Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 4151 | CVE-2024-49355 | | 22.9th | 5.3 | | IBM OpenPages with Watson versions 8.3 and 9.0 may write improperly neutralized data to server log f |
| 4152 | CVE-2024-13799 | | 22.9th | 6.4 | | This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to in |
| 4153 | CVE-2024-13667 | | 22.8th | 5.4 | | The Uncode WordPress theme has a stored cross-site scripting vulnerability that allows authenticated |
| 4154 | CVE-2024-13465 | | 22.8th | 6.4 | | The aBlocks WordPress plugin has a stored XSS vulnerability in its Table Of Content block that allow |
| 4155 | CVE-2024-13582 | | 22.8th | 6.4 | | This stored XSS vulnerability in the Simple Pricing Tables For WPBakery Page Builder WordPress plugi |
| 4156 | CVE-2024-13579 | | 22.8th | 6.4 | | The WP-Asambleas WordPress plugin has a stored XSS vulnerability in its 'polls_popup' shortcode that |
| 4157 | CVE-2024-13577 | | 22.8th | 6.4 | | The CATS Job Listings WordPress plugin has a stored XSS vulnerability that allows authenticated atta |
| 4158 | CVE-2024-13573 | | 22.8th | 6.4 | | This vulnerability allows authenticated WordPress users with contributor-level access or higher to i |
| 4159 | CVE-2024-13464 | | 22.8th | 6.4 | | This stored XSS vulnerability in the Library Bookshelves WordPress plugin allows authenticated attac |
| 4160 | CVE-2024-12525 | | 22.8th | 6.4 | | This stored XSS vulnerability in the Easy MLS Listings Import WordPress plugin allows authenticated |
| 4161 | CVE-2025-0506 | | 22.8th | 6.4 | | This vulnerability allows authenticated attackers with at least Contributor-level access in WordPres |
| 4162 | CVE-2024-13459 | | 22.8th | 6.4 | | The FuseDesk WordPress plugin has a stored XSS vulnerability that allows authenticated attackers wit |
| 4163 | CVE-2024-13658 | | 22.8th | 6.4 | | The NGG Smart Image Search WordPress plugin has a stored XSS vulnerability that allows authenticated |
| 4164 | CVE-2024-53648 | | 22.8th | 6.8 | | This vulnerability affects multiple Siemens SIPROTEC 5 protection relay devices. It allows unauthent |
| 4165 | CVE-2025-1162 | | 23rd | 6.3 | | A critical SQL injection vulnerability in code-projects Job Recruitment 1.0 allows remote attackers |
| 4166 | CVE-2025-22683 | | 22.9th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress NotificationX plugin allows at |
| 4167 | CVE-2024-13547 | | 22.8th | 6.4 | | This vulnerability allows authenticated WordPress users with Contributor-level access or higher to i |
| 4168 | CVE-2025-1798 | | 23rd | 6.1 | | This stored cross-site scripting (XSS) vulnerability allows unauthenticated attackers to inject mali |
| 4169 | CVE-2024-10565 | | 22.9th | 6.1 | | The Slider by 10Web WordPress plugin before version 1.2.62 contains a stored cross-site scripting (X |
| 4170 | CVE-2025-0281 | | 22.9th | 5.4 | | A stored cross-site scripting vulnerability in lunary-ai/lunary allows attackers to inject malicious |
| 4171 | CVE-2024-11850 | | 22.9th | 5.4 | | A stored cross-site scripting (XSS) vulnerability in langgenius/dify allows attackers to inject mali |
| 4172 | CVE-2025-2419 | | 23rd | 6.3 | | This critical SQL injection vulnerability in Real Estate Property Management System 1.0 allows attac |
| 4173 | CVE-2025-2390 | | 22.8th | 6.3 | | A critical SQL injection vulnerability in Blood Bank Management System 1.0 allows attackers to execu |
| 4174 | CVE-2025-29429 | | 22.9th | 6.1 | | This CVE describes a Cross-Site Scripting (XSS) vulnerability in Code-projects Online Class and Exam |
| 4175 | CVE-2025-2384 | | 23rd | 6.3 | | This critical SQL injection vulnerability in Real Estate Property Management System 1.0 allows remot |
| 4176 | CVE-2025-28870 | | 22.9th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in amoCRM WebForm allows attackers to inject |
| 4177 | CVE-2021-37787 | | 23rd | 6.5 | | This SQL injection vulnerability in ABO.CMS allows attackers to execute arbitrary SQL commands throu |
| 4178 | CVE-2025-1664 | | 22.8th | 6.4 | | This stored XSS vulnerability in the Essential Blocks WordPress plugin allows authenticated attacker |
| 4179 | CVE-2025-1261 | | 22.8th | 6.4 | | This vulnerability allows authenticated attackers with contributor-level access or higher to inject |
| 4180 | CVE-2025-24887 | | 23rd | 6.3 | | OpenCTI versions 6.4.8 through 6.4.9 contain an authorization bypass vulnerability that allows authe |
| 4181 | CVE-2025-38049 | | 23rd | 5.5 | | A NULL pointer dereference vulnerability in the Linux kernel's x86 resctrl subsystem occurs when cre |
| 4182 | CVE-2025-39563 | | 23rd | 6.5 | | This CSRF vulnerability in WP Trio Conditional Payments for WooCommerce allows attackers to trick au |
| 4183 | CVE-2024-8243 | | 22.8th | 6.3 | | This vulnerability in the WordPress Upgrade Time Out Plugin allows attackers to perform Cross-Site R |
| 4184 | CVE-2024-8492 | | 22.9th | 4.8 | | The Hustle WordPress plugin through version 7.8.5 contains a stored cross-site scripting (XSS) vulne |
| 4185 | CVE-2024-6798 | | 22.9th | 4.8 | | The DL Verification WordPress plugin through version 1.2 contains a stored cross-site scripting (XSS |
| 4186 | CVE-2024-6462 | | 22.9th | 4.8 | | The DL Yandex Metrika WordPress plugin through version 1.2 contains a stored cross-site scripting (X |
| 4187 | CVE-2024-11190 | | 22.9th | 4.8 | | The jwp-a11y WordPress plugin through version 4.1.7 contains a stored cross-site scripting (XSS) vul |
| 4188 | CVE-2025-28168 | | 22.8th | 6.4 | | CVE-2025-28168 is an unrestricted file upload vulnerability in the Multiple File Upload add-on for O |
| 4189 | CVE-2025-5510 | | 22.9th | 6.3 | | This critical SSRF vulnerability in quequnlong shiyi-blog allows attackers to make the server send u |
| 4190 | CVE-2025-5406 | | 22.9th | 6.3 | | This critical vulnerability in Blogbook allows remote attackers to upload arbitrary files without re |
| 4191 | CVE-2025-45156 | | 22.8th | 5.3 | | Splashin iOS v2.0 fails to properly enforce server-side interval restrictions for location updates f |
| 4192 | CVE-2025-50082 | | 22.9th | 6.5 | | This vulnerability in MySQL Server's optimizer component allows authenticated attackers with low pri |
| 4193 | CVE-2025-47963 | | 22.9th | 6.3 | | This vulnerability in Microsoft Edge (Chromium-based) allows unauthorized attackers to perform spoof |
| 4194 | CVE-2025-35033 | | 22.9th | 4.1 | | Medical Informatics Engineering Enterprise Health has a CSV injection vulnerability that allows auth |
| 4195 | CVE-2025-36351 | | 22.8th | 4.3 | | This vulnerability in IBM License Metric Tool allows authenticated users to bypass access controls i |
| 4196 | CVE-2025-57899 | | 22.9th | 5.3 | | This CVE describes a missing authorization vulnerability in the WP Compress WordPress plugin that al |
| 4197 | CVE-2025-59417 | | 22.9th | 6.1 | | Lobe Chat versions before 1.129.4 contain a cross-site scripting (XSS) vulnerability in the SVG rend |
| 4198 | CVE-2025-10042 | | 22.9th | 5.9 | | The Quiz Maker WordPress plugin is vulnerable to SQL injection via spoofed IP headers in versions up |
| 4199 | CVE-2023-21467 | | 22.9th | 4.6 | | This vulnerability in Samsung Exynos baseband chips allows incorrect handling of unencrypted message |
| 4200 | CVE-2025-11497 | | 22.9th | 4.3 | | This CSRF vulnerability in the Advanced Database Cleaner WordPress plugin allows unauthenticated att |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first. The EPSS score is a probability between 0 and 1; the percentile shown in the table is a relative rank, the share of all scored CVEs with a lower EPSS score, so a 23rd-percentile CVE is below roughly three quarters of scored CVEs in exploitation likelihood. Scores are recomputed daily and change as new exploitation evidence appears, so a ranking like the one above is a snapshot, not a fixed property of the CVE.
Why EPSS matters: with thousands of CVEs published every month, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with an EPSS of 0.1% may be less urgent than a high CVSS 7.5 with an EPSS of 90%. EPSS does not replace asset context: a low-EPSS vulnerability on an internet-facing system that handles sensitive data can still outrank a high-EPSS one on an isolated host.
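The prioritization rule described above, as an added example that is not code from the original page or from FIRST. It builds a batch request URL for the public FIRST EPSS API, parses a response body shaped like that API's JSON (the sample here is constructed, not a real API reply), joins the scores to CVSS base scores, and orders findings by exploitation probability with CVSS used only as a tie-breaker. Every CVE ID, score and tier threshold in the block is made up or an assumption for illustration, not a FIRST recommendation.

```python
"""EPSS-first triage: order findings by exploitation probability, not CVSS.

Added example, not part of the original page or of FIRST's tooling.
The request URL targets the public FIRST EPSS API; the JSON below is a
constructed sample shaped like that API's response, and every CVE ID,
score and threshold in this file is made up or an assumption.
"""
import json
from dataclasses import dataclass
from urllib.parse import urlencode

EPSS_API = "https://api.first.org/data/v1/epss"

# Illustrative policy thresholds (assumption, not a FIRST recommendation):
# a 10% 30-day exploitation probability is treated as "patch now",
# 1% as "patch this cycle", anything lower waits behind them.
PATCH_NOW = 0.10
PATCH_THIS_CYCLE = 0.01


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float        # severity (0-10)
    epss: float        # probability of exploitation in the next 30 days (0-1)
    percentile: float  # share of all scored CVEs with a lower EPSS (0-1)


def epss_query_url(cves):
    """GET URL that asks the EPSS API for a batch of CVEs in one request."""
    return f"{EPSS_API}?{urlencode({'cve': ','.join(cves)}, safe=',')}"


def parse_epss_response(raw):
    """Map CVE ID -> (epss, percentile) from an EPSS API JSON body.

    The API returns the numbers as strings, so convert explicitly and
    fail loudly on anything outside [0, 1] rather than silently mis-rank.
    """
    body = json.loads(raw)
    if body.get("status") != "OK":
        raise ValueError(f"EPSS API error: {body.get('status')}")
    out = {}
    for row in body["data"]:
        epss, pct = float(row["epss"]), float(row["percentile"])
        if not (0.0 <= epss <= 1.0 and 0.0 <= pct <= 1.0):
            raise ValueError(f"out-of-range score for {row['cve']}")
        out[row["cve"]] = (epss, pct)
    return out


def tier(f):
    """Bucket a finding by its EPSS probability using the thresholds above."""
    if f.epss >= PATCH_NOW:
        return "patch-now"
    if f.epss >= PATCH_THIS_CYCLE:
        return "this-cycle"
    return "backlog"


def prioritize(findings):
    """Highest exploitation probability first; CVSS only breaks ties."""
    return sorted(findings, key=lambda f: (-f.epss, -f.cvss))


def expected_exploited(findings):
    """Expected number of these CVEs to see exploitation within 30 days.

    Valid because EPSS is a probability; assumes the per-CVE events are
    independent, which is an approximation.
    """
    return sum(f.epss for f in findings)


# Constructed sample response: the 9.8 has a tiny EPSS, the 7.5 a huge one.
SAMPLE_RESPONSE = json.dumps({
    "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
    "total": 3, "offset": 0, "limit": 100,
    "data": [
        {"cve": "CVE-2024-0001", "epss": "0.001000000", "percentile": "0.229000000", "date": "2025-01-01"},
        {"cve": "CVE-2024-0002", "epss": "0.900000000", "percentile": "0.998000000", "date": "2025-01-01"},
        {"cve": "CVE-2024-0003", "epss": "0.001500000", "percentile": "0.240000000", "date": "2025-01-01"},
    ],
})

# CVSS base scores for the same constructed CVEs (in practice from NVD).
SAMPLE_CVSS = {"CVE-2024-0001": 9.8, "CVE-2024-0002": 7.5, "CVE-2024-0003": 6.4}


def triage_sample():
    """Join EPSS to CVSS and return (cve, cvss, epss, tier) in patch order."""
    scores = parse_epss_response(SAMPLE_RESPONSE)
    findings = [Finding(c, SAMPLE_CVSS[c], e, p) for c, (e, p) in scores.items()]
    return [(f.cve, f.cvss, f.epss, tier(f)) for f in prioritize(findings)]


if __name__ == "__main__":
    print("fetch with:", epss_query_url(SAMPLE_CVSS))
    for row in triage_sample():
        print(row)
```

Running it puts the CVSS 7.5 finding with 90% EPSS at the top as "patch-now" and the CVSS 9.8 finding with 0.1% EPSS last, which is the inversion the text describes. The range check in the parser matters in practice: a bad or truncated response should stop the pipeline, not quietly push a vulnerability to the bottom of the queue.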