Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 2651 | CVE-2025-47979 | | 30.7th | 5.5 | | This vulnerability allows sensitive information to be written to log files in Windows Failover Clust |
| 2652 | CVE-2026-2061 | | 30.7th | 4.7 | | This CVE describes an OS command injection vulnerability in D-Link DIR-823X routers. Attackers can r |
| 2653 | CVE-2026-23886 | | 30.6th | 5.3 | | A denial-of-service vulnerability in Swift W3C TraceContext and Swift OTel allows remote attackers t |
| 2654 | CVE-2025-23084 | | 30.4th | 5.5 | | This Node.js vulnerability on Windows incorrectly handles drive names in path.join(), treating relat |
| 2655 | CVE-2025-24662 | | 30.5th | 5.3 | | This CVE describes a missing authorization vulnerability in LearnDash LMS WordPress plugin that allo |
| 2656 | CVE-2025-24705 | | 30.5th | 5.3 | | This vulnerability allows unauthorized users to access sensitive data in WooCommerce Quick View plug |
| 2657 | CVE-2024-13302 | | 30.5th | 5.3 | | This CVE describes an incorrect authorization vulnerability in Drupal's Pages Restriction Access mod |
| 2658 | CVE-2024-13266 | | 30.5th | 5.3 | | This CVE describes an incorrect authorization vulnerability in Drupal's Responsive and off-canvas me |
| 2659 | CVE-2025-1249 | | 30.5th | 5.3 | | This CVE describes a missing authorization vulnerability in the Pixelite Events Manager WordPress pl |
| 2660 | CVE-2024-57782 | | 30.5th | 6.8 | | A denial-of-service vulnerability in Docker-proxy v18.09.0 allows attackers to crash or degrade the |
| 2661 | CVE-2024-13775 | | 30.6th | 5.4 | | The WooCommerce Support Ticket System plugin for WordPress has missing capability checks on three AJ |
| 2662 | CVE-2024-12825 | | 30.6th | 5.4 | | The Custom Related Posts WordPress plugin has a missing capability check vulnerability that allows a |
| 2663 | CVE-2025-0863 | | 30.5th | 6.4 | | This vulnerability allows authenticated WordPress users with contributor-level access or higher to i |
| 2664 | CVE-2024-12809 | | 30.5th | 6.4 | | The Wishlist plugin for WordPress versions up to 1.0.43 contains a stored cross-site scripting (XSS) |
| 2665 | CVE-2025-27370 | | 30.6th | 6.9 | | This OpenID Connect vulnerability allows malicious Authorization Servers to inject attacker-controll |
| 2666 | CVE-2025-32949 | | 30.6th | 6.5 | | This vulnerability allows any authenticated user to upload a Zip Bomb archive that causes disk space |
| 2667 | CVE-2024-13909 | | 30.6th | 4.9 | | This vulnerability allows authenticated WordPress administrators to perform time-based SQL injection |
| 2668 | CVE-2025-12922 | | 30.6th | 6.3 | | This vulnerability allows remote attackers to perform path traversal attacks via the xml_file parame |
| 2669 | CVE-2025-68618 | | 30.5th | 5.3 | | ImageMagick versions before 7.1.2-12 contain a denial-of-service vulnerability when processing malic |
| 2670 | CVE-2025-12398 | | 30.6th | 6.1 | | The Product Table for WooCommerce WordPress plugin contains a reflected cross-site scripting (XSS) v |
| 2671 | CVE-2025-11496 | | 30.6th | 6.1 | | This stored XSS vulnerability in the Five Star Restaurant Reservations WordPress plugin allows unaut |
| 2672 | CVE-2025-14154 | | 30.6th | 6.1 | | This stored XSS vulnerability in the Better Messages WordPress plugin allows unauthenticated attacke |
| 2673 | CVE-2025-12076 | | 30.6th | 6.1 | | The Social Media Auto Publish WordPress plugin contains a reflected cross-site scripting vulnerabili |
| 2674 | CVE-2025-12834 | | 30.6th | 6.1 | | This vulnerability allows unauthenticated attackers to inject malicious scripts via the 'failure_mes |
| 2675 | CVE-2025-14875 | | 30.6th | 6.1 | | The HBLPAY Payment Gateway for WooCommerce WordPress plugin contains a reflected cross-site scriptin |
| 2676 | CVE-2024-51670 | | 30.5th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the JS Help Desk WordPress plugin allows att |
| 2677 | CVE-2024-54523 | | 30.4th | 6.3 | | This vulnerability allows an app to corrupt coprocessor memory due to insufficient bounds checks. It |
| 2678 | CVE-2025-24600 | | 30.4th | 5.3 | | CVE-2025-24600 is a missing authorization vulnerability in the RSVPMaker WordPress plugin that allow |
| 2679 | CVE-2025-0540 | | 30.3th | 6.3 | | This vulnerability allows remote attackers to execute SQL injection attacks via the 'expcat' paramet |
| 2680 | CVE-2025-0536 | | 30.3th | 6.3 | | A critical SQL injection vulnerability in 1000 Projects Attendance Tracking Management System 1.0 al |
| 2681 | CVE-2024-54540 | | 30.4th | 4.3 | | This CVE describes an input sanitization vulnerability in Apple Music for Windows that could allow i |
| 2682 | CVE-2025-22560 | | 30.4th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Saoshyant Page Builder WordPress plu |
| 2683 | CVE-2025-0296 | | 30.3th | 6.3 | | CVE-2025-0296 is a critical SQL injection vulnerability in code-projects Online Book Shop 1.0 that a |
| 2684 | CVE-2025-26965 | | 30.4th | 5.3 | | This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in the Amelia WordPress |
| 2685 | CVE-2024-13500 | | 30.4th | 6.5 | | This vulnerability allows authenticated attackers with Subscriber-level access or higher to perform |
| 2686 | CVE-2024-12379 | | 30.4th | 6.5 | | This vulnerability allows attackers to cause denial of service in GitLab by creating unbounded symbo |
| 2687 | CVE-2025-1172 | | 30.3th | 6.3 | | This critical SQL injection vulnerability in 1000 Projects Bookstore Management System 1.0 allows at |
| 2688 | CVE-2022-26388 | | 30.3th | 6.4 | | This CVE describes a hard-coded password vulnerability in multiple Hillrom ELI electrocardiograph de |
| 2689 | CVE-2025-0943 | | 30.3th | 6.3 | | CVE-2025-0943 is a critical SQL injection vulnerability in Tailoring Management System 1.0 that allo |
| 2690 | CVE-2025-2628 | | 30.3th | 6.3 | | This critical vulnerability in PHPGurukul Art Gallery Management System 1.1 allows remote attackers |
| 2691 | CVE-2025-1311 | | 30.4th | 6.5 | | This SQL injection vulnerability in the WooCommerce Multivendor Marketplace REST API plugin allows a |
| 2692 | CVE-2025-2602 | | 30.3th | 6.3 | | This critical SQL injection vulnerability in SourceCodester Kortex Lite Advocate Office Management S |
| 2693 | CVE-2025-30334 | | 30.3th | 6.5 | | A vulnerability in OpenBSD's wg(4) WireGuard implementation allows specially crafted network traffic |
| 2694 | CVE-2025-2471 | | 30.3th | 6.3 | | This is a critical SQL injection vulnerability in PHPGurukul Boat Booking System 1.0 that allows rem |
| 2695 | CVE-2025-2373 | | 30.3th | 6.3 | | This critical SQL injection vulnerability in PHPGurukul Human Metapneumovirus Testing Management Sys |
| 2696 | CVE-2025-2051 | | 30.3th | 6.3 | | This critical SQL injection vulnerability in PHPGurukul Apartment Visitors Management System 1.0 all |
| 2697 | CVE-2025-2037 | | 30.3th | 6.3 | | This critical SQL injection vulnerability in Blood Bank Management System 1.0 allows remote attacker |
| 2698 | CVE-2025-2033 | | 30.3th | 6.3 | | A critical SQL injection vulnerability exists in code-projects Blood Bank Management System 1.0, spe |
| 2699 | CVE-2025-1855 | | 30.3th | 6.3 | | This critical SQL injection vulnerability in PHPGurukul Online Shopping Portal 2.1 allows remote att |
| 2700 | CVE-2025-3984 | | 30.4th | 5.0 | | This critical vulnerability in Apereo CAS 5.2.6 allows remote attackers to execute arbitrary code th |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. CVSS measures severity (how bad exploitation would be); EPSS measures likelihood (how probable exploitation is), which makes it a useful input for deciding which vulnerabilities to patch first. The Percentile column places each CVE relative to every other scored CVE: a CVE at roughly the 30.5th percentile has a higher EPSS score than about 30% of all scored CVEs. EPSS scores are recalculated daily, so a ranking like the one above is a snapshot and should be refreshed before it is used for triage.
Why EPSS matters: with thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS. EPSS says nothing about whether the vulnerable component is present, reachable or business-critical in your environment, so it belongs alongside asset inventory and exposure data, not in place of them.
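The following is an added example, not code from this page or from FIRST.org, showing EPSS-first triage in working form: it parses a response in the shape the EPSS API (https://api.first.org/data/v1/epss) returns (a `data` list of records with string-valued `epss` and `percentile` fields), joins it to CVSS scores, orders the findings the way the table above is ordered, and contrasts that with a CVSS-only order. The CVE IDs, EPSS values, percentiles and CVSS scores in the sample are constructed, and the triage thresholds are assumptions for illustration, not a published standard.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample in the shape of an EPSS API response
# (https://api.first.org/data/v1/epss?cve=...). The CVE IDs, scores,
# percentiles and date are made up for this example.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-2025-0001", "epss": "0.00100", "percentile": "0.30700", "date": "2025-01-01"},
        {"cve": "CVE-2025-0002", "epss": "0.90000", "percentile": "0.99500", "date": "2025-01-01"},
        {"cve": "CVE-2025-0003", "epss": "0.25000", "percentile": "0.96000", "date": "2025-01-01"},
        {"cve": "CVE-2025-0004", "epss": "0.02000", "percentile": "0.78000", "date": "2025-01-01"},
        {"cve": "CVE-2025-0005", "epss": "0.45000", "percentile": "0.98500", "date": "2025-01-01"},
    ],
})

# Constructed CVSS base scores for the same CVEs (also made up).
SAMPLE_CVSS = {
    "CVE-2025-0001": 9.8,
    "CVE-2025-0002": 7.5,
    "CVE-2025-0003": 5.3,
    "CVE-2025-0004": 6.1,
    "CVE-2025-0005": 8.8,
}


@dataclass(frozen=True)
class Finding:
    cve: str
    epss: float        # probability of exploitation in the next 30 days, 0..1
    percentile: float  # standing relative to all other scored CVEs, 0..1
    cvss: float        # CVSS base score, 0..10


def parse_epss(payload: str) -> dict[str, tuple[float, float]]:
    """Parse an EPSS API JSON body into {cve: (epss, percentile)}.

    The API returns the numeric fields as strings, so they are converted
    here; a non-OK status or an out-of-range value raises instead of
    silently scoring the CVE as 0."""
    body = json.loads(payload)
    if body.get("status") != "OK":
        raise ValueError(f"EPSS API status: {body.get('status')!r}")
    scores: dict[str, tuple[float, float]] = {}
    for rec in body["data"]:
        epss, pct = float(rec["epss"]), float(rec["percentile"])
        if not (0.0 <= epss <= 1.0 and 0.0 <= pct <= 1.0):
            raise ValueError(f"out-of-range EPSS record: {rec}")
        scores[rec["cve"].upper()] = (epss, pct)
    return scores


def build_findings(epss_scores: dict[str, tuple[float, float]],
                   cvss_scores: dict[str, float]) -> list[Finding]:
    """Join EPSS and CVSS by CVE ID. A CVE with no EPSS record is kept with
    EPSS 0.0 so it sorts last rather than vanishing from the report."""
    return [
        Finding(cve.upper(), *epss_scores.get(cve.upper(), (0.0, 0.0)), cvss)
        for cve, cvss in cvss_scores.items()
    ]


def rank_by_epss(findings: list[Finding]) -> list[str]:
    """Order as the table above does: highest EPSS first, CVSS breaks ties."""
    return [f.cve for f in sorted(findings, key=lambda f: (-f.epss, -f.cvss, f.cve))]


def rank_by_cvss(findings: list[Finding]) -> list[str]:
    """Severity-only order, for comparison with the EPSS order."""
    return [f.cve for f in sorted(findings, key=lambda f: (-f.cvss, -f.epss, f.cve))]


def triage(findings: list[Finding], epss_threshold: float = 0.10,
           cvss_threshold: float = 9.0) -> dict[str, str]:
    """Illustrative policy (thresholds are assumptions, not a standard):
    EPSS at or above epss_threshold is patched now regardless of CVSS;
    high-CVSS findings below that are scheduled; everything else is backlog."""
    buckets: dict[str, str] = {}
    for f in findings:
        if f.epss >= epss_threshold:
            buckets[f.cve] = "patch now"
        elif f.cvss >= cvss_threshold:
            buckets[f.cve] = "schedule"
        else:
            buckets[f.cve] = "backlog"
    return buckets


def expected_exploited(findings: list[Finding]) -> float:
    """Expected number of these CVEs exploited within 30 days: the sum of the
    per-CVE probabilities (linearity of expectation, no independence needed)."""
    return sum(f.epss for f in findings)


if __name__ == "__main__":
    found = build_findings(parse_epss(SAMPLE_EPSS_RESPONSE), SAMPLE_CVSS)
    print("EPSS order:", rank_by_epss(found))
    print("CVSS order:", rank_by_cvss(found))
    for cve, bucket in triage(found).items():
        print(f"{cve}: {bucket}")
    print(f"expected exploited in 30 days: {expected_exploited(found):.3f}")
```

With the constructed data, the CVSS-only order puts the 9.8 finding first while the EPSS order puts it last, which is the page's 9.8/0.1% versus 7.5/90% point in code; the sum of EPSS values gives a rough count of how many of a batch to expect to see exploited, which is a more honest basis for a patch-window decision than counting "criticals".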