Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days. The Percentile column is the share of all scored CVEs whose EPSS score is at or below this CVE's score, and CVSS is the base severity score, which EPSS does not replace.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 2801 | CVE-2025-60216 | | 18.9th | 9.8 | | This CVE describes a PHP object injection vulnerability in the BoldThemes Addison WordPress theme. A |
| 2802 | CVE-2025-60214 | | 18.9th | 9.8 | | This vulnerability allows attackers to execute arbitrary code by exploiting insecure deserialization |
| 2803 | CVE-2025-60213 | | 18.9th | 9.8 | | This vulnerability allows attackers to inject malicious objects through deserialization of untrusted |
| 2804 | CVE-2025-60209 | | 18.9th | 9.8 | | This vulnerability allows attackers to inject malicious objects through deserialization of untrusted |
| 2805 | CVE-2025-60039 | | 18.9th | 9.8 | | This vulnerability allows remote attackers to execute arbitrary code through PHP object injection vi |
| 2806 | CVE-2025-49655 | | 18.9th | 9.8 | | This vulnerability allows arbitrary code execution when deserializing malicious Keras files containi |
| 2807 | CVE-2025-10586 | | 18.8th | 9.8 | | This SQL injection vulnerability in the WordPress Community Events plugin allows authenticated attac |
| 2808 | CVE-2025-10587 | | 18.8th | 9.8 | | This SQL injection vulnerability in the WordPress Community Events plugin allows authenticated attac |
| 2809 | CVE-2025-60245 | | 18.9th | 9.8 | | This vulnerability allows attackers to inject malicious objects through deserialization of untrusted |
| 2810 | CVE-2025-58998 | | 18.9th | 9.8 | | This CVE describes a PHP object injection vulnerability in the s2Member WordPress plugin that allows |
| 2811 | CVE-2025-58636 | | 18.9th | 9.8 | | This vulnerability allows attackers to execute arbitrary code on WordPress sites using the WP Gravit |
| 2812 | CVE-2025-53586 | | 18.9th | 9.8 | | This vulnerability allows remote attackers to execute arbitrary code through PHP object injection vi |
| 2813 | CVE-2025-53242 | | 18.9th | 9.8 | | This vulnerability allows remote attackers to execute arbitrary code through deserialization of untr |
| 2814 | CVE-2025-49393 | | 18.9th | 9.8 | | This vulnerability allows attackers to inject malicious objects through deserialization of untrusted |
| 2815 | CVE-2025-49386 | | 18.9th | 9.8 | | CVE-2025-49386 is a PHP object injection vulnerability in the WordPress Preserve Code Formatting plu |
| 2816 | CVE-2025-48086 | | 18.9th | 9.8 | | This vulnerability allows attackers to inject malicious objects through deserialization of untrusted |
| 2817 | CVE-2025-68897 | | 19th | 9.9 | | This vulnerability allows remote code execution through improper input validation in the IF AS Short |
| 2818 | CVE-2025-57460 | | 19.1th | 9.8 | | A file upload vulnerability in MachSol MachPanel 8.0.32 allows attackers to upload malicious files a |
| 2819 | CVE-2025-64231 | | 19.1th | 9.8 | | This vulnerability allows attackers to upload malicious files to WordPress sites using the Contact F |
| 2820 | CVE-2025-65834 | | 19.1th | 9.8 | | CVE-2025-65834 is a critical buffer overflow vulnerability in Shotcut video editor that allows remot |
| 2821 | CVE-2025-65820 | | 19.1th | 9.8 | | The Meatmeet Android mobile app version 1.1.2.0 contains an exported activity that can be triggered |
| 2822 | CVE-2025-41744 | | 19th | 9.1 | | Sprecher Automations SPRECON-E series uses default cryptographic keys that allow unprivileged remote |
| 2823 | CVE-2026-25753 | | 18.9th | 9.8 | | PlaciPy placement management system version 1.0.0 uses a hard-coded default password for all newly c |
| 2824 | CVE-2026-0892 | | 19th | 9.8 | | This CVE describes memory safety bugs in Firefox and Thunderbird that could lead to memory corruptio |
| 2825 | CVE-2025-62877 | | 19.1th | 9.8 | | CVE-2025-62877 exposes the default SSH login password in SUSE Harvester virtualization environments |
| 2826 | CVE-2025-67924 | | 19.1th | 9.8 | | This vulnerability allows attackers to upload arbitrary files, including web shells, to WordPress se |
| 2827 | CVE-2025-67910 | | 19.1th | 9.8 | | This vulnerability allows attackers to upload arbitrary files, including web shells, to WordPress se |
| 2828 | CVE-2025-53260 | | 18.7th | 9.1 | | This vulnerability allows attackers to upload arbitrary files, including web shells, to WordPress si |
| 2829 | CVE-2025-6512 | | 18.6th | 10.0 | | This vulnerability allows non-admin users to embed scripts in reports that execute with administrato |
| 2830 | CVE-2025-25022 | | 18.6th | 9.6 | | This vulnerability allows unauthenticated users to access sensitive configuration files in IBM QRada |
| 2831 | CVE-2025-49302 | | 18.6th | 10.0 | | CVE-2025-49302 is a critical code injection vulnerability in the Easy Stripe WordPress plugin that a |
| 2832 | CVE-2025-28951 | | 18.7th | 9.1 | | This vulnerability allows attackers to upload arbitrary files, including web shells, to WordPress se |
| 2833 | CVE-2025-51535 | | 18.5th | 9.1 | | OpenAtlas v8.11.0 contains an unrestricted SQL console in the admin UI that allows authenticated adm |
| 2834 | CVE-2025-8570 | | 18.7th | 9.8 | | The BeyondCart Connector WordPress plugin has a critical privilege escalation vulnerability in versi |
| 2835 | CVE-2025-52161 | | 18.7th | 9.8 | | This cross-site scripting (XSS) vulnerability in Scholl Communications AG Weblication CMS Core allow |
| 2836 | CVE-2025-61140 | | 18.8th | 9.8 | | CVE-2025-61140 is a prototype pollution vulnerability in jsonpath 1.1.1 that allows attackers to mod |
| 2837 | CVE-2025-32222 | | 18.8th | 9.8 | | This CVE describes a critical code injection vulnerability in the Widget Logic WordPress plugin that |
| 2838 | CVE-2025-13607 | | 18.6th | 9.4 | | This vulnerability allows unauthenticated attackers to access camera configuration information, incl |
| 2839 | CVE-2026-24054 | | 18.5th | 10.0 | | A vulnerability in Kata Containers allows malformed container images with no layers to cause the hos |
| 2840 | CVE-2025-48865 | | 18.2th | 9.1 | | CVE-2025-48865 is a vulnerability in Fabio HTTP/TCP router where clients can remove or manipulate X- |
| 2841 | CVE-2025-39395 | | 18.3th | 9.3 | | This SQL injection vulnerability in the WPAMS WordPress plugin allows attackers to execute arbitrary |
| 2842 | CVE-2025-39389 | | 18.3th | 9.3 | | This SQL injection vulnerability in the AnalyticsWP WordPress plugin allows attackers to execute arb |
| 2843 | CVE-2025-39445 | | 18.3th | 9.3 | | This SQL injection vulnerability in the Super Store Finder WordPress plugin allows attackers to exec |
| 2844 | CVE-2025-32643 | | 18.3th | 9.3 | | This SQL injection vulnerability in the WPGYM WordPress plugin allows attackers to execute arbitrary |
| 2845 | CVE-2025-47657 | | 18.3th | 9.3 | | This SQL injection vulnerability in Productive Minds Productive Commerce allows attackers to execute |
| 2846 | CVE-2025-4383 | | 18.4th | 9.3 | | This vulnerability allows attackers to bypass authentication or perform credential brute-forcing on |
| 2847 | CVE-2025-42989 | | 18.2th | 9.6 | | CVE-2025-42989 is a privilege escalation vulnerability in SAP systems where authenticated users can |
| 2848 | CVE-2025-46811 | | 18.4th | 9.8 | | CVE-2025-46811 is a critical Missing Authorization vulnerability in SUSE Linux Manager that allows a |
| 2849 | CVE-2025-51543 | | 18.4th | 9.8 | | CVE-2025-51543 is an authentication bypass vulnerability in Cicool builder that allows unauthenticat |
| 2850 | CVE-2025-55293 | | 18.4th | 9.4 | | This vulnerability allows an attacker to impersonate legitimate nodes in a Meshtastic mesh network b |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures the severity of a vulnerability, EPSS measures the likelihood that it is actually exploited, which makes it a useful first-pass signal for deciding which vulnerabilities to patch first. The two scores answer different questions, so they are best used together: EPSS to decide what is likely to be attacked, CVSS to decide how bad it is if the attack succeeds.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with a 0.1% EPSS may be less urgent than a high CVSS 7.5 with a 90% EPSS. EPSS is a daily-updated prediction, not a record of confirmed exploitation, so a low score today is not a guarantee of safety and should be re-checked as scores change.
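As an added example (not code from this page or from FIRST.org), the following Python script implements the prioritization rule described above: rank by EPSS probability first, and fall back to CVSS severity only for CVEs with no exploitation signal. The input records are constructed sample data in the shape of FIRST's public EPSS API response (`https://api.first.org/data/v1/epss`, which returns `epss` and `percentile` as decimal strings); the CVE IDs, scores and the CVSS lookup table are invented for illustration, and the tier thresholds are an assumed policy, not part of EPSS itself.

```python
"""Rank CVEs by EPSS probability first, CVSS severity second.

Added example; not code from the page or from FIRST.org. Sample data below is
constructed and uses placeholder CVE IDs, not real scores.
"""
import json
import urllib.request
from typing import Iterable

EPSS_API = "https://api.first.org/data/v1/epss"  # FIRST's public EPSS endpoint

# Constructed sample in the shape of the API's "data" entries. IDs and values are
# invented to show the CVSS-vs-EPSS tradeoff from the text (9.8/0.1% vs 7.5/90%).
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-0000-0001", "epss": "0.001000", "percentile": "0.189000", "date": "2026-01-01"},
        {"cve": "CVE-0000-0002", "epss": "0.900000", "percentile": "0.995000", "date": "2026-01-01"},
        {"cve": "CVE-0000-0003", "epss": "0.045000", "percentile": "0.910000", "date": "2026-01-01"},
        {"cve": "CVE-0000-0004", "epss": "0.000500", "percentile": "0.120000", "date": "2026-01-01"},
    ],
})

# Hypothetical CVSS base scores for the same IDs (in practice from NVD or your scanner).
SAMPLE_CVSS = {"CVE-0000-0001": 9.8, "CVE-0000-0002": 7.5, "CVE-0000-0003": 9.8, "CVE-0000-0004": 5.3}


def parse_epss(body: str) -> dict[str, tuple[float, float]]:
    """Map CVE id -> (epss probability, percentile) from an EPSS API JSON body."""
    doc = json.loads(body)
    if doc.get("status") != "OK":
        raise ValueError(f"EPSS API returned status {doc.get('status')!r}")
    return {row["cve"]: (float(row["epss"]), float(row["percentile"])) for row in doc["data"]}


def fetch_epss(cves: Iterable[str], timeout: float = 10.0) -> dict[str, tuple[float, float]]:
    """Query FIRST's EPSS API for a batch of CVE ids. Network call; the demo below stays offline."""
    url = f"{EPSS_API}?cve={','.join(cves)}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_epss(resp.read().decode("utf-8"))


def tier_of(epss_prob: float, cvss_score: float, epss_floor: float = 0.10, cvss_floor: float = 7.0) -> int:
    """Assumed policy: tier 1 = likely exploited soon (EPSS >= floor) regardless of CVSS;
    tier 2 = severe but no exploitation signal yet; tier 3 = everything else."""
    if epss_prob >= epss_floor:
        return 1
    if cvss_score >= cvss_floor:
        return 2
    return 3


def prioritize(epss: dict[str, tuple[float, float]], cvss: dict[str, float],
               epss_floor: float = 0.10, cvss_floor: float = 7.0) -> list[dict]:
    """Return rows sorted by tier, then EPSS descending, then CVSS descending."""
    rows = []
    for cve, (prob, pct) in epss.items():
        score = cvss.get(cve, 0.0)  # unknown CVSS is treated as 0, i.e. never promoted by severity alone
        rows.append({"cve": cve, "tier": tier_of(prob, score, epss_floor, cvss_floor),
                     "epss": prob, "percentile": pct, "cvss": score})
    rows.sort(key=lambda r: (r["tier"], -r["epss"], -r["cvss"]))
    return rows


def percentile_label(pct: float) -> str:
    """Format an API percentile (0.189) the way the table above prints it ('18.9th')."""
    return f"{round(pct * 100, 1):g}th"


if __name__ == "__main__":
    ranked = prioritize(parse_epss(SAMPLE_EPSS_RESPONSE), SAMPLE_CVSS)
    for r in ranked:
        print(f"tier {r['tier']}  {r['cve']}  EPSS {r['epss']:.1%}  "
              f"pct {percentile_label(r['percentile'])}  CVSS {r['cvss']}")
```

Run as-is, the demo orders the CVSS 7.5 / EPSS 90% entry first and pushes the CVSS 9.8 / EPSS 0.1% entry behind it, which is the tradeoff the text describes. To score a real backlog, replace the constructed response with `fetch_epss(ids)` (the API accepts a comma-separated `cve` list) and re-run daily, since EPSS scores change.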