Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:
- 164 CVEs with EPSS > 50%
- 156 CVEs listed in the CISA KEV catalog
- 35,468 CVEs with an EPSS score
- 0.7% average EPSS score
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|------|--------|------------|------------|------|-------|---------|
| 2151 | CVE-2025-31835 | 0.14% | 34.7th | 6.5 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the WP P |
| 2152 | CVE-2025-31829 | 0.14% | 34.7th | 6.5 | | This DOM-based cross-site scripting vulnerability in the ShopCred WordPress plugin allows attackers |
| 2153 | CVE-2025-31823 | 0.14% | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in WPoperation Elementor Addons allows attacker |
| 2154 | CVE-2025-31818 | 0.14% | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in ContentBot AI Writer WordPress plugin allows |
| 2155 | CVE-2025-31812 | 0.14% | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the BuddyPress Members Only WordPress plugin |
| 2156 | CVE-2025-31804 | 0.14% | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Follow Us Badges plugin allows |
| 2157 | CVE-2025-31797 | 0.14% | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the BoldGrid Sprout Clients WordPress plugin |
| 2158 | CVE-2025-31778 | 0.14% | 34.7th | 6.5 | | This Cross-site Scripting (XSS) vulnerability in the WordPress Donate Me plugin allows attackers to |
| 2159 | CVE-2025-31770 | 0.14% | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Content Manager Light WordPress plugin a |
| 2160 | CVE-2025-31767 | 0.14% | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Post Custom Templates Lite WordPress plu |
| 2161 | CVE-2025-31761 | 0.14% | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the DEJAN Hypotext WordPress plugin allows a |
| 2162 | CVE-2025-31759 | 0.14% | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the BooSpot Boo Recipes WordPress plugin all |
| 2163 | CVE-2025-31754 | 0.14% | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the DobsonDev Shortcodes WordPress plugin al |
| 2164 | CVE-2025-31749 | 0.14% | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the HMH Footer Builder For Elementor WordPre |
| 2165 | CVE-2025-31747 | 0.14% | 34.7th | 6.5 | | A DOM-based cross-site scripting (XSS) vulnerability in the WP Chrono WordPress plugin allows attack |
| 2166 | CVE-2025-31744 | 0.14% | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Lightweight and Responsive Youtube Embed |
| 2167 | CVE-2025-31740 | 0.14% | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the aThemeArt News, Magazine and Blog Elemen |
| 2168 | CVE-2025-31737 | 0.14% | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the dxladner Client Showcase WordPress plugi |
| 2169 | CVE-2025-31734 | 0.14% | 34.7th | 6.5 | | This DOM-based XSS vulnerability in the Simple Post Expiration WordPress plugin allows attackers to |
| 2170 | CVE-2025-31730 | 0.14% | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the DigitalCourt Marketer Addons WordPress p |
| 2171 | CVE-2025-4341 | 0.14% | 34.5th | 6.3 | | This critical vulnerability in D-Link DIR-880L routers allows remote attackers to execute arbitrary |
| 2172 | CVE-2025-51501 | 0.14% | 34.7th | 6.1 | | This reflected XSS vulnerability in Microweber CMS 2.0 allows attackers to inject malicious JavaScri |
| 2173 | CVE-2026-21880 | 0.14% | 34.5th | 5.3 | | Kanboard versions 1.2.48 and below contain an LDAP injection vulnerability in the authentication mec |
| 2174 | CVE-2025-23216 | 0.14% | 34.5th | 6.8 | | Argo CD versions before v2.13.4, v2.12.10, and v2.11.13 expose Kubernetes Secret values in error mes |
| 2175 | CVE-2025-24618 | 0.14% | 34.5th | 4.3 | | This CVE describes a missing authorization vulnerability in ElementInvader Addons for Elementor Word |
| 2176 | CVE-2024-57760 | 0.14% | 34.4th | 6.5 | | This SQL injection vulnerability in JeeWMS allows attackers to execute arbitrary SQL commands throug |
| 2177 | CVE-2024-12472 | 0.14% | 34.5th | 5.3 | | The Post Duplicator WordPress plugin allows authenticated attackers with Contributor-level access or |
| 2178 | CVE-2024-13194 | 0.14% | 34.4th | 6.3 | | This CVE describes a critical SQL injection vulnerability in Sucms 1.0's admin_members.php file. Att |
| 2179 | CVE-2024-20151 | 0.14% | 34.5th | 6.7 | | CVE-2024-20151 is an out-of-bounds write vulnerability in MediaTek modem firmware that allows local |
| 2180 | CVE-2025-25505 | 0.14% | 34.4th | 6.5 | | A buffer overflow vulnerability in Tenda AC6 routers allows attackers to execute arbitrary code or c |
| 2181 | CVE-2025-1188 | 0.14% | 34.4th | 6.3 | | A critical SQL injection vulnerability exists in Codezips Gym Management System 1.0, specifically in |
| 2182 | CVE-2020-36085 | 0.14% | 34.4th | 6.3 | | This stored XSS vulnerability in Egavilan Media Resumes Management and Job Application Website 1.0 a |
| 2183 | CVE-2025-30914 | 0.14% | 34.5th | 4.4 | | This Server-Side Request Forgery (SSRF) vulnerability in XpeedStudio's Metform WordPress plugin allo |
| 2184 | CVE-2024-55466 | 0.14% | 34.5th | 6.5 | | This CVE describes an arbitrary file upload vulnerability in ThingsBoard's Image Gallery component t |
| 2185 | CVE-2025-5897 | 0.14% | 34.5th | 4.3 | | This vulnerability in vue-cli's PWA plugin involves inefficient regular expression complexity in the |
| 2186 | CVE-2025-33096 | 0.14% | 34.4th | 6.5 | | This vulnerability in IBM Engineering Requirements Management Doors Next allows authenticated users |
| 2187 | CVE-2025-0683 | 0.14% | 34.2th | 5.9 | | The Contec Health CMS8000 Patient Monitor transmits unencrypted patient data to a hard-coded public |
| 2188 | CVE-2025-0367 | 0.14% | 34.3th | 6.5 | | A vulnerable regular expression pattern in Splunk's SA-ldapsearch add-on versions 3.1.0 and lower co |
| 2189 | CVE-2024-11863 | 0.14% | 34.2th | 5.3 | | CVE-2024-11863 is a denial-of-service vulnerability in ARM SCP-Firmware where specially crafted SCMI |
| 2190 | CVE-2024-49589 | 0.14% | 34.3th | 6.5 | | Foundry Artifacts is vulnerable to a Denial of Service attack where an attacker can fill up disk spa |
| 2191 | CVE-2025-2622 | 0.14% | 34.3th | 6.3 | | A critical deserialization vulnerability in aizuda snail-job 1.4.0 allows remote attackers to execut |
| 2192 | CVE-2025-1802 | 0.14% | 34.2th | 6.4 | | This stored XSS vulnerability in the HT Mega WordPress plugin allows authenticated attackers with Co |
| 2193 | CVE-2025-2289 | 0.14% | 34.2th | 4.3 | | The Zegen Church WordPress theme has missing capability checks on AJAX endpoints, allowing authentic |
| 2194 | CVE-2024-42200 | 0.14% | 34.2th | 5.4 | | HCL BigFix Web Reports has a stored cross-site scripting vulnerability that allows attackers to inje |
| 2195 | CVE-2025-32427 | 0.14% | 34.2th | 5.4 | | This CVE describes a cross-site scripting (XSS) vulnerability in the Formie plugin for Craft CMS. Wh |
| 2196 | CVE-2025-3087 | 0.14% | 34.3th | 5.4 | | CVE-2025-3087 is a stored cross-site scripting (XSS) vulnerability in M-Files Web versions 25.1.1444 |
| 2197 | CVE-2024-12718 | 0.14% | 34.3th | 5.3 | | This CVE describes a path traversal vulnerability in Python's tarfile module when using extraction f |
| 2198 | CVE-2025-11564 | 0.14% | 34.2th | 5.3 | | This vulnerability in Tutor LMS WordPress plugin allows unauthenticated attackers to bypass payment |
| 2199 | CVE-2025-11442 | 0.14% | 34.3th | 4.3 | | This CVE describes a cross-site request forgery (CSRF) vulnerability in JhumanJ OpnForm API endpoint |
| 2200 | CVE-2025-34288 | 0.14% | 34.3th | 6.7 | | This CVE describes a local privilege escalation vulnerability in Nagios XI where a maintenance scrip |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited for deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
