Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:

EPSS > 50%: 164 CVEs
CISA KEV listed: 156 CVEs
CVEs with an EPSS score: 35,468
Average EPSS score: 0.7%
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary (truncated) |
|---|---|---|---|---|---|---|
| 3101 | CVE-2025-25176 | 0.05% | 14.2th | 9.1 | | This vulnerability allows non-secure applications to exfiltrate intermediate register values from se |
| 3102 | CVE-2025-65125 | 0.05% | 14.4th | 9.8 | | This SQL injection vulnerability in the online-movie-booking system allows attackers to execute arbi |
| 3103 | CVE-2026-25233 | 0.05% | 14.3th | 9.1 | | This vulnerability in PEAR (PHP Extension and Application Repository) allows non-lead maintainers to |
| 3104 | CVE-2025-32880 | 0.05% | 13.9th | 9.8 | | COROS PACE 3 smartwatches download firmware updates over unencrypted HTTP connections, allowing atta |
| 3105 | CVE-2025-69634 | 0.05% | 13.9th | 9.0 | | A Cross-Site Request Forgery (CSRF) vulnerability in Dolibarr ERP & CRM v22.0.9 allows remote attack |
| 3106 | CVE-2025-24936 | 0.05% | 13.9th | 9.0 | | This vulnerability allows remote command injection in a web application, enabling attackers to execu |
| 3107 | CVE-2025-54693 | 0.05% | 14th | 9.0 | | This vulnerability allows attackers to upload arbitrary files, including web shells, to WordPress se |
| 3108 | CVE-2025-6520 | 0.05% | 13.9th | 9.8 | | This SQL injection vulnerability in Abis Technology BAPSIS allows attackers to execute arbitrary SQL |
| 3109 | CVE-2025-63622 | 0.05% | 13.9th | 9.8 | | CVE-2025-63622 is a critical SQL injection vulnerability in code-projects Online Complaint Site 1.0 |
| 3110 | CVE-2025-11253 | 0.05% | 13.9th | 9.8 | | This SQL injection vulnerability in Aksis Technology Netty ERP allows attackers to execute arbitrary |
| 3111 | CVE-2025-41018 | 0.05% | 13.9th | 9.8 | | This SQL injection vulnerability in Sergestec's Exito v8.0 allows attackers to manipulate database q |
| 3112 | CVE-2025-10437 | 0.05% | 13.9th | 9.8 | | This SQL injection vulnerability in Eksagate's Webpack Management System allows attackers to execute |
| 3113 | CVE-2025-63694 | 0.05% | 13.9th | 9.8 | | DzzOffice v2.3.7 and earlier contains a SQL injection vulnerability in the explorer/groupmanage comp |
| 3114 | CVE-2026-25881 | 0.05% | 14th | 9.0 | | This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.31. It al |
| 3115 | CVE-2026-25875 | 0.05% | 14th | 9.8 | | This vulnerability allows attackers to bypass authorization in PlaciPy placement management systems |
| 3116 | CVE-2025-64280 | 0.05% | 13.9th | 9.8 | | A SQL injection vulnerability in CentralSquare Community Development 19.5.7 allows attackers to exec |
| 3117 | CVE-2025-64338 | 0.05% | 13.9th | 9.0 | | ClipBucket v5 versions 5.5.2-#156 and below contain a stored cross-site scripting (XSS) vulnerabilit |
| 3118 | CVE-2025-52773 | 0.05% | 13.9th | 9.8 | | This SQL injection vulnerability in the HieCOR Payment Gateway Plugin for WordPress allows attackers |
| 3119 | CVE-2025-48089 | 0.05% | 13.9th | 9.8 | | This SQL injection vulnerability in the HiStudy WordPress theme allows attackers to execute arbitrar |
| 3120 | CVE-2025-12463 | 0.05% | 13.9th | 9.8 | | An unauthenticated SQL injection vulnerability in Geutebruck G-Cam E-Series cameras allows attackers |
| 3121 | CVE-2025-21589 | 0.05% | 13.9th | 9.8 | | This authentication bypass vulnerability in Juniper Session Smart products allows network-based atta |
| 3122 | CVE-2025-68034 | 0.05% | 14.1th | 9.3 | | This SQL injection vulnerability in the CleverReach® WP WordPress plugin allows attackers to execut |
| 3123 | CVE-2025-67945 | 0.05% | 14.1th | 9.3 | | This SQL injection vulnerability in the MailerLite WooCommerce integration plugin allows attackers t |
| 3124 | CVE-2026-21876 | 0.05% | 13.9th | 9.3 | | This vulnerability in OWASP Core Rule Set (CRS) allows attackers to bypass multipart request filteri |
| 3125 | CVE-2025-53546 | 0.05% | 13.5th | 9.1 | | This CVE describes a GitHub Actions vulnerability in Folo where the pull_request_target workflow all |
| 3126 | CVE-2025-43773 | 0.05% | 13.5th | 9.1 | | This vulnerability in Liferay Portal and DXP allows improper access through the expandoTableLocalSer |
| 3127 | CVE-2025-55167 | 0.05% | 13.6th | 9.8 | | CVE-2025-55167 is a critical SQL injection vulnerability in WeGIA web management software that allow |
| 3128 | CVE-2025-60291 | 0.05% | 13.5th | 9.1 | | This vulnerability allows unauthorized attackers to access restricted administrative routes in eTime |
| 3129 | CVE-2025-62892 | 0.05% | 13.5th | 9.1 | | This CVE describes a Missing Authorization vulnerability in the Sunshine Photo Cart WordPress plugin |
| 3130 | CVE-2025-41348 | 0.05% | 13.7th | 9.8 | | A critical SQL injection vulnerability in WinPlus v24.11.27 allows attackers to execute arbitrary SQ |
| 3131 | CVE-2025-66074 | 0.05% | 13.8th | 9.0 | | This vulnerability allows attackers to upload arbitrary files to WordPress sites using the WP Webhoo |
| 3132 | CVE-2023-53877 | 0.05% | 13.5th | 9.8 | | Bus Reservation System 1.1 contains a SQL injection vulnerability in the pickup_id parameter that al |
| 3133 | CVE-2025-66430 | 0.05% | 13.7th | 9.1 | | CVE-2025-66430 is an incorrect access control vulnerability in Plesk's Password Protected Directorie |
| 3134 | CVE-2025-41013 | 0.05% | 13.7th | 9.8 | | This SQL injection vulnerability in TCMAN GIM v11 allows attackers to manipulate database queries th |
| 3135 | CVE-2025-30615 | 0.04% | 13.3th | 9.6 | | A Cross-Site Request Forgery (CSRF) vulnerability in the WP e-Commerce Style Email WordPress plugin |
| 3136 | CVE-2025-27558 | 0.04% | 13.2th | 9.1 | | This vulnerability allows attackers to inject arbitrary frames into mesh Wi-Fi networks using WPA, W |
| 3137 | CVE-2025-6427 | 0.04% | 13.3th | 9.1 | | This vulnerability allows attackers to bypass Content Security Policy connect-src directives by mani |
| 3138 | CVE-2025-58068 | 0.04% | 13.2th | 9.1 | | Eventlet versions before 0.40.3 are vulnerable to HTTP request smuggling due to improper handling of |
| 3139 | CVE-2025-45583 | 0.04% | 13.2th | 9.1 | | This vulnerability allows attackers to bypass authentication in the FTP service of Audi UTR 2.0 Univ |
| 3140 | CVE-2025-70085 | 0.04% | 13.2th | 9.8 | | This CVE describes a stack buffer overflow vulnerability in OpenSatKit 2.2.1's file management compo |
| 3141 | CVE-2025-54343 | 0.04% | 13.4th | 9.6 | | An incorrect access control vulnerability in Desktop Alert PingAlert's Application Server allows rem |
| 3142 | CVE-2025-66603 | 0.04% | 13.2th | 9.8 | | The OPTIONS method vulnerability in Yokogawa FAST/TOOLS web servers exposes HTTP method information |
| 3143 | CVE-2025-68990 | 0.04% | 13.2th | 9.8 | | This SQL injection vulnerability in the BWL Pro Voting Manager WordPress plugin allows attackers to |
| 3144 | CVE-2024-44065 | 0.04% | 13.2th | 9.8 | | CVE-2024-44065 is a critical SQL injection vulnerability in Cloudlog v2.6.15 that allows attackers t |
| 3145 | CVE-2025-68590 | 0.04% | 13.2th | 9.8 | | This SQL injection vulnerability in the CRM Perks Integration for Contact Form 7 HubSpot WordPress p |
| 3146 | CVE-2025-68570 | 0.04% | 13.2th | 9.8 | | This SQL injection vulnerability in the Captivate Sync WordPress plugin allows attackers to execute |
| 3147 | CVE-2025-68519 | 0.04% | 13.2th | 9.8 | | This SQL injection vulnerability in the BeRocket Brands for WooCommerce plugin allows attackers to e |
| 3148 | CVE-2025-68496 | 0.04% | 13.2th | 9.8 | | This CVE describes a blind SQL injection vulnerability in the User Feedback Lite WordPress plugin. A |
| 3149 | CVE-2025-65830 | 0.04% | 13.4th | 9.1 | | This vulnerability allows attackers to intercept and manipulate TLS traffic between a mobile applica |
| 3150 | CVE-2025-63742 | 0.04% | 13.3th | 9.8 | | This SQL injection vulnerability in Xinhu Rainrock RockOA allows attackers to execute arbitrary SQL |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
