Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

- 164 CVEs with EPSS > 50%
- 156 CISA KEV listed
- 35,468 CVEs with EPSS
- 0.7% average EPSS score
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 101 | CVE-2025-36134 | 0.04% | 12.8th | 3.7 | | This vulnerability allows attackers to potentially steal sensitive session cookies in IBM Sterling B |
| 102 | CVE-2025-14201 | 0.04% | 12.7th | 2.4 | | This CVE describes a cross-site scripting (XSS) vulnerability in the Hotel-Management-services-using |
| 103 | CVE-2025-64299 | 0.04% | 12.7th | 2.7 | | LogStare Collector contains an information disclosure vulnerability where administrative users can a |
| 104 | CVE-2025-15108 | 0.04% | 12.7th | 3.7 | | This vulnerability involves the use of a hard-coded cryptographic key in PandaXGO PandaX's JWT Secre |
| 105 | CVE-2025-52639 | 0.04% | 12.5th | 3.5 | | HCL Connections has an information disclosure vulnerability where improper rendering of application |
| 106 | CVE-2025-15151 | 0.04% | 12.7th | 3.7 | | This vulnerability in TaleLin Lin-CMS allows attackers to manipulate username/password arguments in |
| 107 | CVE-2025-13324 | 0.04% | 12.7th | 3.7 | | This vulnerability allows attackers who obtain remote cluster invite tokens to authenticate as remot |
| 108 | CVE-2025-46676 | 0.04% | 12.1th | 2.7 | | Dell PowerProtect Data Domain systems running affected DD OS versions contain an information disclos |
| 109 | CVE-2025-52623 | 0.04% | 12.3th | 3.7 | | HCL AION 2.0 has a vulnerability where password fields don't disable autocomplete, potentially allow |
| 110 | CVE-2025-41436 | 0.04% | 11.8th | 3.1 | | Mattermost versions before 11.0 fail to properly enforce the 'Allow users to view archived channels' |
| 111 | CVE-2025-13870 | 0.04% | 11.8th | 3.1 | | This vulnerability in Mattermost allows authenticated users to access files and subscribe to blocks |
| 112 | CVE-2025-31962 | 0.04% | 11.8th | 2.0 | | This vulnerability allows authenticated attackers to maintain unauthorized access to protected API e |
| 113 | CVE-2025-15084 | 0.04% | 11.8th | 3.1 | | This vulnerability in youlaitech youlai-mall allows attackers to bypass access controls in the order |
| 114 | CVE-2025-15437 | 0.04% | 12th | 3.5 | | This CVE describes a cross-site scripting (XSS) vulnerability in LigeroSmart's Environment Variable |
| 115 | CVE-2025-36410 | 0.04% | 11.7th | 3.1 | | IBM ApplinX 11.1 has a client-side security enforcement vulnerability that allows authenticated user |
| 116 | CVE-2025-15372 | 0.04% | 11.6th | 2.4 | | This vulnerability allows remote attackers to inject malicious scripts into the Notice Handler compo |
| 117 | CVE-2025-24314 | 0.04% | 11.6th | 2.2 | | An improper access control vulnerability in Intel CIP software allows unprivileged software running |
| 118 | CVE-2025-14186 | 0.04% | 11.5th | 3.5 | | A cross-site scripting (XSS) vulnerability in Grandstream GXP1625 VoIP phones allows attackers to in |
| 119 | CVE-2025-42883 | 0.04% | 11.7th | 2.7 | | SAP NetWeaver Application Server for ABAP's Migration Workbench fails to scan uploaded files for mal |
| 120 | CVE-2025-14228 | 0.04% | 11.5th | 3.5 | | This CVE describes a cross-site scripting (XSS) vulnerability in the Local Directory Page component |
| 121 | CVE-2025-15188 | 0.04% | 11.1th | 2.4 | | This vulnerability allows attackers to inject malicious scripts into the Campcodes Complete Online B |
| 122 | CVE-2026-0824 | 0.04% | 11.2th | 3.5 | | A cross-site scripting (XSS) vulnerability exists in QuestDB UI up to version 1.11.9, specifically i |
| 123 | CVE-2026-0682 | 0.04% | 11.2th | 2.2 | | The Church Admin WordPress plugin is vulnerable to Server-Side Request Forgery (SSRF) in all version |
| 124 | CVE-2025-24862 | 0.04% | 11.1th | 2.0 | | This vulnerability in Intel CIP software allows an attacker with local access and special internal k |
| 125 | CVE-2025-20373 | 0.04% | 11.1th | 2.7 | | The Splunk Add-on for Palo Alto Networks versions below 2.0.2 exposes client secrets in plain text i |
| 126 | CVE-2025-12918 | 0.04% | 11.2th | 3.1 | | This vulnerability in yungifez Skuul School Management System allows attackers to manipulate resourc |
| 127 | CVE-2026-26013 | 0.04% | 11.1th | 3.7 | | LangChain versions before 1.2.11 contain a Server-Side Request Forgery (SSRF) vulnerability in the C |
| 128 | CVE-2025-14663 | 0.04% | 11.1th | 2.4 | | This vulnerability allows attackers to inject malicious scripts into the Student File Management Sys |
| 129 | CVE-2026-22919 | 0.04% | 11.1th | 3.8 | | This vulnerability allows attackers with administrative access to inject malicious scripts into the |
| 130 | CVE-2025-13795 | 0.04% | 11.2th | 2.4 | | This is a cross-site scripting (XSS) vulnerability in the CodingWithElias School Management System t |
| 131 | CVE-2025-13450 | 0.04% | 10.7th | 3.5 | | This vulnerability allows attackers to inject malicious scripts into the registration page of Source |
| 132 | CVE-2025-14194 | 0.04% | 10.7th | 3.5 | | This vulnerability allows attackers to inject malicious scripts into the Employee Profile Management |
| 133 | CVE-2025-54560 | 0.04% | 10.6th | 3.8 | | A Server-Side Request Forgery (SSRF) vulnerability in Desktop Alert PingAlert versions 6.1.0.11 to 6 |
| 134 | CVE-2025-68940 | 0.04% | 10.6th | 3.1 | | This vulnerability allows users with insufficient permissions to delete branches after merging pull |
| 135 | CVE-2025-55251 | 0.04% | 10.8th | 3.1 | | HCL AION has an unrestricted file upload vulnerability that allows attackers to upload malicious fil |
| 136 | CVE-2025-15052 | 0.04% | 10.7th | 3.5 | | This stored cross-site scripting (XSS) vulnerability in code-projects Student Information System 1.0 |
| 137 | CVE-2025-62780 | 0.04% | 10.8th | 3.5 | | This stored XSS vulnerability in changedetection.io allows attackers to inject malicious JavaScript |
| 138 | CVE-2025-13245 | 0.04% | 10.7th | 3.5 | | This vulnerability allows attackers to inject malicious scripts into the Student Information System |
| 139 | CVE-2025-13415 | 0.04% | 10.4th | 3.5 | | This vulnerability allows attackers to inject malicious scripts via SVG file uploads in EasyImages v |
| 140 | CVE-2025-14006 | 0.04% | 10.4th | 3.5 | | This is a cross-site scripting (XSS) vulnerability in XunRuiCMS up to version 4.7.1 that allows atta |
| 141 | CVE-2025-43533 | 0.04% | 10.5th | 3.5 | | This vulnerability involves memory corruption issues in Apple's operating systems that could allow a |
| 142 | CVE-2025-13178 | 0.04% | 10.4th | 3.5 | | This vulnerability allows attackers to inject malicious scripts into the first_name and last_name fi |
| 143 | CVE-2025-13180 | 0.04% | 10.4th | 3.5 | | This CVE describes a basic cross-site scripting (XSS) vulnerability in Bdtask/CodeCanyon Wholesale I |
| 144 | CVE-2025-35029 | 0.04% | 10.6th | 3.5 | | Medical Informatics Engineering Enterprise Health has a stored cross-site scripting (XSS) vulnerabil |
| 145 | CVE-2025-13758 | 0.04% | 10.4th | 3.5 | | Devolutions Server versions through 2025.2.20 and 2025.3.8 expose credentials in unintended requests |
| 146 | CVE-2025-12997 | 0.04% | 10.5th | 2.2 | | An Insecure Direct Object Reference vulnerability in Medtronic CareLink Network allows authenticated |
| 147 | CVE-2025-49300 | 0.04% | 10.4th | 2.7 | | This vulnerability in the Traveler Option Tree WordPress plugin exposes sensitive embedded data thro |
| 148 | CVE-2026-1705 | 0.04% | 10.2th | 2.4 | | This CVE describes a cross-site scripting (XSS) vulnerability in D-Link DSL-6641K routers. Attackers |
| 149 | CVE-2025-14221 | 0.04% | 10.4th | 3.5 | | This vulnerability allows attackers to inject malicious scripts into the First Name/Last Name fields |
| 150 | CVE-2026-24870 | 0.04% | 10.3th | 3.7 | | This CVE describes an information disclosure vulnerability in ixray-1.6-stcop software where sensiti |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, making it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
