Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

CVEs with EPSS > 50%: 164
CISA KEV listed: 156
CVEs with an EPSS score: 35,468
Average EPSS score: 0.7%
Rank | CVE ID | EPSS | Percentile | CVSS | Summary
3801 | CVE-2025-27155 | 0.09% | 24.6 | 6.1 | Pinecone Simulator (pineconesim) up to commit ea4c337 is vulnerable to stored cross-site scripting (
3802 | CVE-2025-4998 | 0.09% | 24.7 | 6.5 | This vulnerability in H3C Magic R200G routers allows remote attackers to cause denial of service by
3803 | CVE-2024-56526 | 0.09% | 24.5 | 4.9 | A vulnerability in OXID eShop allows CMS pages with Smarty syntax errors to display user information
3804 | CVE-2025-49190 | 0.09% | 24.6 | 4.3 | This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in SICK industrial automation
3805 | CVE-2025-5084 | 0.09% | 24.6 | 6.1 | The Post Grid Master WordPress plugin has a reflected cross-site scripting vulnerability that allows
3806 | CVE-2025-61586 | 0.09% | 24.5 | 5.3 | FreshRSS versions 1.26.3 and below contain a path traversal vulnerability in the theme field that al
3807 | CVE-2025-53799 | 0.09% | 24.5 | 5.5 | CVE-2025-53799 is an information disclosure vulnerability in Windows Imaging Component where uniniti
3808 | CVE-2025-55325 | 0.09% | 24.7 | 5.5 | This CVE describes a buffer over-read vulnerability in Windows Storage Management Provider that allo
3809 | CVE-2025-63713 | 0.09% | 24.6 | 6.1 | This Cross-Site Scripting (XSS) vulnerability in SourceCodester MatchMaster 1.0 allows attackers to
3810 | CVE-2026-25878 | 0.09% | 24.6 | 5.3 | CVE-2026-25878 is an authentication bypass vulnerability in the FroshAdminer plugin for Shopware Pla
3811 | CVE-2025-12728 | 0.09% | 24.6 | 4.2 | This vulnerability allows attackers to spoof UI elements in Chrome's address bar (Omnibox) on Androi
3812 | CVE-2025-12446 | 0.09% | 24.6 | 4.2 | This vulnerability allows attackers to spoof the browser UI in Google Chrome's SplitView feature by
3813 | CVE-2025-11213 | 0.09% | 24.6 | 6.3 | This vulnerability allows attackers to spoof website domains in Chrome's address bar on Android devi
3814 | CVE-2025-11212 | 0.09% | 24.6 | 6.3 | This vulnerability in Google Chrome allows attackers to spoof website domains through crafted HTML p
3815 | CVE-2025-11208 | 0.09% | 24.6 | 6.3 | This vulnerability allows attackers to trick users into interacting with fake UI elements by convinc
3816 | CVE-2026-2169 | 0.09% | 24.7 | 6.3 | This vulnerability allows remote attackers to execute arbitrary commands on D-Link DWR-M921 routers
3817 | CVE-2026-2168 | 0.09% | 24.7 | 6.3 | This vulnerability allows remote attackers to execute arbitrary commands on D-Link DWR-M921 routers
3818 | CVE-2021-47729 | 0.09% | 24.6 | 5.4 | This stored cross-site scripting vulnerability in Selea Targa IP OCR-ANPR cameras allows attackers t
3819 | CVE-2025-14757 | 0.09% | 24.6 | 5.3 | This vulnerability allows unauthenticated attackers to mark any order's payment status as 'completed
3820 | CVE-2026-1171 | 0.09% | 24.6 | 5.3 | This vulnerability in birkir prime's GraphQL Field Handler allows remote attackers to cause denial o
3821 | CVE-2026-1172 | 0.09% | 24.6 | 5.3 | A denial-of-service vulnerability exists in birkir prime's GraphQL Directive Handler component, allo
3822 | CVE-2024-57773 | 0.08% | 24.4 | 4.8 | This cross-site scripting (XSS) vulnerability in JFinalOA allows attackers to inject malicious scrip
3823 | CVE-2024-57771 | 0.08% | 24.4 | 4.8 | This cross-site scripting (XSS) vulnerability in JFinalOA allows attackers to inject malicious scrip
3824 | CVE-2024-56497 | 0.08% | 24.4 | 6.7 | This CVE describes an OS command injection vulnerability in Fortinet FortiMail and FortiRecorder pro
3825 | CVE-2024-56471 | 0.08% | 24.3 | 5.4 | IBM Aspera Shares versions 1.9.0 through 1.10.0 PL6 contain a server-side request forgery (SSRF) vul
3826 | CVE-2025-29929 | 0.08% | 24.3 | 4.6 | This CSRF vulnerability in Tuleap allows attackers to trick authenticated users into unknowingly sub
3827 | CVE-2025-29766 | 0.08% | 24.3 | 4.6 | CVE-2025-29766 is a Cross-Site Request Forgery (CSRF) vulnerability in Tuleap that allows attackers
3828 | CVE-2025-31602 | 0.08% | 24.4 | 4.3 | This CSRF vulnerability in the Apimo Connector WordPress plugin allows attackers to trick authentica
3829 | CVE-2025-31600 | 0.08% | 24.4 | 4.3 | This CSRF vulnerability in the DesignO WordPress plugin allows attackers to trick authenticated admi
3830 | CVE-2025-31588 | 0.08% | 24.4 | 5.4 | A Cross-Site Request Forgery (CSRF) vulnerability in the Elfsight Testimonials Slider WordPress plug
3831 | CVE-2025-31572 | 0.08% | 24.4 | 4.3 | This CSRF vulnerability in the WordPress Multi Days Events and Multi Events in One Day Calendar plug
3832 | CVE-2025-31410 | 0.08% | 24.4 | 4.3 | A Cross-Site Request Forgery (CSRF) vulnerability in the WP Church Donation WordPress plugin allows
3833 | CVE-2025-31474 | 0.08% | 24.4 | 4.3 | A Cross-Site Request Forgery (CSRF) vulnerability in the WP Database Optimizer WordPress plugin allo
3834 | CVE-2025-31456 | 0.08% | 24.4 | 4.3 | A Cross-Site Request Forgery (CSRF) vulnerability in the Ultimate Security Checker WordPress plugin
3835 | CVE-2025-31447 | 0.08% | 24.4 | 5.4 | A Cross-Site Request Forgery (CSRF) vulnerability in the NertWorks All in One Social Share Tools Wor
3836 | CVE-2025-31439 | 0.08% | 24.4 | 5.4 | A Cross-Site Request Forgery (CSRF) vulnerability in the tobias_.MerZ Browser Caching with .htaccess
3837 | CVE-2025-31079 | 0.08% | 24.4 | 4.3 | This CSRF vulnerability in the Usermaven WordPress plugin allows attackers to trick authenticated ad
3838 | CVE-2025-30872 | 0.08% | 24.4 | 4.3 | This CSRF vulnerability in the Product Author for WooCommerce WordPress plugin allows attackers to t
3839 | CVE-2025-30865 | 0.08% | 24.4 | 4.3 | This Cross-Site Request Forgery (CSRF) vulnerability in the 3DPrint Lite WordPress plugin allows att
3840 | CVE-2025-30863 | 0.08% | 24.4 | 4.3 | This CSRF vulnerability in CRM Perks Integration for Google Sheets and Contact Form 7, WPForms, Elem
3841 | CVE-2025-30856 | 0.08% | 24.4 | 4.3 | A Cross-Site Request Forgery (CSRF) vulnerability in the Custom Field For WP Job Manager WordPress p
3842 | CVE-2025-30823 | 0.08% | 24.4 | 4.3 | This Cross-Site Request Forgery (CSRF) vulnerability in the Anthologize WordPress plugin allows atta
3843 | CVE-2025-30815 | 0.08% | 24.4 | 4.3 | This CSRF vulnerability in the Hesabfa Accounting WordPress plugin allows attackers to trick authent
3844 | CVE-2025-30811 | 0.08% | 24.4 | 4.3 | A Cross-Site Request Forgery (CSRF) vulnerability in the ValidateCertify WordPress plugin allows att
3845 | CVE-2025-30804 | 0.08% | 24.4 | 4.3 | This Cross-Site Request Forgery (CSRF) vulnerability in the wpShopGermany IT-RECHT KANZLEI WordPress
3846 | CVE-2025-30801 | 0.08% | 24.4 | 4.3 | A Cross-Site Request Forgery (CSRF) vulnerability in the TWB Woocommerce Reviews WordPress plugin al
3847 | CVE-2025-30764 | 0.08% | 24.4 | 4.3 | A Cross-Site Request Forgery (CSRF) vulnerability in the AntoineH Football Pool WordPress plugin all
3848 | CVE-2024-11847 | 0.08% | 24.4 | 4.8 | The wp-svg-upload WordPress plugin through version 1.0.0 fails to sanitize SVG file contents, allowi
3849 | CVE-2025-2711 | 0.08% | 24.4 | 4.3 | This vulnerability in Yonyou UFIDA ERP-NC 5.0 allows attackers to inject malicious scripts via the l
3850 | CVE-2025-30585 | 0.08% | 24.4 | 4.3 | A Cross-Site Request Forgery (CSRF) vulnerability in the WordPress Generate Post Thumbnails plugin a

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by FIRST.org that estimates the probability that a CVE will see exploitation activity in the wild within the next 30 days. Scores are recomputed daily. The percentile beside each score states what share of all scored CVEs have the same or a lower EPSS score, so a CVE at 0.09% and the 24.6th percentile sits in the bottom quarter of the scored population. Unlike CVSS, which measures how severe exploitation would be, EPSS measures how likely exploitation is, which makes it the better input for deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published every month, not all vulnerabilities are equally dangerous. EPSS lets security teams focus on the CVEs attackers are most likely to use, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS. EPSS knows nothing about whether the affected software is reachable in your environment, and a CVE already on CISA's KEV list is confirmed exploited regardless of its score, so exposure and KEV status belong alongside EPSS when ordering patch work.
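The following is an added example, not code from this page or from FIRST.org, showing how the prioritization described above can be turned into a repeatable ordering: KEV-listed CVEs first, then anything above an EPSS threshold, then severe-but-quiet CVSS 9+ findings, then the rest, with EPSS and CVSS as tie-breakers. It also computes an EPSS percentile from a population of scores using FIRST's definition (share of scored CVEs with the same or a lower score). The CVE-0000-* identifiers, the 10% threshold and the sample scores are constructed for illustration; only CVE-2025-61586 is taken from the table above.

```python
"""Added example: rank CVEs for patching by exploit likelihood (EPSS) with
CISA KEV as hard evidence, instead of by CVSS severity alone.
All inputs below are constructed; CVE-0000-* IDs are placeholders, not real CVEs."""
from bisect import bisect_right
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float        # CVSS base score, 0.0-10.0 (how bad exploitation would be)
    epss: float        # EPSS probability, 0.0-1.0 (chance of exploitation in 30 days)
    kev: bool = False  # listed in CISA KEV, i.e. exploitation already confirmed


def epss_percentile(score: float, population: list[float]) -> float:
    """Share of scored CVEs with the same or a lower EPSS score
    (FIRST's published definition of the EPSS percentile), as 0.0-1.0."""
    ranked = sorted(population)
    return bisect_right(ranked, score) / len(ranked)


def priority_tier(f: Finding, epss_threshold: float = 0.10) -> int:
    """Lower tier = patch sooner. The thresholds are example policy, not EPSS guidance."""
    if f.kev:                      # confirmed exploited: no prediction needed
        return 1
    if f.epss >= epss_threshold:   # model says exploitation is likely soon
        return 2
    if f.cvss >= 9.0:              # severe, but no exploitation signal yet
        return 3
    return 4


def patch_order(findings: list[Finding], epss_threshold: float = 0.10) -> list[str]:
    """CVE IDs in the order they should be patched: tier, then EPSS, then CVSS."""
    ordered = sorted(
        findings,
        key=lambda f: (priority_tier(f, epss_threshold), -f.epss, -f.cvss),
    )
    return [f.cve for f in ordered]


# Constructed sample. The two CVE-0000-* entries mirror the comparison in the text:
# a CVSS 9.8 with 0.1% EPSS versus a CVSS 7.5 with 90% EPSS.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.001),
    Finding("CVE-0000-0002", cvss=7.5, epss=0.900),
    Finding("CVE-0000-0003", cvss=6.5, epss=0.030, kev=True),
    Finding("CVE-2025-61586", cvss=5.3, epss=0.0009),  # row from the table above
]

if __name__ == "__main__":
    scores = [f.epss for f in SAMPLE]
    for cve in patch_order(SAMPLE):
        f = next(x for x in SAMPLE if x.cve == cve)
        print(f"{cve}: tier {priority_tier(f)} cvss={f.cvss} epss={f.epss:.2%} "
              f"percentile={epss_percentile(f.epss, scores):.0%} kev={f.kev}")
```

Run as-is, the KEV-listed CVE comes out first even though its EPSS is only 3%, the CVSS 7.5 / 90% EPSS entry is patched before the CVSS 9.8 / 0.1% entry, and the FreshRSS row from the table lands last. Raising or lowering epss_threshold is how a team expresses its own appetite for predicted risk; the KEV rule should not be softened, since it reflects observed exploitation rather than a prediction.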
