Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:
- 164 CVEs with EPSS > 50%
- 156 CVEs listed in the CISA KEV catalog
- 35,468 CVEs with an EPSS score
- 0.7% average EPSS score
Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary
1901 | CVE-2025-12978 | 0.15% | 36th | 5.4 | | Fluent Bit's in_http, in_splunk, and in_elasticsearch input plugins have a tag validation flaw where
1902 | CVE-2026-2218 | 0.15% | 36th | 6.3 | | This CVE describes a command injection vulnerability in D-Link DCS-933L IP cameras through the /setS
1903 | CVE-2025-0696 | 0.15% | 35.9th | 5.3 | | CVE-2025-0696 is a NULL pointer dereference vulnerability in Cesanta Frozen JSON parsing library ver
1904 | CVE-2024-33298 | 0.15% | 35.9th | 6.1 | | Microweber v2.0.9 contains a cross-site scripting (XSS) vulnerability in the backup creation functio
1905 | CVE-2025-0235 | 0.15% | 35.9th | 5.3 | | This vulnerability allows attackers to execute arbitrary code or cause denial of service by exploiti
1906 | CVE-2025-24607 | 0.15% | 35.9th | 5.8 | | This CVE describes a Missing Authorization vulnerability in the IdeaPush WordPress plugin that allow
1907 | CVE-2025-0445 | 0.15% | 35.9th | 5.4 | | This vulnerability is a use-after-free memory corruption flaw in Chrome's V8 JavaScript engine that
1908 | CVE-2024-9107 | 0.15% | 35.9th | 5.4 | | A stored cross-site scripting (XSS) vulnerability in the gaizhenbiao/chuanhuchatgpt repository allow
1909 | CVE-2024-13901 | 0.15% | 35.9th | 4.4 | | This vulnerability allows authenticated attackers with administrator-level access to inject maliciou
1910 | CVE-2025-0618 | 0.15% | 36th | 6.5 | | This vulnerability allows a malicious actor to cause a persistent denial of service in FireEye EDR a
1911 | CVE-2025-3474 | 0.15% | 35.9th | 6.5 | | This CVE describes a missing authentication vulnerability in Drupal Panels that allows attackers to
1912 | CVE-2024-6690 | 0.15% | 35.9th | 6.1 | | The wccp-pro WordPress plugin before version 15.3 contains an open redirect vulnerability via the re
1913 | CVE-2023-6541 | 0.15% | 36th | 6.1 | | The Allow SVG WordPress plugin before version 1.2.0 fails to sanitize uploaded SVG files, allowing u
1914 | CVE-2025-31239 | 0.15% | 35.9th | 4.3 | | A use-after-free vulnerability in Apple operating systems allows parsing malicious files to cause un
1915 | CVE-2025-4329 | 0.15% | 35.9th | 4.3 | | This vulnerability in 74CMS allows attackers to perform path traversal attacks by manipulating the '
1916 | CVE-2025-4779 | 0.15% | 36th | 6.1 | | This stored XSS vulnerability in lunary-ai/lunary allows unauthenticated attackers to inject malicio
1917 | CVE-2025-30261 | 0.15% | 36th | 6.5 | | This vulnerability in Qsync Central allows authenticated remote attackers to perform resource exhaus
1918 | CVE-2025-29900 | 0.15% | 36th | 6.5 | | This vulnerability in QNAP File Station 5 allows authenticated attackers to exhaust system resources
1919 | CVE-2025-29898 | 0.15% | 36th | 6.5 | | An uncontrolled resource consumption vulnerability in Qsync Central allows authenticated remote atta
1920 | CVE-2025-10472 | 0.15% | 35.9th | 5.3 | | A path traversal vulnerability in MoneyPrinterTurbo allows attackers to access arbitrary files on th
1921 | CVE-2025-15106 | 0.15% | 35.9th | 6.3 | | CVE-2025-15106 is an improper authorization vulnerability in getmaxun maxun's authentication endpoin
1922 | CVE-2025-63372 | 0.15% | 35.9th | 4.3 | | Articentgroup Zip Rar Extractor Tool 1.345.93.0 contains a directory traversal vulnerability in its
1923 | CVE-2025-0662 | 0.15% | 35.8th | 4.9 | | CVE-2025-0662 is a kernel memory leak vulnerability in FreeBSD's ktrace facility that allows unprivi
1924 | CVE-2025-22608 | 0.15% | 35.7th | 6.5 | | Coolify versions before 4.0.0-beta.361 have an authorization flaw where any authenticated user can r
1925 | CVE-2025-24427 | 0.15% | 35.8th | 6.5 | | CVE-2025-24427 is an improper access control vulnerability in Adobe Commerce that allows low-privile
1926 | CVE-2024-57004 | 0.15% | 35.7th | 6.1 | | This Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail allows authenticated users to upl
1927 | CVE-2025-22066 | 0.15% | 35.8th | 5.5 | | This CVE describes a NULL pointer dereference vulnerability in the Linux kernel's ASoC imx-card driv
1928 | CVE-2025-3388 | 0.15% | 35.7th | 4.3 | | This vulnerability allows attackers to inject malicious scripts through the username parameter durin
1929 | CVE-2025-3256 | 0.15% | 35.9th | 6.3 | | This vulnerability in admintwo 1.0 allows attackers to bypass access controls via the email paramete
1930 | CVE-2025-28132 | 0.15% | 35.8th | 4.6 | | A session management vulnerability in Nagios Network Analyzer allows attackers to reuse session toke
1931 | CVE-2025-2906 | 0.15% | 35.8th | 6.4 | | The Contempo Real Estate Core WordPress plugin has a stored XSS vulnerability that allows authentica
1932 | CVE-2025-33004 | 0.15% | 35.9th | 6.5 | | This vulnerability in IBM Planning Analytics Local allows privileged users to delete files from dire
1933 | CVE-2025-41677 | 0.15% | 35.8th | 4.9 | | This vulnerability allows a high-privileged remote attacker to cause denial of service by exhausting
1934 | CVE-2025-47999 | 0.15% | 35.7th | 6.8 | | A missing synchronization vulnerability in Windows Hyper-V allows an authenticated attacker on an ad
1935 | CVE-2025-55673 | 0.15% | 35.8th | 4.3 | | This vulnerability allows guest users in Apache Superset to access database schema information throu
1936 | CVE-2025-59535 | 0.15% | 35.8th | 6.5 | | DNN CMS versions before 10.1.0 allow attackers to load arbitrary themes via query parameters, potent
1937 | CVE-2025-59790 | 0.15% | 35.8th | 5.4 | | CVE-2025-59790 is an improper privilege management vulnerability in Apache Kvrocks that could allow
1938 | CVE-2025-49088 | 0.15% | 35.8th | 5.9 | | This vulnerability in Pexip Infinity's OTJ service allows remote attackers to cause denial of servic
1939 | CVE-2025-24628 | 0.15% | 35.6th | 5.3 | | This vulnerability allows attackers to bypass CAPTCHA verification in the BestWebSoft Google Captcha
1940 | CVE-2025-26960 | 0.15% | 35.6th | 6.5 | | This CVE describes a Missing Authorization vulnerability in the Small Package Quotes – Unishippers
1941 | CVE-2025-24567 | 0.15% | 35.6th | 6.5 | | This vulnerability in WP Mailster WordPress plugin exposes sensitive embedded data in sent emails. A
1942 | CVE-2025-23766 | 0.15% | 35.6th | 6.5 | | This CVE describes a Missing Authorization vulnerability in the OPSI Israel Domestic Shipments WordP
1943 | CVE-2025-22730 | 0.15% | 35.6th | 6.5 | | This CVE describes a missing authorization vulnerability in the Ksher WordPress payment plugin that
1944 | CVE-2025-24697 | 0.15% | 35.6th | 6.5 | | This CVE describes a missing authorization vulnerability in the Realwebcare Image Gallery WordPress
1945 | CVE-2025-24643 | 0.15% | 35.6th | 6.5 | | This CVE describes a Missing Authorization vulnerability in WPGuppy WordPress plugin that allows att
1946 | CVE-2025-24639 | 0.15% | 35.6th | 6.5 | | This vulnerability in GREYS Korea for WooCommerce WordPress plugin exposes sensitive embedded data t
1947 | CVE-2025-1508 | 0.15% | 35.6th | 5.3 | | The WP Crowdfunding WordPress plugin has an authorization vulnerability that allows authenticated us
1948 | CVE-2025-0660 | 0.15% | 35.6th | 4.8 | | Concrete CMS versions 9.0.0 through 9.3.9 contain a stored cross-site scripting (XSS) vulnerability
1949 | CVE-2025-30694 | 0.15% | 35.6th | 5.4 | | This vulnerability in Oracle Database's XML Database component allows authenticated attackers with n
1950 | CVE-2025-32073 | 0.15% | 35.7th | 5.4 | | This CVE describes an improper input validation vulnerability in MediaWiki's HTML Tags extension tha

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
