Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary
4451 | CVE-2025-40640 | 0.07% | 21.8th | 5.4 | | A stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 allows attackers to inject mal
4452 | CVE-2025-43824 | 0.07% | 21.8th | 5.4 | | This vulnerability allows authenticated users to manipulate file extensions when downloading vCard f
4453 | CVE-2025-40991 | 0.07% | 21.8th | 5.4 | | A stored cross-site scripting (XSS) vulnerability in Ekushey CRM v5.0 allows attackers to inject mal
4454 | CVE-2025-40990 | 0.07% | 21.8th | 5.4 | | A stored cross-site scripting (XSS) vulnerability in Ekushey CRM v5.0 allows attackers to inject mal
4455 | CVE-2025-40989 | 0.07% | 21.8th | 5.4 | | A stored cross-site scripting (XSS) vulnerability in Ekushey CRM v5.0 allows attackers to inject mal
4456 | CVE-2025-40646 | 0.07% | 21.8th | 5.4 | | A stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 allows attackers to inject mal
4457 | CVE-2025-63214 | 0.07% | 21.9th | 6.5 | | This vulnerability allows unauthorized attackers to create and delete arbitrary user accounts in bri
4458 | CVE-2025-64739 | 0.07% | 21.9th | 4.3 | | This vulnerability in Zoom Clients allows unauthenticated attackers to control file paths, potential
4459 | CVE-2025-5718 | 0.07% | 21.9th | 6.8 | | This CVE describes a privilege escalation vulnerability in the ACAP Application framework through sy
4460 | CVE-2025-43504 | 0.07% | 21.9th | 4.9 | | A buffer overflow vulnerability in Xcode allows attackers in privileged network positions to cause d
4461 | CVE-2025-13093 | 0.07% | 21.8th | 5.3 | | The Devs CRM WordPress plugin has a missing capability check on its bulk-update REST API endpoint, a
4462 | CVE-2025-65293 | 0.07% | 21.9th | 6.6 | | This CVE describes a command injection vulnerability in Aqara Camera Hub G3 devices that allows atta
4463 | CVE-2025-12832 | 0.07% | 21.7th | 4.6 | | This CVE describes a server-side request forgery (SSRF) vulnerability in IBM InfoSphere Information
4464 | CVE-2025-66577 | 0.07% | 21.8th | 5.3 | | This vulnerability in cpp-httplib allows attackers to spoof client IP addresses by sending malicious
4465 | CVE-2025-65841 | 0.07% | 22.0th | 6.2 | | Aquarius Desktop 3.0.069 for macOS stores user credentials in a local file using weak obfuscation th
4466 | CVE-2025-58478 | 0.07% | 21.9th | 4.3 | | This vulnerability allows remote attackers to write data outside the intended memory boundaries in S
4467 | CVE-2025-58477 | 0.07% | 21.9th | 4.3 | | This vulnerability allows remote attackers to write outside the bounds of allocated memory when pars
4468 | CVE-2026-1036 | 0.07% | 21.8th | 5.3 | | This vulnerability in the Photo Gallery by 10WordPress plugin allows unauthenticated attackers to de
4469 | CVE-2026-20876 | 0.07% | 21.9th | 6.7 | | A heap-based buffer overflow vulnerability in Windows Virtualization-Based Security (VBS) Enclave al
4470 | CVE-2025-13419 | 0.07% | 21.8th | 5.3 | | This vulnerability in the WP Front User Submit WordPress plugin allows unauthenticated attackers to
4471 | CVE-2025-63686 | 0.07% | 21.9th | 6.5 | | This CVE describes an arbitrary file download vulnerability in GuoMinJim PersonManage software. Atta
4472 | CVE-2024-10026 | 0.07% | 21.7th | 5.3 | | This vulnerability in Google's gVisor container runtime allows remote attackers to calculate a local
4473 | CVE-2024-57272 | 0.07% | 21.7th | 6.1 | | This vulnerability allows attackers to inject malicious scripts into SecuSTATION Camera web interfac
4474 | CVE-2024-56923 | 0.07% | 21.5th | 5.4 | | A stored cross-site scripting (XSS) vulnerability in Silverpeas Core allows remote attackers to inje
4475 | CVE-2024-57537 | 0.07% | 21.7th | 6.3 | | A buffer overflow vulnerability in Linksys E8450 routers allows attackers to execute arbitrary code
4476 | CVE-2024-55459 | 0.07% | 21.7th | 6.5 | | A vulnerability in Keras 3.7.0 allows attackers to write arbitrary files to a user's machine by expl
4477 | CVE-2025-1746 | 0.07% | 21.7th | 6.1 | | This is a Cross-Site Scripting (XSS) vulnerability in OpenCart that allows attackers to execute mali
4478 | CVE-2025-1537 | 0.07% | 21.6th | 6.3 | | This critical SQL injection vulnerability in Harpia DiagSystem 12 allows remote attackers to execute
4479 | CVE-2024-0145 | 0.07% | 21.5th | 6.8 | | This vulnerability in NVIDIA's nvJPEG2000 library allows attackers to execute arbitrary code or tamp
4480 | CVE-2024-0143 | 0.07% | 21.5th | 6.8 | | This vulnerability in NVIDIA's nvJPEG2000 library allows attackers to execute arbitrary code or tamp
4481 | CVE-2024-0142 | 0.07% | 21.5th | 6.8 | | This vulnerability in NVIDIA's nvJPEG2000 library allows attackers to execute arbitrary code or tamp
4482 | CVE-2025-20204 | 0.07% | 21.5th | 4.8 | | An authenticated cross-site scripting (XSS) vulnerability in Cisco ISE's web management interface al
4483 | CVE-2025-26923 | 0.07% | 21.6th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Event post WordPress plugin allows attac
4484 | CVE-2025-26559 | 0.07% | 21.6th | 6.5 | | This reflected cross-site scripting (XSS) vulnerability in the WordPress Secure Invites plugin allow
4485 | CVE-2025-26537 | 0.07% | 21.6th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress GDPR Tools plugin allows attac
4486 | CVE-2025-30553 | 0.07% | 21.6th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the GMO Font Agent WordPress plugin allows a
4487 | CVE-2025-0718 | 0.07% | 21.6th | 4.8 | | The Nested Pages WordPress plugin before version 3.2.13 contains a stored cross-site scripting (XSS)
4488 | CVE-2025-2597 | 0.07% | 21.7th | 6.1 | | A reflected cross-site scripting (XSS) vulnerability in ITIUM 6050 version 5.5.5.2-b3526 allows atta
4489 | CVE-2025-30092 | 0.07% | 21.7th | 6.1 | | This vulnerability allows cross-site scripting (XSS) attacks in Intrexx Portal Server through multip
4490 | CVE-2025-26659 | 0.07% | 21.7th | 6.1 | | SAP NetWeaver Application Server ABAP has a DOM-based Cross-Site Scripting vulnerability where unaut
4491 | CVE-2025-25245 | 0.07% | 21.7th | 5.4 | | SAP BusinessObjects Web Intelligence contains an insecure deprecated endpoint vulnerable to cross-si
4492 | CVE-2025-25242 | 0.07% | 21.7th | 6.1 | | CVE-2025-25242 is a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABA
4493 | CVE-2024-53698 | 0.07% | 21.6th | 4.9 | | A double free vulnerability in QNAP operating systems could allow remote attackers with administrato
4494 | CVE-2025-26202 | 0.07% | 21.6th | 4.3 | | This CVE describes a stored Cross-Site Scripting (XSS) vulnerability in DZS router web interfaces. A
4495 | CVE-2025-1797 | 0.07% | 21.6th | 6.3 | | This critical SQL injection vulnerability in Hunan Zhonghe Baiyi Information Technology's Baiyiyun A
4496 | CVE-2025-29480 | 0.07% | 21.6th | 5.5 | | A buffer overflow vulnerability in GDAL 3.10.2's OGRSpatialReference::Release function allows a loca
4497 | CVE-2025-29478 | 0.07% | 21.6th | 5.5 | | A local denial-of-service vulnerability in fluent-bit v3.7.2 allows attackers to crash the service b
4498 | CVE-2025-21947 | 0.07% | 21.6th | 4.7 | | A race condition vulnerability in the Linux kernel's ksmbd component allows type confusion between I
4499 | CVE-2025-21944 | 0.07% | 21.6th | 5.5 | | A race condition vulnerability in the Linux kernel's ksmbd SMB server implementation could cause a k
4500 | CVE-2025-21931 | 0.07% | 21.6th | 5.5 | | A race condition vulnerability in the Linux kernel's memory hotplug subsystem where hardware-poisone

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, which makes it well suited to prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
