Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Summary |
|------|--------|------------|------------|------|---------|
| 3651 | CVE-2024-56955 | 0.09% | 25th | 6.5 | This vulnerability in QQMail iOS app allows attackers to access sensitive user information by tricki |
| 3652 | CVE-2024-56953 | 0.09% | 25th | 6.5 | This vulnerability in Baidu Input Method for iOS allows attackers to access user information by tric |
| 3653 | CVE-2024-56951 | 0.09% | 25th | 6.5 | This vulnerability in UU Game Booster iOS app allows attackers to access sensitive user information |
| 3654 | CVE-2024-56949 | 0.09% | 25th | 6.5 | This vulnerability in University Search iOS app allows attackers to access sensitive user informatio |
| 3655 | CVE-2024-56947 | 0.09% | 25th | 6.5 | This vulnerability in BeautyCam iOS app allows attackers to access sensitive user information by tri |
| 3656 | CVE-2025-24740 | 0.09% | 24.9th | 4.7 | This vulnerability allows attackers to redirect users from a legitimate LearnPress WordPress plugin |
| 3657 | CVE-2025-21570 | 0.09% | 25th | 6.1 | This vulnerability in Oracle Life Sciences Argus Safety 8.2.3 allows unauthenticated attackers with |
| 3658 | CVE-2025-21512 | 0.09% | 25th | 6.1 | This vulnerability in Oracle JD Edwards EnterpriseOne Tools allows unauthenticated attackers to mani |
| 3659 | CVE-2024-45647 | 0.09% | 24.9th | 5.6 | This vulnerability in IBM Security Verify Access allows unauthenticated attackers to reset passwords |
| 3660 | CVE-2024-47106 | 0.09% | 24.9th | 5.3 | IBM Jazz for Service Management versions 1.1.3 through 1.1.3.22 have improper access restrictions th |
| 3661 | CVE-2024-13268 | 0.09% | 24.9th | 6.8 | This CVE describes a static code injection vulnerability in Drupal Opigno that allows PHP local file |
| 3662 | CVE-2025-24318 | 0.09% | 25th | 6.8 | This vulnerability allows attackers to observe cookie policies through built-in browser developer to |
| 3663 | CVE-2025-1692 | 0.09% | 25th | 6.3 | This vulnerability allows attackers to inject malicious code into MongoDB Shell (mongosh) through cl |
| 3664 | CVE-2024-7052 | 0.09% | 24.9th | 4.8 | This vulnerability allows administrators in WordPress multisite installations to inject malicious sc |
| 3665 | CVE-2024-13843 | 0.09% | 25.1th | 6.0 | This vulnerability allows local authenticated administrators on Ivanti Connect Secure and Policy Sec |
| 3666 | CVE-2024-47770 | 0.09% | 24.9th | 4.6 | This vulnerability in Wazuh allows attackers with no privilege access to view the agent list on the |
| 3667 | CVE-2025-30450 | 0.09% | 25th | 5.5 | A macOS vulnerability involving improper symlink validation allows applications to access sensitive |
| 3668 | CVE-2025-30609 | 0.09% | 25.1th | 5.3 | This vulnerability allows attackers to retrieve embedded sensitive data from the AppExperts WordPres |
| 3669 | CVE-2024-11821 | 0.09% | 25th | 4.3 | A privilege escalation vulnerability in langgenius/dify version 0.9.1 allows normal users to modify |
| 3670 | CVE-2024-55009 | 0.09% | 24.9th | 6.1 | A reflected cross-site scripting (XSS) vulnerability in AutoBib allows attackers to inject malicious |
| 3671 | CVE-2025-1620 | 0.09% | 24.9th | 4.8 | This vulnerability in the GDPR Cookie Compliance WordPress plugin allows administrators to inject ma |
| 3672 | CVE-2024-13602 | 0.09% | 24.9th | 4.8 | The Poll Maker WordPress plugin before version 5.5.4 contains a stored cross-site scripting (XSS) vu |
| 3673 | CVE-2025-28015 | 0.09% | 25th | 5.3 | An HTML injection vulnerability in PHPGurukul User Registration & Login and User Management System V3 |
| 3674 | CVE-2025-0629 | 0.09% | 24.9th | 4.8 | This vulnerability in the Coronavirus (COVID-19) Notice Message WordPress plugin allows administrato |
| 3675 | CVE-2025-1917 | 0.09% | 25th | 4.3 | This vulnerability allows attackers to spoof browser UI elements in Google Chrome on Android, potent |
| 3676 | CVE-2024-53384 | 0.09% | 24.9th | 5.1 | This DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to inject malicious scripts that c |
| 3677 | CVE-2024-38426 | 0.09% | 25th | 5.4 | This vulnerability in Qualcomm UE (User Equipment) authentication processing allows improper authent |
| 3678 | CVE-2024-10306 | 0.09% | 25th | 5.4 | This vulnerability in mod_proxy_cluster allows unauthorized access to MCMP (Mod-Cluster Management P |
| 3679 | CVE-2025-39472 | 0.09% | 25th | 4.3 | A Cross-Site Request Forgery (CSRF) vulnerability in the WPWeb WooCommerce Social Login WordPress pl |
| 3680 | CVE-2025-32280 | 0.09% | 25th | 4.3 | A Cross-Site Request Forgery (CSRF) vulnerability in weDevs WP Project Manager allows attackers to t |
| 3681 | CVE-2025-5290 | 0.09% | 24.9th | 6.4 | The Borderless Elementor Addons plugin for WordPress has a stored XSS vulnerability in the 'title' p |
| 3682 | CVE-2024-49350 | 0.09% | 24.9th | 6.5 | IBM Db2 databases running vulnerable versions can be crashed by sending specially crafted queries, c |
| 3683 | CVE-2025-5162 | 0.09% | 25th | 6.3 | This critical vulnerability in H3C SecCenter SMP-E1114P02 allows remote attackers to upload arbitrar |
| 3684 | CVE-2025-4808 | 0.09% | 25th | 6.3 | This critical SQL injection vulnerability in PHPGurukul Park Ticketing Management System 2.0 allows |
| 3685 | CVE-2025-4781 | 0.09% | 25th | 6.3 | A critical SQL injection vulnerability exists in PHPGurukul Park Ticketing Management System 2.0 thr |
| 3686 | CVE-2024-8702 | 0.09% | 25th | 4.8 | The Backup Database WordPress plugin through version 4.9 contains a stored cross-site scripting (XSS |
| 3687 | CVE-2025-47888 | 0.09% | 25th | 5.9 | The Jenkins DingTalk Plugin 2.7.3 and earlier disables SSL/TLS certificate validation for DingTalk w |
| 3688 | CVE-2024-11390 | 0.09% | 25th | 5.4 | This vulnerability allows attackers to upload malicious HTML/JavaScript files through Kibana's Synth |
| 3689 | CVE-2025-52054 | 0.09% | 24.9th | 5.3 | This vulnerability allows unauthenticated attackers to calculate the root password of Tenda AC8 rout |
| 3690 | CVE-2025-51488 | 0.09% | 25th | 4.9 | A stored XSS vulnerability in MoonShine versions before 3.12.4 allows attackers to inject malicious |
| 3691 | CVE-2025-47808 | 0.09% | 25th | 5.6 | A NULL pointer dereference vulnerability in GStreamer's subparse plugin can cause application crashe |
| 3692 | CVE-2023-21473 | 0.09% | 25th | 6.8 | This vulnerability allows a physical attacker with USB access to execute arbitrary code in the bootl |
| 3693 | CVE-2023-21472 | 0.09% | 25th | 6.8 | This vulnerability allows a physical attacker with USB access to execute arbitrary code in the bootl |
| 3694 | CVE-2025-60852 | 0.09% | 24.9th | 6.5 | A CSV injection vulnerability in Instant Developer Foundation allows attackers to embed malicious fo |
| 3695 | CVE-2019-25312 | 0.09% | 24.9th | 5.4 | CVE-2019-25312 is a persistent cross-site scripting (XSS) vulnerability in InoERP 0.7.2 that allows |
| 3696 | CVE-2025-11842 | 0.09% | 25th | 6.3 | CVE-2025-11842 is a path traversal vulnerability in Shazwazza Smidge's Bundle Handler component that |
| 3697 | CVE-2025-58591 | 0.09% | 25th | 6.5 | This vulnerability allows remote attackers to brute-force directory and file paths to access sensiti |
| 3698 | CVE-2025-58590 | 0.09% | 25th | 6.5 | This vulnerability allows attackers to brute-force directory and file paths, potentially exposing se |
| 3699 | CVE-2025-0642 | 0.09% | 24.9th | 6.3 | This vulnerability in PosCube Assist software allows attackers to bypass authentication using hard-c |
| 3700 | CVE-2025-26391 | 0.09% | 24.9th | 5.4 | SolarWinds Observability Self-Hosted contains a cross-site scripting (XSS) vulnerability in user-cre |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by FIRST (the Forum of Incident Response and Security Teams) that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Each CVE receives a probability between 0 and 1 (shown above as a percentage) and a percentile that ranks it against every other scored CVE; both are recomputed daily as new exploitation evidence arrives. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, which makes it a better first filter for deciding what to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a CVSS 7.5 vulnerability with 90% EPSS. EPSS says nothing about whether the affected component is reachable in your environment or how much damage exploitation would do, so use it alongside CISA KEV (confirmed exploitation), CVSS and asset context rather than instead of them.
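The prioritisation rule sketched above, written out as a small Python script. This is an added example, not code from FIRST or from the site that produced the table. The JSON feed is constructed to mirror the shape of the FIRST EPSS API response (fields `cve`, `epss`, `percentile`, `date`, with the scores encoded as strings); CVSS scores and KEV membership, which would normally come from NVD and the CISA KEV catalog, are hard-coded. The two `CVE-1900-*` identifiers are hypothetical placeholders for the "CVSS 9.8 / EPSS 0.1%" and "CVSS 7.5 / EPSS 90%" cases compared in the text, `CVE-2025-5162` is assumed KEV-listed purely to show KEV outranking EPSS, and `EPSS_URGENT` is an organisational threshold, not an EPSS constant.

```python
"""Prioritise CVEs by exploit likelihood (EPSS), with KEV membership and CVSS
as tie-breakers. Added example for this page; not code from FIRST or from the
site behind the table. Feed, CVSS values and KEV membership are constructed."""
import json
import re

EPSS_URGENT = 0.10  # assumed policy threshold: >= 10% counts as "likely exploited"

# Constructed feed in the shape of the FIRST EPSS API response. The first two
# rows reuse values from the table on this page; CVE-1900-0001/0002 are
# HYPOTHETICAL placeholders for the CVSS 9.8 / EPSS 0.1% and CVSS 7.5 / EPSS 90%
# cases the text compares.
EPSS_FEED = """{"status": "OK", "data": [
  {"cve": "CVE-2024-56955", "epss": "0.0009", "percentile": "0.25", "date": "2025-06-01"},
  {"cve": "CVE-2025-5162",  "epss": "0.0009", "percentile": "0.25", "date": "2025-06-01"},
  {"cve": "CVE-1900-0001",  "epss": "0.0010", "percentile": "0.27", "date": "2025-06-01"},
  {"cve": "CVE-1900-0002",  "epss": "0.9000", "percentile": "0.99", "date": "2025-06-01"}
]}"""

# Constructed: CVSS base scores (the two real ones match the table) and an
# assumed KEV membership, chosen so that KEV outranks a much higher EPSS.
CVSS = {"CVE-2024-56955": 6.5, "CVE-2025-5162": 6.3,
        "CVE-1900-0001": 9.8, "CVE-1900-0002": 7.5}
KEV = {"CVE-2025-5162"}


def parse_percent(text):
    """Turn the table's '0.09%' into a probability (0.0009)."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*%\s*", text)
    if not m:
        raise ValueError(f"not a percentage: {text!r}")
    return float(m.group(1)) / 100.0


def parse_percentile(text):
    """Turn the table's '24.9th' into a fraction (0.249)."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(?:st|nd|rd|th)\s*", text)
    if not m:
        raise ValueError(f"not a percentile: {text!r}")
    return float(m.group(1)) / 100.0


def load_epss(feed_json):
    """Parse an EPSS-API-shaped document into {cve: (epss, percentile)}."""
    doc = json.loads(feed_json)
    if doc.get("status") != "OK":
        raise ValueError("EPSS feed did not report status OK")
    out = {}
    for row in doc["data"]:
        epss, pct = float(row["epss"]), float(row["percentile"])
        if not (0.0 <= epss <= 1.0 and 0.0 <= pct <= 1.0):
            raise ValueError(f"out-of-range score for {row['cve']}")
        out[row["cve"]] = (epss, pct)
    return out


def priority_tier(cve, epss, cvss, kev):
    """Buckets: confirmed exploitation beats predicted; predicted beats severity."""
    if cve in kev:
        return "P1-KEV"
    if epss >= EPSS_URGENT:
        return "P2-likely-exploited"
    if cvss >= 9.0:
        return "P3-critical-but-quiet"
    return "P4-routine"


def prioritize(epss_by_cve, cvss_by_cve, kev):
    """Order CVEs: KEV first, then EPSS descending, then CVSS descending."""
    rows = []
    for cve, (epss, pct) in epss_by_cve.items():
        cvss = cvss_by_cve.get(cve, 0.0)
        rows.append({"cve": cve, "epss": epss, "percentile": pct, "cvss": cvss,
                     "tier": priority_tier(cve, epss, cvss, kev)})
    rows.sort(key=lambda r: (r["cve"] not in kev, -r["epss"], -r["cvss"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(load_epss(EPSS_FEED), CVSS, KEV):
        print(f"{r['tier']:<22} {r['cve']:<15} EPSS {r['epss']:.2%}  "
              f"pct {r['percentile']:.0%}  CVSS {r['cvss']}")
```

Run as-is, the KEV-listed entry comes out first despite its 0.09% EPSS, the 90% EPSS placeholder second, the CVSS 9.8 placeholder third, and the remaining table row last, which is the ordering the paragraph argues for. The range check in `load_epss` is there because a feed that ships percentages instead of probabilities (or vice versa) would silently invert the ranking.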
