Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV listed: 156
CVEs with EPSS: 35,468
Average EPSS score: 0.7%
Rank | CVE ID | EPSS Score | Percentile | CVSS | Summary (truncated)
2001 | CVE-2025-1168 | 0.15% | 35.3 | 6.3 | CVE-2025-1168 is a critical SQL injection vulnerability in SourceCodester Contact Manager with Expor
2002 | CVE-2025-20183 | 0.15% | 35.1 | 5.8 | This vulnerability allows unauthenticated remote attackers to bypass the antivirus scanner on Cisco
2003 | CVE-2025-0973 | 0.15% | 35.2 | 5.4 | This critical vulnerability in CmsEasy 7.7.7.9 allows remote attackers to perform path traversal att
2004 | CVE-2024-12336 | 0.15% | 35.2 | 6.5 | This vulnerability in the WC Affiliate WordPress plugin allows authenticated attackers with Subscrib
2005 | CVE-2025-1672 | 0.15% | 35.2 | 5.5 | The Notibar WordPress plugin has a stored cross-site scripting vulnerability that allows authenticat
2006 | CVE-2025-12849 | 0.15% | 35.3 | 5.3 | The Contest Gallery WordPress plugin has an authorization bypass vulnerability that allows unauthent
2007 | CVE-2025-12777 | 0.15% | 35.3 | 5.3 | The YITH WooCommerce Wishlist plugin for WordPress has an authorization bypass vulnerability that al
2008 | CVE-2025-13369 | 0.15% | 35.1 | 6.1 | The Premmerce WooCommerce Customers Manager plugin for WordPress is vulnerable to reflected cross-si
2009 | CVE-2025-21514 | 0.15% | 35 | 5.3 | This vulnerability in Oracle JD Edwards EnterpriseOne Tools allows unauthenticated attackers with ne
2010 | CVE-2025-0399 | 0.15% | 35.1 | 4.7 | This vulnerability allows remote attackers to upload arbitrary files without restrictions in StarSea
2011 | CVE-2025-23203 | 0.15% | 35.1 | 5.5 | This vulnerability in Icinga Director allows authenticated users with API access to bypass object-le
2012 | CVE-2022-43851 | 0.15% | 35.1 | 5.9 | IBM Aspera Console versions 3.4.0 through 3.4.4 use weak cryptographic algorithms that could allow a
2013 | CVE-2025-56450 | 0.15% | 35 | 6.5 | Log2Space Subscriber Management Software 1.1 contains an unauthenticated SQL injection vulnerability
2014 | CVE-2025-11814 | 0.15% | 35.1 | 6.4 | This stored XSS vulnerability in the Ultimate Addons for WPBakery WordPress plugin allows unauthenti
2015 | CVE-2025-0848 | 0.15% | 34.9 | 6.5 | A critical stack-based buffer overflow vulnerability in Tenda A18 routers allows remote attackers to
2016 | CVE-2023-46203 | 0.15% | 35 | 4.3 | This CVE describes a Missing Authorization vulnerability in the Just Custom Fields WordPress plugin
2017 | CVE-2023-45002 | 0.15% | 35 | 4.3 | This CVE describes a missing authorization vulnerability in the weDevs WP User Frontend WordPress pl
2018 | CVE-2024-6583 | 0.15% | 34.9 | 4.3 | A path traversal vulnerability in stangirard/quivr allows attackers to upload files to arbitrary S3
2019 | CVE-2025-21092 | 0.15% | 34.8 | 6.5 | GMOD Apollo lacks proper access controls when updating user information, allowing attackers to escal
2020 | CVE-2025-43857 | 0.15% | 35 | 6.5 | This vulnerability in Ruby's Net::IMAP library allows a malicious or compromised IMAP server to caus
2021 | CVE-2025-5016 | 0.15% | 34.9 | 4.7 | The Relevanssi WordPress plugin has a stored XSS vulnerability in excerpt highlighting functionality
2022 | CVE-2025-4143 | 0.15% | 34.9 | 6.1 | This CVE describes an OAuth redirect URI validation vulnerability in the workers-oauth-provider libr
2023 | CVE-2025-2939 | 0.15% | 34.9 | 5.6 | The Ninja Tables WordPress plugin is vulnerable to PHP object injection via deserialization of untru
2024 | CVE-2025-65502 | 0.15% | 34.9 | 4.3 | A null pointer dereference vulnerability in Cesanta Mongoose's add_ca_certs() function allows remote
2025 | CVE-2025-66169 | 0.15% | 34.8 | 5.3 | This CVE describes a Cypher Injection vulnerability in Apache Camel's camel-neo4j component, allowin
2026 | CVE-2024-55226 | 0.14% | 34.7 | 5.4 | Vaultwarden v1.32.5 contains an authenticated reflected cross-site scripting (XSS) vulnerability in
2027 | CVE-2024-37417 | 0.14% | 34.7 | 4.3 | This CSRF vulnerability in the Coachify WordPress theme allows attackers to trick authenticated admi
2028 | CVE-2024-8685 | 0.14% | 34.8 | 4.3 | This path traversal vulnerability in Revolution Pi allows authenticated attackers to list directorie
2029 | CVE-2024-54564 | 0.14% | 34.7 | 6.5 | This vulnerability allows files received via AirDrop to bypass macOS/iOS quarantine flagging, which
2030 | CVE-2025-2205 | 0.14% | 34.8 | 4.4 | This stored XSS vulnerability in the GDPR Cookie Compliance WordPress plugin allows authenticated ad
2031 | CVE-2025-2089 | 0.14% | 34.8 | 5.4 | This vulnerability in StarSea99 starsea-mall allows attackers to bypass access controls and modify u
2032 | CVE-2025-1534 | 0.14% | 34.8 | 5.4 | This CVE describes a cross-site scripting (XSS) vulnerability in Payara Server, allowing attackers t
2033 | CVE-2024-45516 | 0.14% | 34.8 | 6.1 | A Cross-Site Scripting (XSS) vulnerability in Zimbra Collaboration's Classic UI allows attackers to
2034 | CVE-2023-45584 | 0.14% | 34.8 | 6.6 | A double free vulnerability in multiple Fortinet products allows privileged attackers to execute arb
2035 | CVE-2025-60834 | 0.14% | 34.8 | 6.5 | A deserialization vulnerability in uzy-ssm-mall v1.1.0 allows attackers to execute arbitrary code by
2036 | CVE-2024-58336 | 0.14% | 34.8 | 5.3 | Akuvox Smart Intercom S539 devices contain an unauthenticated vulnerability that allows remote attac
2037 | CVE-2025-22980 | 0.14% | 34.7 | 6.7 | A SQL injection vulnerability in SLiMS 9 Bulian 9.6.1 allows attackers to execute arbitrary SQL comm
2038 | CVE-2025-0580 | 0.14% | 34.6 | 5.6 | This CVE describes an authorization bypass vulnerability in Shiprocket Module 3 for OpenCart. Attack
2039 | CVE-2025-0545 | 0.14% | 34.5 | 4.7 | This Cross-Site Scripting (XSS) vulnerability in Tekrom Technology T-Soft E-Commerce allows attacker
2040 | CVE-2025-1084 | 0.14% | 34.6 | 4.3 | This vulnerability allows attackers to perform Cross-Site Request Forgery (CSRF) attacks against Min
2041 | CVE-2025-31624 | 0.14% | 34.7 | 6.5 | This DOM-based Cross-Site Scripting (XSS) vulnerability in the LABCAT Processing Projects WordPress
2042 | CVE-2025-31621 | 0.14% | 34.7 | 6.5 | This stored cross-site scripting (XSS) vulnerability in the byBrick Accordion WordPress plugin allow
2043 | CVE-2025-31614 | 0.14% | 34.7 | 6.5 | This stored cross-site scripting (XSS) vulnerability in the WordPress Terms Before Download plugin a
2044 | CVE-2025-31608 | 0.14% | 34.7 | 6.5 | This stored cross-site scripting (XSS) vulnerability in the CookieHint WP WordPress plugin allows at
2045 | CVE-2025-31604 | 0.14% | 34.7 | 6.5 | This vulnerability allows attackers to inject malicious scripts into Cal.com web pages, which execut
2046 | CVE-2025-31597 | 0.14% | 34.7 | 6.5 | This stored cross-site scripting (XSS) vulnerability in the Ultimate Live Cricket WordPress Lite plu
2047 | CVE-2025-31595 | 0.14% | 34.7 | 6.5 | This stored cross-site scripting (XSS) vulnerability in the WordPress Timeline Event History plugin
2048 | CVE-2025-31592 | 0.14% | 34.7 | 6.5 | This stored cross-site scripting (XSS) vulnerability in the WordPress Send E-mail plugin allows atta
2049 | CVE-2025-31590 | 0.14% | 34.7 | 6.5 | This stored cross-site scripting (XSS) vulnerability in the WP Date and Time Shortcode WordPress plu
2050 | CVE-2025-31586 | 0.14% | 34.7 | 6.5 | This stored cross-site scripting (XSS) vulnerability in the GhozyLab Gallery – Photo Albums WordPr

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
