Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Ranks 1551 to 1600 of the EPSS ranking (summaries are truncated as displayed):

Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary
1551 | CVE-2024-56246 | 0.18% | 38.9th | 6.5 | - | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Next
1552 | CVE-2024-13372 | 0.18% | 38.9th | 5.3 | - | This vulnerability allows unauthenticated attackers to download user resumes without authorization i
1553 | CVE-2025-21104 | 0.18% | 38.9th | 4.3 | - | Dell NetWorker Management Console versions prior to 19.11.0.4 and version 19.12 contain an open redi
1554 | CVE-2025-30718 | 0.18% | 38.9th | 5.4 | - | This vulnerability in Oracle E-Business Suite's Applications Framework allows authenticated attacker
1555 | CVE-2025-8268 | 0.18% | 38.9th | 6.5 | - | The AI Engine WordPress plugin up to version 2.9.5 lacks proper authentication checks in its REST AP
1556 | CVE-2025-20370 | 0.18% | 38.9th | 4.9 | - | This vulnerability allows authenticated Splunk users with the 'change_authentication' capability to
1557 | CVE-2024-36510 | 0.17% | 38.8th | 5.3 | - | This vulnerability allows unauthenticated attackers to enumerate valid user accounts on Fortinet pro
1558 | CVE-2025-1402 | 0.17% | 38.8th | 5.3 | - | This vulnerability in the Event Tickets and Registration WordPress plugin allows authenticated attac
1559 | CVE-2025-2074 | 0.17% | 38.7th | 5.3 | - | This SQL injection vulnerability in the Advanced Google reCAPTCHA WordPress plugin allows authentica
1560 | CVE-2024-12650 | 0.17% | 38.7th | 5.4 | - | This vulnerability allows low-privileged attackers to manipulate memory size requests, causing the a
1561 | CVE-2025-1478 | 0.17% | 38.7th | 6.5 | - | A denial-of-service vulnerability in GitLab CE/EE allows attackers to crash the service by exploitin
1562 | CVE-2025-8097 | 0.17% | 38.8th | 5.3 | - | The WoodMart WordPress theme has an input validation vulnerability that allows unauthenticated attac
1563 | CVE-2025-11630 | 0.17% | 38.7th | 6.3 | - | This CVE describes a path traversal vulnerability in RainyGao DocSys up to version 2.02.36. Attacker
1564 | CVE-2025-14539 | 0.17% | 38.7th | 5.4 | - | The Shortcode Ajax WordPress plugin allows unauthenticated attackers to execute arbitrary shortcodes
1565 | CVE-2025-22221 | 0.17% | 38.7th | 5.2 | - | VMware Aria Operations for Logs contains a stored cross-site scripting vulnerability where an authen
1566 | CVE-2025-24353 | 0.17% | 38.6th | 5.0 | - | This vulnerability in Directus allows users with typical permissions to specify arbitrary roles when
1567 | CVE-2024-12615 | 0.17% | 38.7th | 6.5 | - | The Passwords Manager WordPress plugin contains a SQL injection vulnerability that allows authentica
1568 | CVE-2025-21374 | 0.17% | 38.7th | 5.5 | - | This vulnerability in the Windows Client Side Caching (CSC) service allows an authenticated attacker
1569 | CVE-2025-0335 | 0.17% | 38.7th | 6.3 | - | This vulnerability allows attackers to upload arbitrary files without restrictions through the Chang
1570 | CVE-2025-1517 | 0.17% | 38.6th | 6.4 | - | This vulnerability allows authenticated WordPress users with contributor-level access or higher to i
1571 | CVE-2024-13428 | 0.17% | 38.7th | 5.3 | - | This vulnerability allows unauthenticated attackers to delete arbitrary company logos in the WP Job
1572 | CVE-2025-30884 | 0.17% | 38.6th | 4.7 | - | This CVE describes an open redirect vulnerability in the Bit Integrations WordPress plugin that allo
1573 | CVE-2025-30859 | 0.17% | 38.6th | 4.7 | - | This CVE describes an open redirect vulnerability in the AliNext WordPress plugin that allows attack
1574 | CVE-2025-30781 | 0.17% | 38.6th | 4.7 | - | This vulnerability allows attackers to redirect users from legitimate WooCommerce order status pages
1575 | CVE-2025-2706 | 0.17% | 38.7th | 6.3 | - | This critical vulnerability in Digiwin ERP 5.0.1 allows remote attackers to upload arbitrary files v
1576 | CVE-2025-27653 | 0.17% | 38.6th | 6.1 | - | This vulnerability allows attackers to inject malicious scripts into the Vasion Print (formerly Prin
1577 | CVE-2025-39599 | 0.17% | 38.6th | 4.7 | - | This CVE describes an open redirect vulnerability in Webilia Inc.'s Listdom WordPress plugin that al
1578 | CVE-2025-39597 | 0.17% | 38.6th | 4.7 | - | This CVE describes an open redirect vulnerability in the Fast eBay Listings WordPress plugin that al
1579 | CVE-2025-32694 | 0.17% | 38.6th | 4.7 | - | This vulnerability allows attackers to redirect users from legitimate WordPress sites to malicious w
1580 | CVE-2025-31871 | 0.17% | 38.6th | 4.7 | - | This vulnerability allows attackers to redirect users from legitimate WordPress sites to malicious w
1581 | CVE-2025-31821 | 0.17% | 38.6th | 4.7 | - | This vulnerability allows attackers to redirect users from legitimate WordPress sites to malicious w
1582 | CVE-2025-55303 | 0.17% | 38.7th | 6.1 | - | This vulnerability in Astro web framework allows attackers to bypass third-party domain restrictions
1583 | CVE-2025-0703 | 0.17% | 38.5th | 4.3 | - | This CVE describes a path traversal vulnerability in JoeyBling bootplus that allows attackers to acc
1584 | CVE-2025-24591 | 0.17% | 38.6th | 4.3 | - | This CVE describes a missing authorization vulnerability in the NinjaTeam GDPR CCPA Compliance Suppo
1585 | CVE-2025-21210 | 0.17% | 38.6th | 4.2 | - | This Windows BitLocker vulnerability allows an authenticated attacker to access sensitive informatio
1586 | CVE-2024-56236 | 0.17% | 38.6th | 4.3 | - | This CVE describes a Missing Authorization vulnerability in the Hestia Nginx Cache WordPress plugin
1587 | CVE-2023-47515 | 0.17% | 38.6th | 5.3 | - | This CVE describes a Missing Authorization vulnerability in the Seers WordPress plugin that allows a
1588 | CVE-2023-46637 | 0.17% | 38.6th | 5.3 | - | This CVE describes a Missing Authorization vulnerability in the WordPress Generate Dummy Posts plugi
1589 | CVE-2023-46083 | 0.17% | 38.6th | 5.3 | - | This CVE describes a missing authorization vulnerability in Kali Forms WordPress plugin that allows
1590 | CVE-2023-46073 | 0.17% | 38.6th | 5.3 | - | This CVE describes a Missing Authorization vulnerability in the DX Delete Attached Media WordPress p
1591 | CVE-2023-45766 | 0.17% | 38.6th | 5.3 | - | This CVE describes a missing authorization vulnerability in the Poll Maker WordPress plugin that all
1592 | CVE-2023-45061 | 0.17% | 38.6th | 5.3 | - | This CVE describes a Missing Authorization vulnerability in the WP Job Openings WordPress plugin by
1593 | CVE-2023-44258 | 0.17% | 38.6th | 5.3 | - | This CVE describes a Missing Authorization vulnerability in Schema App Structured Data WordPress plu
1594 | CVE-2023-51315 | 0.17% | 38.5th | 5.4 | - | PHPJabbers Restaurant Booking System v3.0 contains multiple stored cross-site scripting (XSS) vulner
1595 | CVE-2023-51312 | 0.17% | 38.5th | 5.4 | - | PHPJabbers Restaurant Booking System v3.0 contains a reflected cross-site scripting vulnerability in
1596 | CVE-2024-24911 | 0.17% | 38.5th | 5.3 | - | This vulnerability causes the cpca process on Check Point Security Management/Domain Management Serv
1597 | CVE-2024-41643 | 0.17% | 38.6th | 6.8 | - | This vulnerability allows a physically proximate attacker to execute arbitrary code on Arris NVG443B
1598 | CVE-2025-27676 | 0.17% | 38.6th | 6.1 | - | This vulnerability allows cross-site scripting (XSS) attacks in the Reports module of Vasion Print (
1599 | CVE-2025-32036 | 0.17% | 38.6th | 4.2 | - | CVE-2025-32036 is a captcha bypass vulnerability in DNN CMS where the generated captcha images have
1600 | CVE-2025-27205 | 0.17% | 38.6th | 5.4 | - | Adobe Experience Manager Screens versions FP11.3 and earlier contain a stored cross-site scripting v

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by the EPSS Special Interest Group at FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity (how bad successful exploitation would be), EPSS measures likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first. Two numbers are published per CVE and shown in the table above: the EPSS score, a probability between 0 and 1 (displayed here as a percentage), and the percentile, the share of all scored CVEs with an EPSS score at or below that one. An entry at the 38.9th percentile, for example, scores higher than roughly 39% of scored CVEs. Scores are recomputed daily as new exploitation evidence arrives, so a CVE's position on this page is a snapshot rather than a fixed property.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous, and only a small fraction are ever exploited. EPSS lets security teams focus on the CVEs most likely to be actively exploited rather than patching solely by CVSS score: a critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS. The two scores answer different questions, so they work best together: EPSS for likelihood, CVSS for impact, and the CISA KEV catalogue for confirmed exploitation, which should override any prediction.
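A worked example of that prioritisation, added here as an illustration and not code from this page's operator or from FIRST: it parses a response in the JSON shape the public EPSS API (https://api.first.org/data/v1/epss) returns, where each row carries "cve", "epss", "percentile" and "date" as strings, and orders the entries by CISA KEV membership first, then EPSS probability, then percentile and CVSS as tie-breaks, next to a plain CVSS sort for contrast. The response body, the CVSS lookup and the KEV set are constructed inline so the script runs offline. The EPSS, percentile and CVSS values for the three real CVE IDs are copied from the table above; the two CVE-EXAMPLE-* rows are hypothetical placeholders standing in for the 9.8/0.1% and 7.5/90% comparison in the paragraph, and listing one of them in KEV is an assumption for the example.

```python
"""Rank CVEs by exploit likelihood (EPSS + KEV) instead of by CVSS alone.

Added worked example, not code from this page or from FIRST. The input format
mirrors the public EPSS API (https://api.first.org/data/v1/epss), whose rows
carry "cve", "epss", "percentile" and "date" as strings. All sample data below
is constructed for the example: the real CVE IDs use the values shown in the
table on this page; the CVE-EXAMPLE-* IDs are hypothetical placeholders.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample in the EPSS API response shape (not fetched live).
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
    "total": 5, "offset": 0, "limit": 100,
    "data": [
        {"cve": "CVE-2024-56246", "epss": "0.001800", "percentile": "0.389000", "date": "2025-01-01"},
        {"cve": "CVE-2024-36510", "epss": "0.001700", "percentile": "0.388000", "date": "2025-01-01"},
        {"cve": "CVE-2025-1478",  "epss": "0.001700", "percentile": "0.387000", "date": "2025-01-01"},
        # Hypothetical placeholders for the CVSS 9.8 / 0.1% vs CVSS 7.5 / 90% comparison.
        {"cve": "CVE-EXAMPLE-A",  "epss": "0.001000", "percentile": "0.300000", "date": "2025-01-01"},
        {"cve": "CVE-EXAMPLE-B",  "epss": "0.900000", "percentile": "0.999000", "date": "2025-01-01"},
    ],
})

# CVSS base scores (table values for the real IDs; placeholders hypothetical).
SAMPLE_CVSS = {
    "CVE-2024-56246": 6.5, "CVE-2024-36510": 5.3, "CVE-2025-1478": 6.5,
    "CVE-EXAMPLE-A": 9.8, "CVE-EXAMPLE-B": 7.5,
}
# Constructed KEV membership (assumed); in practice load the CISA KEV catalogue JSON.
SAMPLE_KEV = {"CVE-EXAMPLE-B"}


@dataclass(frozen=True)
class Vuln:
    cve: str
    epss: float        # probability of exploitation in the next 30 days (0..1)
    percentile: float  # share of scored CVEs with an EPSS at or below this one (0..1)
    cvss: float        # CVSS base score (0..10)
    kev: bool          # listed in CISA's Known Exploited Vulnerabilities catalogue


def parse_epss_response(text: str) -> dict[str, tuple[float, float]]:
    """Map cve -> (epss, percentile); the API ships both as decimal strings."""
    body = json.loads(text)
    if body.get("status") != "OK":
        raise ValueError(f"EPSS API returned status {body.get('status')!r}")
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in body["data"]}


def build_vulns(epss_text: str, cvss: dict[str, float], kev: set[str]) -> list[Vuln]:
    """Join EPSS rows with CVSS scores and KEV membership into Vuln records."""
    scores = parse_epss_response(epss_text)
    return [Vuln(cve, e, p, cvss.get(cve, 0.0), cve in kev)
            for cve, (e, p) in scores.items()]


def exploit_risk_key(v: Vuln) -> tuple:
    """KEV first (observed exploitation beats any prediction), then EPSS,
    then percentile, then CVSS. Values are negated so sorted() ascends."""
    return (not v.kev, -v.epss, -v.percentile, -v.cvss)


def rank_by_exploit_risk(vulns: list[Vuln]) -> list[str]:
    return [v.cve for v in sorted(vulns, key=exploit_risk_key)]


def rank_by_cvss(vulns: list[Vuln]) -> list[str]:
    """Severity-only ordering, for contrast (EPSS only breaks CVSS ties)."""
    return [v.cve for v in sorted(vulns, key=lambda v: (-v.cvss, -v.epss))]


def summarize(vulns: list[Vuln], epss_threshold: float = 0.5) -> dict[str, float]:
    """The same headline numbers shown at the top of this page."""
    return {
        "epss_over_threshold": sum(v.epss > epss_threshold for v in vulns),
        "kev_listed": sum(v.kev for v in vulns),
        "cves_with_epss": len(vulns),
        "avg_epss_pct": round(100 * sum(v.epss for v in vulns) / len(vulns), 1),
    }


if __name__ == "__main__":
    vulns = build_vulns(SAMPLE_EPSS_RESPONSE, SAMPLE_CVSS, SAMPLE_KEV)
    print("by CVSS:        ", rank_by_cvss(vulns))
    print("by exploit risk:", rank_by_exploit_risk(vulns))
    print(summarize(vulns))
```

Run as a script, the CVSS ordering puts the hypothetical 9.8 first, while the exploit-risk ordering drops it to last and promotes the 90% EPSS entry; the three real CVEs keep their relative order from the table in both views. To use it against live data, replace SAMPLE_EPSS_RESPONSE with the body of a GET to the EPSS API (the cve parameter accepts a comma-separated list) and SAMPLE_KEV with the set of cveID values from the CISA KEV catalogue JSON.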

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
