Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary
1451 | CVE-2026-23946 | 0.19% | 40.5th | 6.8 | | This critical vulnerability allows authenticated staff users in Tendenci CMS to execute arbitrary co
1452 | CVE-2024-6324 | 0.19% | 40.3th | 4.3 | | A denial-of-service vulnerability in GitLab allows attackers to create cyclic references between epi
1453 | CVE-2024-38731 | 0.19% | 40.3th | 4.3 | | This CSRF vulnerability in the Marsian i-amaze WordPress theme allows attackers to trick authenticat
1454 | CVE-2024-37237 | 0.19% | 40.3th | 4.3 | | This CSRF vulnerability in the FS Poster WordPress plugin allows attackers to trick authenticated ad
1455 | CVE-2024-38778 | 0.19% | 40.3th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the WP Fast Total Search WordPress plugin allow
1456 | CVE-2024-56251 | 0.19% | 40.3th | 4.3 | | This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in Event Espresso 4 Decaf, a Wo
1457 | CVE-2025-25192 | 0.19% | 40.4th | 6.5 | | CVE-2025-25192 allows low-privileged users in GLPI to enable debug mode, potentially exposing sensit
1458 | CVE-2025-32360 | 0.19% | 40.3th | 4.2 | | This vulnerability in Zammad allows logged-in customers to view and manipulate shared article drafts
1459 | CVE-2024-57681 | 0.19% | 40.3th | 5.3 | | An access control vulnerability in D-Link DIR-816 routers allows unauthenticated attackers to modify
1460 | CVE-2025-22139 | 0.19% | 40.1th | 6.1 | | A reflected cross-site scripting (XSS) vulnerability exists in WeGIA's configuracao_geral.php endpoi
1461 | CVE-2025-1166 | 0.19% | 40.1th | 6.3 | | CVE-2025-1166 is a critical unrestricted file upload vulnerability in SourceCodester Food Menu Manag
1462 | CVE-2024-13403 | 0.19% | 40.1th | 6.4 | | This vulnerability allows authenticated WordPress users with Contributor-level access or higher to i
1463 | CVE-2025-3608 | 0.19% | 40.1th | 6.5 | | A race condition in Firefox's nsHttpTransaction component could allow memory corruption, potentially
1464 | CVE-2025-51401 | 0.19% | 40.1th | 5.4 | | A stored cross-site scripting (XSS) vulnerability in Live Helper Chat v4.60 allows attackers to inje
1465 | CVE-2025-51398 | 0.19% | 40.1th | 5.4 | | A stored cross-site scripting (XSS) vulnerability in Live Helper Chat v4.60 allows attackers to inje
1466 | CVE-2025-51396 | 0.19% | 40.1th | 5.4 | | A stored cross-site scripting (XSS) vulnerability in Live Helper Chat v4.60 allows attackers to inje
1467 | CVE-2025-54104 | 0.19% | 40.1th | 6.7 | | A type confusion vulnerability in Windows Defender Firewall Service allows authenticated attackers t
1468 | CVE-2025-53810 | 0.19% | 40.1th | 6.7 | | This CVE describes a type confusion vulnerability in the Windows Defender Firewall Service that allo
1469 | CVE-2024-49354 | 0.18% | 40th | 5.3 | | IBM Concert versions 1.0.0 through 1.0.2 contain an API vulnerability that allows attackers to extra
1470 | CVE-2025-0225 | 0.18% | 40.1th | 4.3 | | This path traversal vulnerability in Tsinghua Unigroup Electronic Archives System allows attackers t
1471 | CVE-2024-9230 | 0.18% | 40th | 5.9 | | The PowerPress Podcasting plugin for WordPress before version 11.9.18 has a stored cross-site script
1472 | CVE-2025-54265 | 0.18% | 40th | 5.9 | | Adobe Commerce (Magento) versions 2.4.9-alpha2 through 2.4.4-p15 and earlier contain an incorrect au
1473 | CVE-2025-21268 | 0.18% | 40th | 4.3 | | This vulnerability allows attackers to bypass the MapUrlToZone security feature in Microsoft Windows
1474 | CVE-2024-12629 | 0.18% | 40th | 4.1 | | This CVE describes a prototype pollution vulnerability in Progress Telerik KendoReact components whe
1475 | CVE-2025-3001 | 0.18% | 39.9th | 5.3 | | A critical memory corruption vulnerability in PyTorch's torch.lstm_cell function allows local attack
1476 | CVE-2025-32795 | 0.18% | 40th | 6.5 | | This CVE describes an improper access control vulnerability in Dify, an open-source LLM app developm
1477 | CVE-2025-27571 | 0.18% | 40th | 4.3 | | This vulnerability allows authenticated users to view metadata from archived channels even when the
1478 | CVE-2025-48069 | 0.18% | 39.9th | 6.6 | | CVE-2025-48069 is a command injection vulnerability in ejson2env versions before 2.0.8 where insuffi
1479 | CVE-2025-11254 | 0.18% | 39.9th | 4.3 | | This CSV injection vulnerability in the Contest Gallery WordPress plugin allows unauthenticated atta
1480 | CVE-2025-48633 | 0.18% | 39.9th | 5.5 | KEV | This vulnerability in Android's DevicePolicyManagerService allows an attacker to add a Device Owner
1481 | CVE-2025-14206 | 0.18% | 40th | 6.5 | | This vulnerability in SourceCodester Online Student Clearance System 1.0 allows attackers to bypass
1482 | CVE-2024-52612 | 0.18% | 39.8th | 6.8 | | SolarWinds Platform contains a reflected cross-site scripting vulnerability that allows authenticate
1483 | CVE-2025-24278 | 0.18% | 39.8th | 5.5 | | A symlink validation vulnerability in macOS allows applications to bypass file system protections an
1484 | CVE-2025-31679 | 0.18% | 39.9th | 6.1 | | This Cross-Site Scripting (XSS) vulnerability in Drupal's Ignition Error Pages module allows attacke
1485 | CVE-2025-32379 | 0.18% | 39.9th | 5.0 | | This vulnerability in Koa.js allows cross-site scripting (XSS) attacks when untrusted user input is
1486 | CVE-2025-30303 | 0.18% | 39.8th | 5.5 | | Adobe Framemaker versions 2020.8, 2022.6 and earlier contain an out-of-bounds read vulnerability tha
1487 | CVE-2025-27202 | 0.18% | 39.8th | 5.5 | | Adobe Animate versions 24.0.7, 23.0.10 and earlier contain an out-of-bounds read vulnerability that
1488 | CVE-2025-27186 | 0.18% | 39.8th | 5.5 | | Adobe After Effects versions 25.1, 24.6.4 and earlier contain an out-of-bounds read vulnerability th
1489 | CVE-2025-27184 | 0.18% | 39.8th | 5.5 | | CVE-2025-27184 is an out-of-bounds read vulnerability in Adobe After Effects that could allow an att
1490 | CVE-2025-5720 | 0.18% | 39.9th | 6.4 | | This vulnerability allows unauthenticated attackers to inject malicious scripts into WordPress websi
1491 | CVE-2025-48631 | 0.18% | 39.8th | 6.5 | | This vulnerability in Android's LocalImageResolver component allows remote attackers to cause persis
1492 | CVE-2024-7577 | 0.18% | 39.6th | 4.4 | | IBM InfoSphere Information Server 11.7 may expose sensitive user credentials in log files during new
1493 | CVE-2024-55029 | 0.18% | 39.7th | 6.1 | | NASA Fprime v3.4.3 contains multiple cross-site scripting (XSS) vulnerabilities that allow attackers
1494 | CVE-2025-2744 | 0.18% | 39.6th | 5.4 | | This critical vulnerability in ruoyi-vue-pro 2.4.1 allows attackers to perform path traversal attack
1495 | CVE-2024-13895 | 0.18% | 39.7th | 4.3 | | The Code Snippets CPT WordPress plugin allows authenticated attackers with Subscriber-level access o
1496 | CVE-2020-36844 | 0.18% | 39.7th | 6.1 | | This vulnerability allows reflected cross-site scripting (XSS) attacks in KnowBe4 Security Awareness
1497 | CVE-2025-29015 | 0.18% | 39.7th | 6.1 | | Code Astro Internet Banking System 2.0.0 contains a stored cross-site scripting vulnerability in the
1498 | CVE-2025-29710 | 0.18% | 39.7th | 6.1 | | SourceCodester Company Website CMS 1.0 contains a stored cross-site scripting (XSS) vulnerability in
1499 | CVE-2025-32230 | 0.18% | 39.7th | 4.3 | | This vulnerability allows attackers to inject malicious HTML/JavaScript into Tutor LMS web pages thr
1500 | CVE-2025-3245 | 0.18% | 39.7th | 6.3 | | This critical SQL injection vulnerability in itsourcecode Library Management System 1.0 allows attac

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A vulnerability with a critical CVSS of 9.8 but an EPSS of 0.1% may be less urgent than one with a high CVSS of 7.5 and an EPSS of 90%.
