Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV listed: 156
CVEs with EPSS: 35,468
Average EPSS score: 0.7%
Rank | CVE ID         | EPSS Score | Percentile | CVSS | Flags | Summary
1901 | CVE-2026-0792  | 0.68%      | 71.1       | 9.8  |       | This vulnerability allows unauthenticated remote attackers to execute arbitrary code on ALGO 8180 IP
1902 | CVE-2026-0791  | 0.68%      | 71.1       | 9.8  |       | This vulnerability allows remote attackers to execute arbitrary code on ALGO 8180 IP Audio Alerter d
1903 | CVE-2026-23524 | 0.68%      | 71.1       | 9.8  |       | CVE-2026-23524 is a critical deserialization vulnerability in Laravel Reverb that allows remote code
1904 | CVE-2024-53834 | 0.68%      | 71.1       | 7.5  |       | This vulnerability in Android's SMS utilities allows remote attackers to read memory beyond intended
1905 | CVE-2025-21376 | 0.68%      | 71.1       | 8.1  |       | This vulnerability allows remote attackers to execute arbitrary code on Windows systems running vuln
1906 | CVE-2025-49836 | 0.68%      | 71.1       | 9.8  |       | This CVE describes a command injection vulnerability in GPT-SoVITS-WebUI that allows attackers to ex
1907 | CVE-2025-49834 | 0.68%      | 71.1       | 9.8  |       | This CVE describes a command injection vulnerability in GPT-SoVITS-WebUI that allows attackers to ex
1908 | CVE-2023-36419 | 0.68%      | 71.1       | 8.8  |       | This vulnerability in Azure HDInsight's Apache Oozie workflow scheduler allows attackers to perform
1909 | CVE-2025-0390  | 0.68%      | 71.1       | 5.3  |       | This critical path traversal vulnerability in Jeewms allows attackers to access arbitrary files on t
1910 | CVE-2025-12945 | 0.68%      | 71.1       | 7.2  |       | This vulnerability allows authenticated administrators on NETGEAR Nighthawk R7000P routers to execut
1911 | CVE-2025-25200 | 0.68%      | 71         | 7.5  |       | Koa middleware for Node.js versions prior to 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 contain a regu
1912 | CVE-2024-10636 | 0.68%      | 71         | 6.1  |       | This vulnerability allows unauthenticated attackers to inject malicious scripts via the 'content' pa
1913 | CVE-2024-20153 | 0.68%      | 71         | 7.5  |       | This vulnerability allows attackers to spoof Wi-Fi access point SSIDs, tricking client devices into
1914 | CVE-2024-12339 | 0.68%      | 71         | 6.1  |       | The Digihood HTML Sitemap WordPress plugin contains a reflected cross-site scripting vulnerability i
1915 | CVE-2024-11376 | 0.68%      | 71         | 6.1  |       | This vulnerability allows unauthenticated attackers to perform reflected cross-site scripting (XSS)
1916 | CVE-2025-25246 | 0.68%      | 71         | 8.1  |       | This vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected NET
1917 | CVE-2024-13497 | 0.68%      | 71         | 7.2  |       | The Tripetto WordPress plugin (versions up to 8.0.9) has a stored XSS vulnerability in attachment up
1918 | CVE-2025-1561  | 0.68%      | 71         | 7.2  |       | This vulnerability allows unauthenticated attackers to inject malicious JavaScript into WordPress pa
1919 | CVE-2024-13827 | 0.68%      | 71         | 6.1  |       | This vulnerability allows unauthenticated attackers to inject malicious scripts into WordPress pages
1920 | CVE-2024-44373 | 0.68%      | 71         | 9.8  |       | CVE-2024-44373 is a critical path traversal vulnerability in AllSky software that allows unauthentic
1921 | CVE-2025-3237  | 0.67%      | 70.9       | 5.3  |       | This vulnerability in Tenda FH1202 routers allows attackers to bypass access controls via the /gofor
1922 | CVE-2024-12919 | 0.67%      | 70.9       | 9.8  |       | This vulnerability allows unauthenticated attackers to bypass authentication in the Paid Membership
1923 | CVE-2025-3445  | 0.67%      | 70.9       | 8.1  |       | A path traversal vulnerability in mholt/archiver Go library allows attackers to create or overwrite
1924 | CVE-2025-30014 | 0.67%      | 70.9       | 7.7  |       | SAP Capital Yield Tax Management contains a directory traversal vulnerability (CWE-35) that allows a
1925 | CVE-2025-34506 | 0.67%      | 70.9       | 8.8  |       | This vulnerability allows authenticated administrators in WBCE CMS to upload malicious ZIP modules c
1926 | CVE-2024-57684 | 0.67%      | 70.9       | 9.8  |       | This vulnerability allows unauthenticated attackers to remotely configure the DMZ (Demilitarized Zon
1927 | CVE-2025-7721  | 0.67%      | 70.8       | 9.8  |       | This vulnerability allows unauthenticated attackers to perform Local File Inclusion (LFI) in the Joo
1928 | CVE-2025-3155  | 0.67%      | 70.8       | 7.4  |       | CVE-2025-3155 is a vulnerability in Yelp (the GNOME help application) that allows malicious help doc
1929 | CVE-2024-56366 | 0.67%      | 70.8       | 5.4  |       | PhpSpreadsheet versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a reflected cross-site scri
1930 | CVE-2024-13182 | 0.67%      | 70.8       | 9.8  |       | The WP Directorybox Manager WordPress plugin has an authentication bypass vulnerability that allows
1931 | CVE-2024-57451 | 0.67%      | 70.8       | 7.5  |       | ChestnutCMS versions 1.5.0 and earlier contain a directory traversal vulnerability in the FileContro
1932 | CVE-2025-1515  | 0.67%      | 70.8       | 9.8  |       | The WP Real Estate Manager WordPress plugin has an authentication bypass vulnerability that allows u
1933 | CVE-2025-4803  | 0.67%      | 70.8       | 7.2  |       | This vulnerability allows authenticated WordPress administrators to perform PHP object injection via
1934 | CVE-2024-11187 | 0.67%      | 70.8       | 7.5  |       | This CVE describes a resource exhaustion vulnerability in BIND DNS servers where specially crafted z
1935 | CVE-2025-23359 | 0.67%      | 70.8       | 8.3  |       | CVE-2025-23359 is a Time-of-Check Time-of-Use (TOCTOU) vulnerability in NVIDIA Container Toolkit for
1936 | CVE-2025-28236 | 0.67%      | 70.8       | 9.8  |       | This vulnerability allows remote attackers to execute arbitrary code on Nautel VX Series transmitter
1937 | CVE-2025-25053 | 0.67%      | 70.8       | 8.8  |       | This CVE describes an OS command injection vulnerability in the WEB UI setting page of Wi-Fi AP UNIT
1938 | CVE-2025-6895  | 0.67%      | 70.8       | 9.8  |       | The Melapress Login Security WordPress plugin versions 2.1.0 to 2.1.1 contain an authentication bypa
1939 | CVE-2025-67684 | 0.67%      | 70.8       | 7.2  |       | Quick.Cart e-commerce software contains a Local File Inclusion and Path Traversal vulnerability in i
1940 | CVE-2024-13562 | 0.67%      | 70.7       | 7.5  |       | The Import WP plugin for WordPress exposes sensitive data stored in the uploads directory to unauthe
1941 | CVE-2024-13434 | 0.67%      | 70.7       | 6.1  |       | The WP Inventory Manager WordPress plugin up to version 2.3.2 contains a reflected cross-site script
1942 | CVE-2024-56248 | 0.67%      | 70.7       | 4.9  |       | This path traversal vulnerability in the WPMasterToolKit WordPress plugin allows attackers to downlo
1943 | CVE-2025-3917  | 0.67%      | 70.7       | 9.8  |       | This vulnerability allows unauthenticated attackers to upload arbitrary files to WordPress sites usi
1944 | CVE-2025-24366 | 0.66%      | 70.7       | 7.5  |       | This vulnerability allows authenticated SFTPGo users to exploit unsanitized rsync command arguments
1945 | CVE-2025-57432 | 0.66%      | 70.7       | 9.8  |       | Blackmagic Web Presenter version 3.3 exposes an unauthenticated Telnet service on port 9977, allowin
1946 | CVE-2025-15467 | 0.66%      | 70.7       | 9.8  |       | This vulnerability allows attackers to trigger a stack buffer overflow by sending maliciously crafte
1947 | CVE-2025-2484  | 0.66%      | 70.7       | 6.1  |       | The Multi Video Box WordPress plugin has a reflected cross-site scripting vulnerability in versions
1948 | CVE-2025-2164  | 0.66%      | 70.7       | 6.1  |       | The pixelstats WordPress plugin contains a reflected cross-site scripting vulnerability in all versi
1949 | CVE-2025-2166  | 0.66%      | 70.7       | 6.1  |       | This vulnerability allows unauthenticated attackers to execute reflected cross-site scripting (XSS)
1950 | CVE-2024-13413 | 0.66%      | 70.7       | 6.1  |       | The ProductDyno WordPress plugin has a reflected cross-site scripting (XSS) vulnerability in all ver

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
