Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:
- 164 CVEs with EPSS > 50%
- 156 CVEs listed in CISA KEV
- 35,468 CVEs with an EPSS score
- 0.7% average EPSS score
Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary
-----|--------|------------|------------|------|-------|--------
2851 | CVE-2025-50594 | 0.06% | 18.4 | 9.8 | | This vulnerability allows attackers to reset any user account password in Danphe Health Hospital Man
2852 | CVE-2025-52390 | 0.06% | 18.4 | 9.1 | | This SQL injection vulnerability in Saurus CMS Community Edition allows attackers to manipulate data
2853 | CVE-2024-13150 | 0.06% | 18.4 | 9.8 | | This SQL injection vulnerability in Fayton Software's fayton.Pro ERP allows attackers to execute arb
2854 | CVE-2025-59431 | 0.06% | 18.5 | 9.8 | | MapServer versions before 8.4.1 contain a SQL injection vulnerability in the XML Filter Query direct
2855 | CVE-2025-6519 | 0.06% | 18.4 | 9.8 | | CVE-2025-6519 allows attackers to predictably generate the password for the default 'ONEDAY' admin a
2856 | CVE-2025-12380 | 0.06% | 18.2 | 9.8 | | A use-after-free vulnerability in Firefox's WebGPU implementation allows a compromised child process
2857 | CVE-2025-56447 | 0.06% | 18.4 | 9.8 | | TM2 Monitoring v3.04 contains an authentication bypass vulnerability that allows attackers to access
2858 | CVE-2025-55086 | 0.06% | 18.3 | 9.8 | | This vulnerability in NetXDuo's DHCPv6 client allows attackers to cause out-of-bounds memory reads b
2859 | CVE-2025-10610 | 0.06% | 18.4 | 9.8 | | This SQL injection vulnerability in Winsure software allows attackers to execute arbitrary SQL comma
2860 | CVE-2025-6919 | 0.06% | 18.4 | 9.8 | | This SQL injection vulnerability in the Aykome License Tracking System allows attackers to execute a
2861 | CVE-2025-52021 | 0.06% | 18.4 | 9.8 | | This SQL injection vulnerability in PuneethReddyHC Online Shopping System Advanced 1.0 allows attack
2862 | CVE-2025-0603 | 0.06% | 18.4 | 9.8 | | This SQL injection vulnerability in Callvision Healthcare's Callvision Emergency Code software allow
2863 | CVE-2025-59743 | 0.06% | 18.4 | 9.8 | | A critical SQL injection vulnerability in AndSoft's e-TMS v25.03 allows attackers to manipulate data
2864 | CVE-2025-59742 | 0.06% | 18.4 | 9.8 | | This SQL injection vulnerability in AndSoft's e-TMS v25.03 allows attackers to execute arbitrary SQL
2865 | CVE-2025-58996 | 0.06% | 18.2 | 9.1 | | This vulnerability allows attackers to upload arbitrary files, including web shells, to WordPress se
2866 | CVE-2025-12642 | 0.06% | 18.5 | 9.1 | | CVE-2025-12642 is an HTTP header smuggling vulnerability in lighttpd 1.4.80 where trailer fields are
2867 | CVE-2025-68565 | 0.06% | 18.4 | 9.8 | | This CVE describes a Missing Authorization vulnerability in the JayBee Twitch Player WordPress plugi
2868 | CVE-2025-64188 | 0.06% | 18.4 | 9.8 | | CVE-2025-64188 is an incorrect privilege assignment vulnerability in the Soledad WordPress theme tha
2869 | CVE-2025-36753 | 0.06% | 18.4 | 9.8 | | The SWD debug interface on Growatt ShineLan-X communication dongles is enabled by default, allowing
2870 | CVE-2021-47901 | 0.06% | 18.4 | 9.8 | | Dirsearch 0.4.1 contains a CSV injection vulnerability that allows attackers to inject Excel formula
2871 | CVE-2025-56590 | 0.06% | 18.4 | 9.8 | | This vulnerability in Apryse HTML2PDF SDK allows attackers to execute arbitrary operating system com
2872 | CVE-2026-22708 | 0.06% | 18.2 | 9.8 | | This vulnerability in Cursor AI code editor allows attackers to execute shell built-ins without allo
2873 | CVE-2025-10915 | 0.06% | 18.4 | 9.8 | | The Dreamer Blog WordPress theme through version 1.2 allows attackers to install arbitrary plugins o
2874 | CVE-2025-66050 | 0.06% | 18.4 | 9.8 | | Vivotek IP7137 cameras have a critical authentication bypass vulnerability where administrator accou
2875 | CVE-2025-67913 | 0.06% | 18.4 | 9.8 | | This CVE describes a missing authorization vulnerability in the Aruba HiSpeed Cache WordPress plugin
2876 | CVE-2025-14360 | 0.06% | 18.4 | 9.8 | | CVE-2025-14360 is a missing authorization vulnerability in the Kaira Blockons WordPress plugin that
2877 | CVE-2025-14358 | 0.06% | 18.4 | 9.8 | | This CVE describes a missing authorization vulnerability in the REHub Framework WordPress plugin tha
2878 | CVE-2025-39477 | 0.06% | 18.4 | 9.8 | | This CVE describes a Missing Authorization vulnerability in the InWave Jobs WordPress plugin that al
2879 | CVE-2025-64123 | 0.06% | 18.2 | 9.8 | | This vulnerability in Nuvation Energy Multi-Stack Controller allows the device to act as an unintend
2880 | CVE-2025-69929 | 0.06% | 18.2 | 9.8 | | This vulnerability in N3uron Web User Interface v1.21.7-240207.1047 allows remote attackers to escal
2881 | CVE-2024-7102 | 0.06% | 18 | 9.6 | | This vulnerability in GitLab allows attackers to trigger CI/CD pipelines as another user under speci
2882 | CVE-2025-25106 | 0.06% | 17.8 | 9.6 | | A Cross-Site Request Forgery (CSRF) vulnerability in the FancyWP Starter Templates WordPress plugin
2883 | CVE-2025-43863 | 0.06% | 18 | 9.8 | | This vulnerability in vantage6 allows attackers with authenticated access to brute-force user passwo
2884 | CVE-2025-54451 | 0.06% | 17.8 | 9.8 | | This CVE describes a code injection vulnerability in Samsung MagicINFO 9 Server that allows attacker
2885 | CVE-2024-9408 | 0.06% | 17.8 | 9.8 | | This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Eclipse GlassFish applicati
2886 | CVE-2025-54119 | 0.06% | 18 | 10.0 | | This SQL injection vulnerability in ADOdb allows attackers to execute arbitrary SQL commands when ap
2887 | CVE-2025-62919 | 0.06% | 18 | 9.1 | | This CVE describes a Missing Authorization vulnerability in the themeshopy TS Demo Importer WordPres
2888 | CVE-2025-68038 | 0.06% | 18.1 | 9.8 | | This vulnerability allows attackers to execute arbitrary code through PHP object injection by exploi
2889 | CVE-2025-64233 | 0.06% | 18.1 | 9.8 | | This CVE describes a PHP object injection vulnerability in the BoldThemes Codiqa WordPress theme. At
2890 | CVE-2025-64227 | 0.06% | 18.1 | 9.8 | | This CVE describes a PHP object injection vulnerability in the Client Invoicing by Sprout Invoices W
2891 | CVE-2025-64206 | 0.06% | 18.1 | 9.8 | | This vulnerability allows remote attackers to execute arbitrary code through PHP object injection by
2892 | CVE-2025-60180 | 0.06% | 18.1 | 9.8 | | This vulnerability allows attackers to execute arbitrary PHP code through insecure deserialization i
2893 | CVE-2025-60178 | 0.06% | 18.1 | 9.8 | | This vulnerability allows remote attackers to execute arbitrary code on WordPress sites using the WP
2894 | CVE-2025-60174 | 0.06% | 18.1 | 9.8 | | This vulnerability allows attackers to execute arbitrary code on WordPress sites using the Gravity F
2895 | CVE-2025-60091 | 0.06% | 18.1 | 9.8 | | This vulnerability allows remote attackers to execute arbitrary code through deserialization of untr
2896 | CVE-2025-60090 | 0.06% | 18.1 | 9.8 | | This vulnerability allows remote attackers to execute arbitrary code on WordPress sites using the WP
2897 | CVE-2025-60089 | 0.06% | 18.1 | 9.8 | | This vulnerability allows remote attackers to execute arbitrary code through deserialization of untr
2898 | CVE-2025-54723 | 0.06% | 18.1 | 9.8 | | This vulnerability allows attackers to inject malicious objects via untrusted data deserialization i
2899 | CVE-2025-68110 | 0.06% | 17.9 | 9.9 | | ChurchCRM versions before 6.5.3 expose sensitive database credentials in error messages, allowing at
2900 | CVE-2025-40552 | 0.06% | 17.9 | 9.8 | | SolarWinds Web Help Desk contains an authentication bypass vulnerability that allows attackers to ex

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
