnerability in its archive download
1416  CVE-2024-38657  0.19%  40.8        4.9   This vulnerability allows remote authenticated attackers with admin privileges to write arbitrary fi
1417  CVE-2024-57248  0.19%  40.8        6.3   CVE-2024-57248 is a directory traversal vulnerability in Gleamtech FileVista 9.2.0.0 that allows att
1418  CVE-2025-0256   0.19%  40.8        4.3   This vulnerability in HCL DevOps Deploy/Launch allows authenticated users to access sensitive inform
1419  CVE-2025-30485  0.19%  40.8        6.2   A UNIX symbolic link following vulnerability in FutureNet NXR, VXR, and WXR series routers allows lo
1420  CVE-2023-51328  0.19%  40.8        5.4   PHPJabbers Cleaning Business Software v1.0 contains stored cross-site scripting vulnerabilities in t
1421  CVE-2024-55488  0.19%  40.7        6.5   A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows authenticated attack
1422  CVE-2025-2955   0.19%  40.7        5.3   This vulnerability allows remote attackers to improperly access the IBMS configuration file handler
1423  CVE-2024-48246  0.19%  40.7        5.4   Vehicle Management System 1.0 contains a stored cross-site scripting vulnerability in the booking.ph
1424  CVE-2025-24850  0.19%  40.6        5.3   This vulnerability allows an attacker to export other users' plant information from affected systems
1425  CVE-2025-15455  0.19%  40.7        6.5   This vulnerability in MiniCMS allows attackers to bypass authentication and delete pages remotely wi
1426  CVE-2025-31539  0.19%  40.6        6.5   This CVE describes a Missing Authorization vulnerability in the Blocksera Cryptocurrency Widgets Pac
1427  CVE-2024-44192  0.19%  40.6        5.5   This vulnerability allows malicious web content to cause unexpected process crashes in Apple's WebKi
1428  CVE-2025-1986   0.19%  40.6        4.1   The Gutentor WordPress plugin before version 3.4.7 contains a SQL injection vulnerability due to ins
1429  CVE-2025-5509   0.19%  40.6        6.3   This critical vulnerability in quequnlong shiyi-blog allows remote attackers to perform path travers
1430  CVE-2025-52862  0.19%  40.6        4.9   A NULL pointer dereference vulnerability in QNAP operating systems allows remote attackers with admi
1431  CVE-2025-52859  0.19%  40.6        4.9   A NULL pointer dereference vulnerability in QNAP operating systems allows remote attackers with admi
1432  CVE-2025-52857  0.19%  40.6        4.9   A NULL pointer dereference vulnerability in QNAP operating systems allows remote attackers with admi
1433  CVE-2025-52854  0.19%  40.6        4.9   A NULL pointer dereference vulnerability in QNAP operating systems allows remote attackers with admi
1434  CVE-2025-52853  0.19%  40.6        4.9   A NULL pointer dereference vulnerability in QNAP operating systems allows remote attackers with admi
1435  CVE-2025-52432  0.19%  40.6        4.9   A NULL pointer dereference vulnerability in QNAP operating systems allows remote attackers with admi
1436  CVE-2025-52428  0.19%  40.6        4.9   A NULL pointer dereference vulnerability in QNAP operating systems allows remote attackers with admi
1437  CVE-2025-52424  0.19%  40.6        4.9   A NULL pointer dereference vulnerability in QNAP operating systems allows remote attackers with admi
1438  CVE-2025-48729  0.19%  40.6        4.9   A NULL pointer dereference vulnerability in QNAP operating systems allows remote attackers with admi
1439  CVE-2025-48727  0.19%  40.6        4.9   A NULL pointer dereference vulnerability in QNAP operating systems allows remote attackers with admi
1440  CVE-2025-47214  0.19%  40.6        4.9   A NULL pointer dereference vulnerability in QNAP operating systems allows remote attackers with admi
1441  CVE-2025-13007  0.19%  40.6        6.1   This vulnerability allows unauthenticated attackers to inject malicious scripts into WordPress sites
1442  CVE-2025-21288  0.19%  40.5        6.5   This vulnerability in Windows COM Server allows attackers to read sensitive information from memory
1443  CVE-2025-21272  0.19%  40.5        6.5   This vulnerability in Windows COM Server allows attackers to read sensitive information from memory
1444  CVE-2023-47557  0.19%  40.4        4.3   This CVE describes a missing authorization vulnerability in the WordPress Visitors Traffic Real Time
1445  CVE-2025-29993  0.19%  40.4        5.3   PowerCMS versions before 6.6.1, 5.2.8, and 4.5.9 contain an HTTP header injection vulnerability (CWE
1446  CVE-2024-51322  0.19%  40.5        5.4   This Cross-Site Scripting (XSS) vulnerability in Zucchetti Ad Hoc Infinity 2.4 allows authenticated
1447  CVE-2024-51320  0.19%  40.5        5.4   This CVE describes a Cross-Site Scripting (XSS) vulnerability in Zucchetti Ad Hoc Infinity 2.4 that
1448  CVE-2025-3569   0.19%  40.4        6.3   This critical vulnerability in JamesZBL/code-projects db-hospital-drug 1.0 allows remote attackers t
1449  CVE-2025-3412   0.19%  40.4        6.3   This critical vulnerability in mymagicpower AIAS allows attackers to perform Server-Side Request For
1450  CVE-2025-59185  0.19%  40.4        6.5   This vulnerability in Windows Core Shell allows attackers to manipulate file paths or names remotely

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
