Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Rank  CVE ID           EPSS   Percentile  CVSS  Summary
2451  CVE-2025-2132    0.13%  32          4.7   This critical SQL injection vulnerability in ftcms 2.1 allows remote attackers to execute arbitrary
2452  CVE-2025-2112    0.13%  32          6.3   This is a critical SQL injection vulnerability in the user-xiangpeng yaoqishan software that allows
2453  CVE-2024-53692   0.13%  32.1        4.7   A command injection vulnerability in QNAP operating systems allows remote attackers with administrat
2454  CVE-2025-1958    0.13%  32          6.3   This critical SQL injection vulnerability in aaluoxiang oa_system 1.0 allows remote attackers to exe
2455  CVE-2025-1843    0.13%  32          6.3   This critical SQL injection vulnerability in Mini-Tmall allows remote attackers to execute arbitrary
2456  CVE-2025-1831    0.13%  32          6.3   This critical SQL injection vulnerability in zj1983 zz software allows remote attackers to execute a
2457  CVE-2025-1821    0.13%  32          6.3   This CVE describes a critical SQL injection vulnerability in the zj1983 zz software that allows atta
2458  CVE-2025-1820    0.13%  32          6.3   This critical SQL injection vulnerability in zj1983 zz software allows remote attackers to execute a
2459  CVE-2024-41753   0.13%  32          6.1   This cross-site scripting vulnerability in IBM Cloud Pak for Business Automation allows unauthentica
2460  CVE-2024-37656   0.13%  32          6.1   An open redirect vulnerability in gnuboard5 v5.5.16 allows attackers to redirect users to malicious
2461  CVE-2025-15391   0.13%  32          6.3   This CVE describes a remote command injection vulnerability in D-Link DIR-806A routers via the SSDP
2462  CVE-2025-15357   0.13%  32          6.3   This CVE describes a command injection vulnerability in D-Link DI-7400G+ routers that allows remote
2463  CVE-2025-67642   0.13%  32.1        4.3   The Jenkins HashiCorp Vault Plugin vulnerability allows attackers with Item/Configure permission to
2464  CVE-2025-0754    0.13%  31.9        4.3   This vulnerability in OpenShift Service Mesh allows attackers to inject malicious payloads into HTTP
2465  CVE-2024-35111   0.13%  32          4.3   IBM Control Center versions 6.2.1 and 6.3.1 expose detailed technical error messages to remote attac
2466  CVE-2025-26871   0.13%  31.9        4.3   This CVE describes a Missing Authorization vulnerability in WPDeveloper's Essential Blocks for Guten
2467  CVE-2025-3548    0.13%  31.9        5.3   This critical vulnerability in Open Asset Import Library (Assimp) allows heap-based buffer overflow
2468  CVE-2025-4735    0.13%  31.9        6.3   CVE-2025-4735 is a critical unrestricted file upload vulnerability in Campcodes Sales and Inventory
2469  CVE-2025-29156   0.13%  31.9        6.1   A cross-site scripting (XSS) vulnerability in petstore v1.0.7 allows remote attackers to inject mali
2470  CVE-2025-9273    0.13%  32          4.3   CVE-2025-9273 is an information disclosure vulnerability in CData API Server's MySQL connector that
2471  CVE-2025-10750   0.13%  31.9        5.3   The PowerBI Embed Reports WordPress plugin up to version 1.2.0 contains an unauthenticated informati
2472  CVE-2025-68268   0.13%  32          5.4   This vulnerability allows attackers to inject malicious scripts into the JetBrains TeamCity storage
2473  CVE-2025-68166   0.13%  32          5.4   This DOM-based cross-site scripting (XSS) vulnerability in JetBrains TeamCity allows attackers to in
2474  CVE-2025-68165   0.13%  32          5.4   JetBrains TeamCity versions before 2025.11 contain a reflected cross-site scripting (XSS) vulnerabil
2475  CVE-2026-20080   0.13%  31.9        5.3   This vulnerability in Cisco IEC6400 Wireless Backhaul Edge Compute Software allows unauthenticated r
2476  CVE-2025-24689   0.12%  31.8        5.9   The Import and export users and customers WordPress plugin versions up to 1.27.12 contains a vulnera
2477  CVE-2024-11874   0.12%  31.8        6.4   The Grid Accordion Lite WordPress plugin has a stored XSS vulnerability in all versions up to 1.5.1.
2478  CVE-2024-11899   0.12%  31.8        6.4   The Slider Pro Lite WordPress plugin has a stored cross-site scripting (XSS) vulnerability in all ve
2479  CVE-2024-41768   0.12%  31.8        6.5   This vulnerability in IBM Engineering Lifecycle Optimization - Publishing allows remote attackers to
2480  CVE-2023-47180   0.12%  31.8        6.5   CVE-2023-47180 is a missing authorization vulnerability in the Finale Lite WordPress plugin that all
2481  CVE-2023-46644   0.12%  31.8        6.5   This CVE describes a Missing Authorization vulnerability in the WP CTA PRO WordPress plugin that all
2482  CVE-2024-53310   0.12%  31.8        5.5   A buffer overflow vulnerability in Effectmatrix Total Video Converter Command Line (TVCC) version 2.
2483  CVE-2024-8101    0.12%  31.8        6.1   A stored cross-site scripting (XSS) vulnerability in aimhubio/aim version 3.23.0 allows attackers to
2484  CVE-2025-22111   0.12%  31.8        5.5   A race condition vulnerability in the Linux kernel's bridge networking subsystem allows concurrent b
2485  CVE-2025-32275   0.12%  31.8        4.3   This vulnerability allows attackers to bypass authentication in the Ays Pro Survey Maker WordPress p
2486  CVE-2025-51539   0.12%  31.7        5.3   EzGED3 3.5.0 has an unauthenticated arbitrary file read vulnerability that allows remote attackers t
2487  CVE-2025-58759   0.12%  31.7        5.1   TinyEnv versions 1.0.9-1.0.10 fail to properly strip inline comments from .env file values, causing
2488  CVE-2025-11407   0.12%  31.8        6.3   This CVE describes an OS command injection vulnerability in D-Link DI-7001 MINI routers through the
2489  CVE-2025-13318   0.12%  31.8        5.3   The Booking Calendar Contact Form WordPress plugin has a missing authorization vulnerability that al
2490  CVE-2025-12349   0.12%  31.8        5.3   The Icegram Express WordPress plugin has an authorization bypass vulnerability that allows unauthent
2491  CVE-2025-60722   0.12%  31.8        6.5   A path traversal vulnerability in OneDrive for Android allows authenticated attackers to access file
2492  CVE-2025-66910   0.12%  31.8        6.0   Turms Server versions v0.10.0-SNAPSHOT and earlier store administrator passwords in plaintext memory
2493  CVE-2025-65828   0.12%  31.8        6.5   An unauthenticated attacker within Bluetooth range can send BLE commands to Meatmeet devices, causin
2494  CVE-2025-24606   0.12%  31.6        6.4   This CVE describes a missing authorization vulnerability in the Sprout Invoices WordPress plugin tha
2495  CVE-2025-23849   0.12%  31.6        5.4   CVE-2025-23849 is a missing authorization vulnerability in the PAPERCITE WordPress plugin that allow
2496  CVE-2025-24571   0.12%  31.6        5.4   This CVE describes a missing authorization vulnerability in the WP Fast Total Search WordPress plugi
2497  CVE-2024-13176   0.12%  31.7        4.1   A timing side-channel vulnerability in ECDSA signature computations could allow an attacker to recov
2498  CVE-2025-23916   0.12%  31.6        5.4   This CVE describes a Missing Authorization vulnerability in the WP Meetup WordPress plugin that allo
2499  CVE-2025-22541   0.12%  31.6        5.4   This CVE describes a Missing Authorization vulnerability in the WP Delete Post Copies WordPress plug
2500  CVE-2025-22534   0.12%  31.6        5.4   This CVE describes a missing authorization vulnerability in the Ella van Durpe Slides & Presentation

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, which makes it well suited to prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
