Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary
3301 | CVE-2021-47781 | 0.04% | 10.6th | 9.8 | | CVE-2021-47781 is a critical buffer overflow vulnerability in Cmder Console Emulator version 1.3.18
3302 | CVE-2026-25137 | 0.04% | 10.9th | 9.1 | | The NixOS Odoo package exposes the database manager without authentication, allowing unauthorized ac
3303 | CVE-2025-1889 | 0.04% | 10.4th | 9.8 | | CVE-2025-1889 is a vulnerability in picklescan versions before 0.0.22 where the tool only checks sta
3304 | CVE-2025-3200 | 0.04% | 10.5th | 9.1 | | This vulnerability allows unauthenticated remote attackers to intercept and manipulate encrypted com
3305 | CVE-2025-6918 | 0.04% | 10.2th | 9.8 | | This SQL injection vulnerability in Ncvav Virtual PBX Software allows attackers to execute arbitrary
3306 | CVE-2025-4784 | 0.04% | 10.2th | 9.8 | | This SQL injection vulnerability in Moderec Tourtella allows attackers to execute arbitrary SQL comm
3307 | CVE-2025-4285 | 0.04% | 10.2th | 10.0 | | This SQL injection vulnerability in Rolantis Agentis allows attackers to execute arbitrary SQL comma
3308 | CVE-2025-56212 | 0.04% | 10.2th | 9.8 | | CVE-2025-56212 is a critical SQL injection vulnerability in phpgurukul Hospital Management System 4.
3309 | CVE-2025-51092 | 0.04% | 10.2th | 9.8 | | This SQL injection vulnerability in the LogIn-SignUp PHP project allows attackers to execute arbitra
3310 | CVE-2023-41530 | 0.04% | 10.2th | 9.8 | | This SQL injection vulnerability in Hospital Management System v4 allows attackers to execute arbitr
3311 | CVE-2023-41527 | 0.04% | 10.2th | 9.8 | | This SQL injection vulnerability in Hospital Management System v4 allows attackers to execute arbitr
3312 | CVE-2023-41525 | 0.04% | 10.2th | 9.8 | | Hospital Management System v4 contains a SQL injection vulnerability in the patient_contact paramete
3313 | CVE-2025-41375 | 0.04% | 10.2th | 9.8 | | A SQL injection vulnerability in LimeSurvey v2.65.1+170522 allows attackers to manipulate database q
3314 | CVE-2024-13151 | 0.04% | 10.5th | 9.8 | | This SQL injection vulnerability in ESBI Auto Service Software allows attackers to execute arbitrary
3315 | CVE-2026-0509 | 0.04% | 10.6th | 9.6 | | This vulnerability allows authenticated low-privileged users in SAP NetWeaver ABAP systems to execut
3316 | CVE-2025-13032 | 0.04% | 10.5th | 9.9 | | A double fetch vulnerability in the sandbox kernel driver of Avast/AVG Antivirus on Windows allows l
3317 | CVE-2025-65827 | 0.04% | 10.2th | 9.1 | | This CVE describes a mobile application vulnerability where the app allows clear text HTTP traffic t
3318 | CVE-2026-21855 | 0.04% | 10.3th | 9.3 | | CVE-2026-21855 is a reflected Cross-Site Scripting (XSS) vulnerability in Tarkov Data Manager's toas
3319 | CVE-2025-40682 | 0.04% | 10.1th | 9.8 | | This SQL injection vulnerability in Human Resource Management System version 1.0 allows attackers to
3320 | CVE-2025-54720 | 0.04% | 9.8th | 9.3 | | This SQL injection vulnerability in the SteelThemes Nest Addons WordPress plugin allows attackers to
3321 | CVE-2025-39496 | 0.04% | 9.8th | 9.3 | | This SQL injection vulnerability in the WooBeWoo Product Filter Pro WordPress plugin allows attacker
3322 | CVE-2025-54726 | 0.04% | 9.8th | 9.3 | | This SQL injection vulnerability in the JS Archive List WordPress plugin allows attackers to execute
3323 | CVE-2025-54048 | 0.04% | 9.8th | 9.3 | | This SQL injection vulnerability in the miniOrange Custom API for WordPress plugin allows attackers
3324 | CVE-2025-54117 | 0.04% | 10.1th | 9.0 | | A stored cross-site scripting (XSS) vulnerability in NamelessMC's dashboard text editor allows authe
3325 | CVE-2025-54707 | 0.04% | 9.8th | 9.3 | | This SQL injection vulnerability in the RealMag777 MDTF WordPress plugin allows attackers to execute
3326 | CVE-2025-54678 | 0.04% | 9.8th | 9.3 | | This SQL injection vulnerability in the Easy Form Builder WordPress plugin allows attackers to execu
3327 | CVE-2025-54669 | 0.04% | 9.8th | 9.3 | | This SQL injection vulnerability in the MapSVG WordPress plugin allows attackers to execute arbitrar
3328 | CVE-2025-52720 | 0.04% | 9.8th | 9.3 | | This SQL injection vulnerability in the Super Store Finder WordPress plugin allows attackers to exec
3329 | CVE-2025-49059 | 0.04% | 9.8th | 9.3 | | This SQL injection vulnerability in the CleverReach® WP WordPress plugin allows attackers to execut
3330 | CVE-2025-56557 | 0.04% | 10th | 9.1 | | This vulnerability in the Tuya Smart Life App allows attackers to gain unauthorized control over Mat
3331 | CVE-2025-58628 | 0.04% | 9.8th | 9.3 | | This SQL injection vulnerability in the Miraculous WordPress theme allows attackers to execute arbit
3332 | CVE-2025-66719 | 0.04% | 9.7th | 9.1 | | This vulnerability in Free5gc NRF 1.4.0 allows attackers to bypass scope validation during access to
3333 | CVE-2025-41034 | 0.04% | 10.1th | 9.8 | | An SQL injection vulnerability in appRain CMF 4.0.5 allows attackers to manipulate database queries
3334 | CVE-2025-41032 | 0.04% | 10.1th | 9.8 | | An SQL injection vulnerability in appRain CMF 4.0.5 allows attackers to manipulate database queries
3335 | CVE-2025-69564 | 0.04% | 10.1th | 9.8 | | CVE-2025-69564 is a critical SQL injection vulnerability in code-projects Mobile Shop Management Sys
3336 | CVE-2026-0920 | 0.04% | 9.7th | 9.8 | | The LA-Studio Element Kit for Elementor WordPress plugin allows unauthenticated attackers to create
3337 | CVE-2021-47875 | 0.04% | 9.8th | 9.8 | | GeoGebra CAS Calculator 6.0.631.0 contains a buffer overflow vulnerability that allows attackers to
3338 | CVE-2026-1699 | 0.04% | 9.8th | 10.0 | | This CVE describes a critical GitHub Actions vulnerability in Eclipse Theia's website repository whe
3339 | CVE-2025-24973 | 0.03% | 9.6th | 9.3 | | This vulnerability in Concorde (formerly Nexkey) allows authentication credentials to persist in coo
3340 | CVE-2025-39601 | 0.03% | 9.6th | 9.6 | | A Cross-Site Request Forgery (CSRF) vulnerability in the WPFactory Custom CSS, JS & PHP WordPress pl
3341 | CVE-2025-41236 | 0.03% | 9.5th | 9.3 | | This CVE describes an integer-overflow vulnerability in VMware's VMXNET3 virtual network adapter tha
3342 | CVE-2025-21450 | 0.03% | 9.6th | 9.1 | | This vulnerability allows attackers to intercept or manipulate data during downloads due to insecure
3343 | CVE-2025-26496 | 0.03% | 9.6th | 9.3 | | This CVE describes a type confusion vulnerability in Salesforce Tableau's file upload modules that a
3344 | CVE-2025-60156 | 0.03% | 9.5th | 9.6 | | A Cross-Site Request Forgery (CSRF) vulnerability in the AR For WordPress plugin allows attackers to
3345 | CVE-2025-58255 | 0.03% | 9.5th | 9.6 | | A Cross-Site Request Forgery (CSRF) vulnerability in the WordPress Custom Post Type Images plugin al
3346 | CVE-2025-44594 | 0.03% | 9.6th | 9.1 | | This SSRF vulnerability in halo allows attackers to make the server send arbitrary HTTP requests to
3347 | CVE-2025-59159 | 0.03% | 9.7th | 9.6 | | SillyTavern versions before 1.13.4 are vulnerable to DNS rebinding attacks, allowing attackers to by
3348 | CVE-2025-53214 | 0.03% | 9.7th | 9.1 | | This CVE describes a Missing Authorization vulnerability in the Sertifier Certificate & Badge Maker
3349 | CVE-2025-52024 | 0.03% | 9.4th | 9.4 | | The Aptsys POS Platform Web Services module exposes internal API testing tools to unauthenticated us
3350 | CVE-2025-3500 | 0.03% | 9.5th | 9.0 | | An integer overflow vulnerability in Avast Antivirus for Windows allows attackers to escalate privil

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
