Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:

- CVEs with EPSS > 50%: 164
- CISA KEV listed: 156
- CVEs with an EPSS score: 35,468
- Average EPSS score: 0.7%
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|------|--------|------------|------------|------|-------|---------|
| 1701 | CVE-2025-31886 | 0.17% | 37.9th | 4.3 | | This CVE describes a missing authorization vulnerability in the Repuso Social Proof Testimonials and |
| 1702 | CVE-2025-31865 | 0.17% | 37.9th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the CartBoss SMS Abandoned Cart Recovery |
| 1703 | CVE-2025-31846 | 0.17% | 37.9th | 4.3 | | This CVE describes a missing authorization vulnerability in the Theater for WordPress plugin that al |
| 1704 | CVE-2025-31831 | 0.17% | 37.9th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the AtomChat WordPress plugin that allow |
| 1705 | CVE-2025-31799 | 0.17% | 37.9th | 4.3 | | CVE-2025-31799 is a missing authorization vulnerability in the Publitio WordPress plugin that allows |
| 1706 | CVE-2025-31732 | 0.17% | 37.9th | 4.3 | | This CVE describes a missing authorization vulnerability in the GB Gallery Slideshow WordPress plugi |
| 1707 | CVE-2025-7797 | 0.17% | 38.1th | 5.3 | | A null pointer dereference vulnerability in GPAC's DASH client allows remote attackers to cause deni |
| 1708 | CVE-2025-56426 | 0.17% | 38th | 6.5 | | A remote code execution vulnerability in WebKul Bagisto v2.3.6 allows attackers to execute arbitrary |
| 1709 | CVE-2025-43889 | 0.17% | 37.9th | 5.3 | | Dell PowerProtect Data Domain systems running vulnerable DD OS versions contain a path traversal vul |
| 1710 | CVE-2025-11227 | 0.17% | 38th | 6.5 | | The GiveWP WordPress plugin has an information disclosure vulnerability that allows unauthenticated |
| 1711 | CVE-2025-13972 | 0.17% | 38th | 4.9 | | The WatchTowerHQ WordPress plugin contains an arbitrary file read vulnerability that allows authenti |
| 1712 | CVE-2025-65814 | 0.17% | 38th | 6.5 | | CVE-2025-65814 is a directory traversal vulnerability in RHOPHI Analytics LLP Office App-Edit Word v |
| 1713 | CVE-2026-2082 | 0.17% | 38th | 4.7 | | This CVE describes an OS command injection vulnerability in D-Link DIR-823X routers. Attackers can r |
| 1714 | CVE-2023-23672 | 0.17% | 37.8th | 5.4 | | CVE-2023-23672 is a missing authorization vulnerability in the GiveWP WordPress plugin that allows a |
| 1715 | CVE-2022-45811 | 0.17% | 37.8th | 5.4 | | CVE-2022-45811 is a missing authorization vulnerability in the WordPress Post Teaser plugin that all |
| 1716 | CVE-2024-56257 | 0.17% | 37.8th | 6.5 | | This DOM-based cross-site scripting (XSS) vulnerability in the CoolPlugins Coins MarketCap WordPress |
| 1717 | CVE-2024-56302 | 0.17% | 37.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the ConvertCalculator WordPress plugin allow |
| 1718 | CVE-2024-56263 | 0.17% | 37.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the GS Shots for Dribbble WordPress plugi |
| 1719 | CVE-2024-56261 | 0.17% | 37.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Project Showcase plugin allows |
| 1720 | CVE-2023-46080 | 0.17% | 37.8th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the WordPress ApplyOnline plugin that al |
| 1721 | CVE-2025-1186 | 0.17% | 37.9th | 6.3 | | This critical vulnerability in XunRuiCMS allows remote attackers to execute arbitrary code through d |
| 1722 | CVE-2025-31697 | 0.17% | 37.9th | 6.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by Drupal F |
| 1723 | CVE-2025-31695 | 0.17% | 37.9th | 6.1 | | This vulnerability allows attackers to inject malicious scripts into Drupal websites using the Link |
| 1724 | CVE-2025-31687 | 0.17% | 37.9th | 6.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by Drupal s |
| 1725 | CVE-2025-30006 | 0.17% | 37.9th | 6.1 | | Xorcom CompletePBX administrative control panel contains a reflected cross-site scripting vulnerabil |
| 1726 | CVE-2024-55093 | 0.17% | 37.9th | 5.4 | | phpIPAM through version 1.7.3 contains a reflected Cross-Site Scripting (XSS) vulnerability in its i |
| 1727 | CVE-2025-3026 | 0.17% | 37.9th | 6.1 | | This vulnerability in EJBCA Enterprise 8.0 allows attackers to manipulate HTTP Host headers to redir |
| 1728 | CVE-2025-2864 | 0.17% | 37.9th | 6.1 | | CVE-2025-2864 is a reflected cross-site scripting (XSS) vulnerability in SaTECH BCU firmware version |
| 1729 | CVE-2025-27633 | 0.17% | 37.9th | 6.1 | | TRMTracker web application contains a reflected cross-site scripting (XSS) vulnerability that allows |
| 1730 | CVE-2024-13598 | 0.17% | 37.9th | 6.1 | | This CVE describes a reflected cross-site scripting (XSS) vulnerability in the Internet Starter modu |
| 1731 | CVE-2024-10090 | 0.17% | 37.9th | 6.1 | | CVE-2024-10090 is a reflected cross-site scripting (XSS) vulnerability in SoftCOM iKSORIS Internet S |
| 1732 | CVE-2024-10088 | 0.17% | 37.9th | 6.1 | | This CVE describes a reflected cross-site scripting (XSS) vulnerability in Internet Starter, a modul |
| 1733 | CVE-2025-29476 | 0.17% | 37.8th | 5.5 | | A buffer overflow vulnerability exists in the compress_chunk_fuzzer component of c-blosc2, a high-pe |
| 1734 | CVE-2025-3191 | 0.17% | 37.9th | 6.1 | | All versions of react-draft-wysiwyg are vulnerable to stored XSS via the Embedded button feature. At |
| 1735 | CVE-2025-2162 | 0.17% | 37.7th | 4.8 | | The MapPress Maps for WordPress plugin before version 2.94.10 contains a stored cross-site scripting |
| 1736 | CVE-2025-32388 | 0.17% | 37.7th | 5.4 | | This CVE describes a cross-site scripting (XSS) vulnerability in SvelteKit where unsanitized search |
| 1737 | CVE-2025-30729 | 0.17% | 37.7th | 5.5 | | This vulnerability in Oracle Communications Order and Service Management allows authenticated attack |
| 1738 | CVE-2024-13610 | 0.17% | 37.7th | 4.8 | | This vulnerability in the Simple Social Media Share Buttons WordPress plugin allows administrators t |
| 1739 | CVE-2025-12468 | 0.17% | 37.6th | 5.3 | | This vulnerability allows unauthenticated attackers to access all WooCommerce coupon codes, IDs, and |
| 1740 | CVE-2024-36599 | 0.17% | 37.8th | 6.1 | | A stored cross-site scripting (XSS) vulnerability in Aegon Life v1.0 Life Insurance Management Syste |
| 1741 | CVE-2024-24445 | 0.17% | 37.6th | 6.5 | | OpenAirInterface CN5G AMF versions up to 2.0.0 contain a null pointer dereference vulnerability when |
| 1742 | CVE-2022-25773 | 0.17% | 37.5th | 4.3 | | CVE-2022-25773 is a path traversal vulnerability in Mautic's asset upload functionality that allows |
| 1743 | CVE-2025-3687 | 0.17% | 37.5th | 4.3 | | This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in the Sticky Notes Handler com |
| 1744 | CVE-2025-4545 | 0.17% | 37.5th | 5.4 | | This vulnerability allows authenticated attackers to delete arbitrary files on CTCMS Content Managem |
| 1745 | CVE-2025-14242 | 0.17% | 37.6th | 6.5 | | This vulnerability in vsftpd allows a remote authenticated attacker to cause a denial of service (Do |
| 1746 | CVE-2024-57437 | 0.16% | 37.5th | 6.5 | | RuoYi v4.8.0 contains a SQL injection vulnerability in the orderby parameter at the /monitor/online/ |
| 1747 | CVE-2024-38316 | 0.16% | 37.4th | 4.3 | | IBM Aspera Shares versions 1.9.0 through 1.10.0 PL6 have an email rate limiting vulnerability that a |
| 1748 | CVE-2025-31606 | 0.16% | 37.4th | 4.8 | | This CVE describes a Missing Authorization vulnerability in the SP Blog Designer WordPress plugin th |
| 1749 | CVE-2024-13650 | 0.16% | 37.4th | 6.4 | | This vulnerability allows authenticated WordPress users with Contributor-level access or higher to i |
| 1750 | CVE-2025-30964 | 0.16% | 37.4th | 5.4 | | This SSRF vulnerability in the Photography WordPress theme allows attackers to make the server send |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
