Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

164 CVEs with EPSS > 50%
156 CISA KEV listed
35,468 CVEs with EPSS
0.7% average EPSS score
Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary
4551 | CVE-2025-25908 | 0.07% | 21.2 | 5.4 | | A stored cross-site scripting (XSS) vulnerability in tianti v2.3 allows attackers to inject maliciou
4552 | CVE-2025-4111 | 0.07% | 21.2 | 6.3 | | This critical SQL injection vulnerability in PHPGurukul Pre-School Enrollment System 1.0 allows remo
4553 | CVE-2025-3849 | 0.07% | 21.5 | 4.3 | | This vulnerability allows remote attackers to change student passwords without proper verification i
4554 | CVE-2025-20256 | 0.07% | 21.5 | 6.5 | | This vulnerability allows authenticated administrators on Cisco Secure Network Analytics Manager and
4555 | CVE-2024-12561 | 0.07% | 21.3 | 6.1 | | This vulnerability allows unauthenticated attackers to redirect WordPress users to malicious website
4556 | CVE-2025-4980 | 0.07% | 21.4 | 5.3 | | This vulnerability in Netgear DGND3700 routers allows remote attackers to access sensitive informati
4557 | CVE-2025-4806 | 0.07% | 21.5 | 6.3 | | This critical SQL injection vulnerability in SourceCodester/oretnom23 Stock Management System 1.0 al
4558 | CVE-2025-4786 | 0.07% | 21.5 | 6.3 | | This critical SQL injection vulnerability in SourceCodester/oretnom23 Stock Management System 1.0 al
4559 | CVE-2025-4701 | 0.07% | 21.3 | 5.3 | | This vulnerability in VITA-MLLM Freeze-Omni allows arbitrary code execution through unsafe deseriali
4560 | CVE-2025-4695 | 0.07% | 21.5 | 6.3 | | This critical SQL injection vulnerability in PHPGurukul/Campcodes Cyber Cafe Management System 1.0 a
4561 | CVE-2025-4541 | 0.07% | 21.5 | 6.3 | | This critical SQL injection vulnerability in LmxCMS 1.41 allows remote attackers to execute arbitrar
4562 | CVE-2025-4535 | 0.07% | 21.3 | 5.3 | | This vulnerability in Gosuncn Technology Group Audio-Visual Integrated Management Platform 4.0 allow
4563 | CVE-2025-29746 | 0.07% | 21.3 | 6.1 | | A Cross-Site Scripting (XSS) vulnerability in Koillection v1.6.10 allows remote attackers to inject
4564 | CVE-2025-6774 | 0.07% | 21.4 | 6.3 | | This critical path traversal vulnerability in gooaclok819 sublinkX allows attackers to access arbitr
4565 | CVE-2025-6528 | 0.07% | 21.5 | 4.3 | | This vulnerability allows unauthenticated access to live video streams from 70mai M300 dash cameras.
4566 | CVE-2025-4571 | 0.07% | 21.3 | 5.4 | | The GiveWP WordPress plugin has an authorization bypass vulnerability that allows authenticated user
4567 | CVE-2025-33035 | 0.07% | 21.4 | 6.5 | | A path traversal vulnerability in QNAP File Station 5 allows authenticated attackers to read arbitra
4568 | CVE-2025-36071 | 0.07% | 21.4 | 6.5 | | IBM Db2 database servers running vulnerable versions can crash when processing specially crafted que
4569 | CVE-2024-51473 | 0.07% | 21.4 | 6.5 | | IBM Db2 database servers are vulnerable to denial of service attacks where a specially crafted query
4570 | CVE-2025-54139 | 0.07% | 21.5 | 4.3 | | HAX CMS versions 11.0.12 and below (NodeJS) and 11.0.7 and below (PHP) lack X-Frame-Options headers,
4571 | CVE-2025-6465 | 0.07% | 21.4 | 4.3 | | This vulnerability allows authenticated users with file upload permissions to overwrite file attachm
4572 | CVE-2025-43749 | 0.07% | 21.4 | 5.3 | | This vulnerability allows unauthenticated users (guests) to access files uploaded via forms and stor
4573 | CVE-2025-5468 | 0.07% | 21.3 | 5.5 | | This vulnerability allows authenticated local attackers to read arbitrary files on disk through impr
4574 | CVE-2025-54638 | 0.07% | 21.2 | 5.5 | | This vulnerability involves inconsistent read/write serialization in the ad module, which could allo
4575 | CVE-2025-54804 | 0.07% | 21.4 | 6.5 | | This vulnerability in the Russh SSH library allows integer overflow when processing SSH channel wind
4576 | CVE-2025-11103 | 0.07% | 21.3 | 4.7 | | This vulnerability allows remote attackers to upload arbitrary files to the Projectworlds Online Tou
4577 | CVE-2025-55554 | 0.07% | 21.3 | 5.3 | | PyTorch v2.8.0 contains an integer overflow vulnerability in torch.nan_to_num-.long() that could all
4578 | CVE-2025-43814 | 0.07% | 21.2 | 6.5 | | This vulnerability allows remote authenticated users to view password reminder answers through audit
4579 | CVE-2025-59581 | 0.07% | 21.5 | 6.5 | | This CVE describes a Missing Authorization vulnerability in VW THEMES Ibtana WordPress plugin that a
4580 | CVE-2025-10765 | 0.07% | 21.3 | 4.7 | | This vulnerability allows remote attackers to perform server-side request forgery (SSRF) attacks aga
4581 | CVE-2025-10760 | 0.07% | 21.2 | 6.3 | | This CVE describes a server-side request forgery (SSRF) vulnerability in Harness 3.3.0 that allows a
4582 | CVE-2025-10741 | 0.07% | 21.2 | 6.3 | | This vulnerability in Selleo Mentingo allows attackers to upload arbitrary files via the Profile Pic
4583 | CVE-2025-12041 | 0.07% | 21.2 | 5.3 | | The ERI File Library WordPress plugin up to version 1.1.0 has an authorization bypass vulnerability
4584 | CVE-2025-12203 | 0.07% | 21.3 | 6.3 | | This CVE describes a path traversal vulnerability in givanz Vvveb CMS up to version 1.0.7.3. Attacke
4585 | CVE-2025-10694 | 0.07% | 21.2 | 5.3 | | This vulnerability allows unauthenticated attackers to access the User Feedback plugin's onboarding
4586 | CVE-2025-62648 | 0.07% | 21.4 | 6.4 | | This vulnerability in the Restaurant Brands International (RBI) assistant platform allows remote att
4587 | CVE-2025-59268 | 0.07% | 21.3 | 5.3 | | This vulnerability allows unauthenticated remote attackers to access undisclosed endpoints containin
4588 | CVE-2025-62358 | 0.07% | 21.5 | 5.4 | | CVE-2025-62358 is a reflected cross-site scripting (XSS) vulnerability in WeGIA web management softw
4589 | CVE-2025-60868 | 0.07% | 21.3 | 6.5 | | The Alt Redirect 1.6.3 addon for Statamic fails to properly sanitize query string parameters when th
4590 | CVE-2025-60314 | 0.07% | 21.3 | 5.4 | | Configuroweb Sistema Web de Inventario 1.0 has a stored XSS vulnerability in the product name parame
4591 | CVE-2025-11330 | 0.07% | 21.3 | 6.3 | | This SQL injection vulnerability in PHPGurukul Beauty Parlour Management System 1.1 allows attackers
4592 | CVE-2025-9914 | 0.07% | 21.4 | 4.3 | | This vulnerability allows attackers to use stored user credentials from the local database to gain u
4593 | CVE-2025-11320 | 0.07% | 21.2 | 6.3 | | This vulnerability allows remote attackers to upload arbitrary files without restrictions in the wis
4594 | CVE-2025-11272 | 0.07% | 21.3 | 5.4 | | This vulnerability in SeriaWei ZKEACMS allows unauthorized deletion of URL redirection entries throu
4595 | CVE-2025-53407 | 0.07% | 21.4 | 6.5 | | A format string vulnerability in QNAP operating systems allows attackers with administrator access t
4596 | CVE-2025-12778 | 0.07% | 21.2 | 5.3 | | This vulnerability allows unauthenticated attackers to extract partial metadata of all WordPress use
4597 | CVE-2025-12891 | 0.07% | 21.2 | 5.3 | | The Survey Maker WordPress plugin has an authentication bypass vulnerability that allows unauthentic
4598 | CVE-2025-12979 | 0.07% | 21.2 | 5.3 | | The Welcart e-Commerce plugin for WordPress has an authentication bypass vulnerability that allows u
4599 | CVE-2025-62453 | 0.07% | 21.5 | 5.0 | | This vulnerability allows an authorized attacker to bypass local security features in GitHub Copilot
4600 | CVE-2025-13013 | 0.07% | 21.2 | 6.1 | | This CVE describes a mitigation bypass vulnerability in the DOM: Core & HTML component of Mozilla pr

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
