Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 4101 | CVE-2025-48081 | | 23.1th | 5.3 | | This path traversal vulnerability in the Printeers Print & Ship WordPress plugin allows attackers to |
| 4102 | CVE-2025-55522 | | 23.1th | 6.5 | | This cross-site scripting vulnerability in Akaunting v3.1.18 allows attackers to inject malicious sc |
| 4103 | CVE-2025-60020 | | 23.2th | 6.4 | | CVE-2025-60020 is a path traversal vulnerability in nncp (Node to Node Copy) that allows attackers t |
| 4104 | CVE-2025-10771 | | 23.2th | 6.3 | | This vulnerability in jeecgboot JimuReport allows remote attackers to execute arbitrary code through |
| 4105 | CVE-2025-11594 | | 23.2th | 5.3 | | This vulnerability in ywxbear PHP-Bookstore-Website-Example and PHP Basic BookStore Website allows r |
| 4106 | CVE-2025-11346 | | 23.2th | 6.3 | | This CVE describes a remote deserialization vulnerability in ILIAS learning management systems. Atta |
| 4107 | CVE-2025-57712 | | 23.2th | 6.5 | | A path traversal vulnerability in Qsync Central allows authenticated attackers to read arbitrary fil |
| 4108 | CVE-2025-13080 | | 23.1th | 5.3 | | This vulnerability in Drupal core allows attackers to bypass access controls through forceful browsi |
| 4109 | CVE-2025-8404 | | 23th | 5.5 | | This CVE describes a stack buffer overflow vulnerability in Supermicro BMC shared libraries that all |
| 4110 | CVE-2025-42885 | | 23.1th | 5.8 | | CVE-2025-42885 is an authentication bypass vulnerability in SAP HANA 2.0's hdbrss component that all |
| 4111 | CVE-2025-12906 | | 23.2th | 5.4 | | This vulnerability allows attackers to create deceptive UI elements in Google Chrome through crafted |
| 4112 | CVE-2025-69210 | | 23.2th | 5.4 | | FacturaScripts versions before 2025.7 contain a stored cross-site scripting (XSS) vulnerability in t |
| 4113 | CVE-2025-64872 | | 23.1th | 4.8 | | This stored XSS vulnerability in Adobe Experience Manager allows high-privileged attackers to inject |
| 4114 | CVE-2025-13070 | | 23.1th | 6.6 | | The CSV to SortTable WordPress plugin through version 4.2 contains a Local File Inclusion (LFI) vuln |
| 4115 | CVE-2025-1709 | | 23.2th | 6.5 | | This vulnerability exposes PostgreSQL database credentials stored in plain text (partially base64 en |
| 4116 | CVE-2026-22917 | | 23.1th | 4.3 | | This vulnerability involves improper input handling in a system endpoint that allows attackers to se |
| 4117 | CVE-2026-0571 | | 23.1th | 4.3 | | This CVE describes a path traversal vulnerability in the yeqifu warehouse software that allows attac |
| 4118 | CVE-2025-0882 | | 23th | 6.3 | | This is a critical SQL injection vulnerability in code-projects Chat System version 1.0 and earlier. |
| 4119 | CVE-2024-13700 | | 22.8th | 6.4 | | The Embed Swagger UI WordPress plugin has a stored XSS vulnerability in all versions up to 1.0.0. Au |
| 4120 | CVE-2024-13664 | | 22.8th | 6.4 | | The WP Post List Table WordPress plugin has a stored cross-site scripting vulnerability that allows |
| 4121 | CVE-2024-13549 | | 22.8th | 6.4 | | This vulnerability allows authenticated WordPress users with Contributor-level access or higher to i |
| 4122 | CVE-2024-13460 | | 22.8th | 6.4 | | The WE – Testimonial Slider WordPress plugin has a stored XSS vulnerability that allows authentica |
| 4123 | CVE-2024-13527 | | 22.8th | 6.4 | | This vulnerability allows authenticated WordPress users with contributor-level access or higher to i |
| 4124 | CVE-2024-12723 | | 22.9th | 6.1 | | This vulnerability in the Infility Global WordPress plugin allows attackers to inject malicious scri |
| 4125 | CVE-2025-24746 | | 22.9th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Popup Maker WordPress plugin allows atta |
| 4126 | CVE-2025-24729 | | 22.9th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in ElementInvader Addons for Elementor allows a |
| 4127 | CVE-2025-24578 | | 22.9th | 6.5 | | This DOM-based cross-site scripting (XSS) vulnerability in ElementInvader Addons for Elementor allow |
| 4128 | CVE-2024-12078 | | 22.9th | 6.3 | | ECOVACS robot lawn mowers and vacuums use a static, shared secret key to encrypt Bluetooth Low Energ |
| 4129 | CVE-2025-0450 | | 22.8th | 6.4 | | The Betheme WordPress plugin has a stored cross-site scripting (XSS) vulnerability that allows authe |
| 4130 | CVE-2025-0371 | | 22.8th | 6.4 | | The JetElements WordPress plugin has a stored cross-site scripting vulnerability that allows authent |
| 4131 | CVE-2025-0531 | | 23th | 6.3 | | This critical SQL injection vulnerability in code-projects Chat System 1.0 allows remote attackers t |
| 4132 | CVE-2024-48885 | | 22.9th | 5.3 | | This path traversal vulnerability (CWE-22) in multiple Fortinet products allows attackers to escalat |
| 4133 | CVE-2024-53563 | | 22.9th | 5.4 | | A stored cross-site scripting (XSS) vulnerability in Arcadyan Meteor 2 CPE FG360 Firmware allows att |
| 4134 | CVE-2024-13294 | | 22.9th | 5.4 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Drup |
| 4135 | CVE-2024-13289 | | 22.9th | 5.4 | | This is a cross-site scripting (XSS) vulnerability in the Drupal Cookiebot + GTM module that allows |
| 4136 | CVE-2024-13287 | | 22.9th | 5.4 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by Drupal V |
| 4137 | CVE-2025-22815 | | 22.9th | 6.5 | | This stored XSS vulnerability in the WordPress Button Block plugin allows attackers to inject malici |
| 4138 | CVE-2024-10815 | | 22.8th | 4.2 | | The PostLists WordPress plugin through version 2.0.2 contains a reflected cross-site scripting (XSS) |
| 4139 | CVE-2024-47475 | | 22.8th | 5.0 | | Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.x have incorrect permissions on critical system |
| 4140 | CVE-2024-9019 | | 22.8th | 6.4 | | This vulnerability allows authenticated attackers with contributor-level access or higher to inject |
| 4141 | CVE-2024-13469 | | 22.8th | 6.4 | | This vulnerability allows authenticated WordPress users with Contributor-level access or higher to i |
| 4142 | CVE-2024-53408 | | 22.9th | 5.4 | | AVE System Web Client v2.1.131.13992 contains a cross-site scripting (XSS) vulnerability that allows |
| 4143 | CVE-2025-26884 | | 22.9th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Greenshift WordPress plugin allows attac |
| 4144 | CVE-2025-26877 | | 22.9th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Rustaurius Front End Users WordPress plu |
| 4145 | CVE-2024-12038 | | 22.8th | 6.4 | | This vulnerability allows authenticated WordPress users with contributor-level access or higher to i |
| 4146 | CVE-2024-13455 | | 22.8th | 6.4 | | The igumbi Online Booking WordPress plugin has a stored cross-site scripting vulnerability that allo |
| 4147 | CVE-2024-13461 | | 22.8th | 6.4 | | This stored XSS vulnerability in the Autoship Cloud for WooCommerce plugin allows authenticated atta |
| 4148 | CVE-2025-1407 | | 22.8th | 6.4 | | The AMO Team Showcase WordPress plugin has a stored XSS vulnerability in all versions up to 1.1.4. A |
| 4149 | CVE-2024-13751 | | 22.8th | 6.4 | | The 3D Photo Gallery WordPress plugin has a stored XSS vulnerability that allows authenticated attac |
| 4150 | CVE-2024-13802 | | 22.8th | 6.4 | | This vulnerability allows authenticated WordPress users with contributor-level access or higher to i |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.