Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary
3251 | CVE-2025-63525 | 0.04% | 11.5th | 9.6 | | Blood Bank Management System 1.0 contains an improper access control vulnerability in delete.php tha
3252 | CVE-2026-24379 | 0.04% | 11.6th | 9.1 | | This CVE describes an authorization bypass vulnerability in the WP Job Portal WordPress plugin where
3253 | CVE-2026-22482 | 0.04% | 11.6th | 9.1 | | This SSRF vulnerability in wbolt.com IMGspider WordPress plugin allows attackers to make the server
3254 | CVE-2025-68857 | 0.04% | 11.6th | 9.3 | | This SQL injection vulnerability in the Paid Downloads WordPress plugin allows attackers to execute
3255 | CVE-2025-62754 | 0.04% | 11.6th | 9.1 | | This CVE describes a Missing Authorization vulnerability in the Payment Gateway bKash for WC WordPre
3256 | CVE-2025-62741 | 0.04% | 11.6th | 9.1 | | This SSRF vulnerability in the Pool Services WordPress theme allows attackers to make unauthorized r
3257 | CVE-2025-14894 | 0.04% | 11.6th | 9.8 | | CVE-2025-14894 is an unauthenticated remote code execution vulnerability in Livewire Filemanager for
3258 | CVE-2026-21875 | 0.04% | 11.6th | 9.8 | | ClipBucket v5 versions 5.5.2-#187 and below contain a blind SQL injection vulnerability in the comme
3259 | CVE-2025-40731 | 0.04% | 11.1th | 9.8 | | A critical SQL injection vulnerability in Daily Expense Manager v1.0 allows attackers to manipulate
3260 | CVE-2024-12364 | 0.04% | 11.3th | 9.8 | | This SQL injection vulnerability in Mavi Yeşil Software Guest Tracking Software allows attackers to
3261 | CVE-2024-12143 | 0.04% | 11.3th | 9.8 | | This SQL injection vulnerability in Mobilteg Mobile Informatics Mikro Hand Terminal - MikroDB allows
3262 | CVE-2024-11739 | 0.04% | 11.3th | 9.8 | | This SQL injection vulnerability in Case Informatics Case ERP allows attackers to execute arbitrary
3263 | CVE-2025-52717 | 0.04% | 11.3th | 9.3 | | This SQL injection vulnerability in the LifterLMS WordPress plugin allows attackers to execute arbit
3264 | CVE-2015-0842 | 0.04% | 11.1th | 9.8 | | CVE-2015-0842 is a SQL injection vulnerability in yubiserver versions before 0.6 that allows attacke
3265 | CVE-2025-4738 | 0.04% | 11.3th | 9.8 | | This SQL injection vulnerability in Yirmibes Software MY ERP allows attackers to execute arbitrary S
3266 | CVE-2025-40717 | 0.04% | 11.3th | 9.8 | | A critical SQL injection vulnerability in Quiter Gateway versions before 4.7.0 allows attackers to m
3267 | CVE-2025-40715 | 0.04% | 11.3th | 9.8 | | A SQL injection vulnerability in Quiter Gateway allows attackers to manipulate database operations t
3268 | CVE-2025-40713 | 0.04% | 11.3th | 9.8 | | A critical SQL injection vulnerability in Quiter Gateway versions before 4.7.0 allows attackers to m
3269 | CVE-2024-39335 | 0.04% | 11.2th | 9.1 | | This vulnerability allows institution administrators in Mahara to view sensitive information on the
3270 | CVE-2025-55299 | 0.04% | 11.2th | 9.4 | | VaulTLS versions before 0.9.1 have a critical authentication bypass vulnerability. Attackers can log
3271 | CVE-2025-39474 | 0.04% | 11.3th | 9.3 | | This SQL injection vulnerability in the ThemeMove Amely WordPress theme allows attackers to execute
3272 | CVE-2026-25939 | 0.04% | 11.3th | 9.1 | | An authorization bypass vulnerability in FUXA web-based SCADA/HMI software allows unauthenticated re
3273 | CVE-2026-25811 | 0.04% | 11.3th | 9.1 | | PlaciPy placement management system version 1.0.0 allows cross-tenant data access by deriving tenant
3274 | CVE-2025-69563 | 0.04% | 11.2th | 9.8 | | CVE-2025-69563 is a critical SQL injection vulnerability in code-projects Mobile Shop Management Sys
3275 | CVE-2025-69562 | 0.04% | 11.2th | 9.8 | | CVE-2025-69562 is a critical SQL injection vulnerability in code-projects Mobile Shop Management Sys
3276 | CVE-2025-70982 | 0.04% | 11.3th | 9.9 | | CVE-2025-70982 is an improper access control vulnerability in SpringBlade v4.5.0 that allows attacke
3277 | CVE-2026-20912 | 0.04% | 11.2th | 9.1 | | Gitea versions before 1.25.4 have an improper access control vulnerability where attachments uploade
3278 | CVE-2026-20897 | 0.04% | 11.2th | 9.1 | | CVE-2026-20897 is an improper access control vulnerability in Gitea where users with write access to
3279 | CVE-2026-20750 | 0.04% | 11.2th | 9.1 | | Gitea contains an authorization bypass vulnerability where users with project write access in one or
3280 | CVE-2026-0610 | 0.04% | 11.2th | 9.8 | | A SQL injection vulnerability in Devolutions Server's remote-sessions component allows attackers to
3281 | CVE-2025-64155 | 0.04% | 11.1th | 9.8 | | This CVE describes an OS command injection vulnerability in Fortinet FortiSIEM that allows attackers
3282 | CVE-2026-25150 | 0.04% | 11.2th | 9.3 | | This prototype pollution vulnerability in Qwik's formToObj() function allows unauthenticated attacke
3283 | CVE-2026-25240 | 0.04% | 11.2th | 9.8 | | This SQL injection vulnerability in PEAR's user::maintains() function allows attackers to execute ar
3284 | CVE-2026-25238 | 0.04% | 11.2th | 9.8 | | A SQL injection vulnerability in PEAR's bug subscription deletion feature allows attackers to execut
3285 | CVE-2026-25236 | 0.04% | 11.2th | 9.8 | | This CVE describes a SQL injection vulnerability in PEAR, a PHP component framework, where unsafe li
3286 | CVE-2025-1126 | 0.04% | 10.6th | 9.3 | | This vulnerability in Lexmark Print Management Client allows attackers to bypass security decisions
3287 | CVE-2025-46816 | 0.04% | 10.7th | 9.4 | | CVE-2025-46816 is a critical command injection vulnerability in goshs (SimpleHTTPServer written in G
3288 | CVE-2025-52829 | 0.04% | 10.9th | 9.3 | | This SQL injection vulnerability in DirectIQ Email Marketing WordPress plugin allows attackers to ex
3289 | CVE-2025-23967 | 0.04% | 10.9th | 9.3 | | This SQL injection vulnerability in the GG Bought Together for WooCommerce WordPress plugin allows a
3290 | CVE-2025-49452 | 0.04% | 10.9th | 9.3 | | This SQL injection vulnerability in the PostaPanduri WordPress plugin allows attackers to execute ar
3291 | CVE-2025-47573 | 0.04% | 10.9th | 9.3 | | This SQL injection vulnerability in the mojoomla School Management WordPress plugin allows attackers
3292 | CVE-2025-39479 | 0.04% | 10.9th | 9.3 | | This SQL injection vulnerability in the Smart Notification WordPress plugin allows attackers to exec
3293 | CVE-2025-24773 | 0.04% | 10.9th | 9.3 | | This SQL injection vulnerability in the WPCRM WordPress plugin allows attackers to execute arbitrary
3294 | CVE-2025-53937 | 0.04% | 11th | 9.8 | | A SQL injection vulnerability in WeGIA's /controle/control.php endpoint allows attackers to execute
3295 | CVE-2025-52832 | 0.04% | 10.9th | 9.3 | | This SQL injection vulnerability in the wpo-HR NGG Smart Image Search WordPress plugin allows attack
3296 | CVE-2025-52830 | 0.04% | 10.9th | 9.3 | | This SQL injection vulnerability in the bSecure WordPress plugin allows attackers to execute arbitra
3297 | CVE-2025-54133 | 0.04% | 10.9th | 9.6 | | Cursor code editor versions 1.17 through 1.2 contain a UI information disclosure vulnerability in th
3298 | CVE-2025-12553 | 0.04% | 10.9th | 9.8 | | This vulnerability in BLU-IC2 and BLU-IC4 email servers disables certificate verification, allowing
3299 | CVE-2025-68664 | 0.04% | 10.7th | 9.3 | | A serialization injection vulnerability in LangChain's dumps() and dumpd() functions allows attacker
3300 | CVE-2026-1009 | 0.04% | 10.6th | 9.0 | | A stored cross-site scripting vulnerability in Altium Forum allows authenticated attackers to inject

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
