Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:
- CVEs with EPSS > 50%: 164
- CISA KEV listed: 156
- CVEs with an EPSS score: 35,468
- Average EPSS score: 0.7%
Rank | CVE ID | EPSS Score | Percentile | CVSS | Summary (truncated on the source page)
4601 | CVE-2025-12042 | 0.07% | 21.2 | 5.3 | The Course Booking System WordPress plugin allows unauthenticated attackers to directly access a CSV
4602 | CVE-2025-66412 | 0.07% | 21.2 | 5.4 | A stored cross-site scripting (XSS) vulnerability in Angular's template compiler allows attackers to
4603 | CVE-2025-66303 | 0.07% | 21.3 | 4.9 | A Denial of Service vulnerability in Grav allows attackers to disrupt the admin panel by submitting
4604 | CVE-2026-22796 | 0.07% | 21.5 | 5.3 | A type confusion vulnerability in OpenSSL's PKCS#7 signature verification allows attackers to cause
4605 | CVE-2026-22911 | 0.07% | 21.3 | 5.3 | This vulnerability exposes password hashes for system accounts within firmware update files. Remote
4606 | CVE-2024-35134 | 0.07% | 21 | 5.3 | IBM Analytics Content Hub 2.0 discloses sensitive technical error information to remote attackers vi
4607 | CVE-2024-57545 | 0.07% | 21.2 | 5.5 | A buffer overflow vulnerability exists in Linksys E8450 routers where the hidden_dhcp_num field is c
4608 | CVE-2024-57543 | 0.07% | 21.2 | 5.5 | A buffer overflow vulnerability exists in the Linksys E8450 router firmware where the dhcpstart_ip f
4609 | CVE-2025-22316 | 0.07% | 21 | 5.9 | This stored cross-site scripting (XSS) vulnerability in the WPBITS Addons For Elementor Page Builder
4610 | CVE-2025-0202 | 0.07% | 21 | 5.5 | A potential file inclusion vulnerability exists in TCS BaNCS 10 through the /REPORTS/REPORTS_SHOW_FI
4611 | CVE-2024-0392 | 0.07% | 21 | 5.4 | A Cross-Site Request Forgery (CSRF) vulnerability in WSO2 Enterprise Integrator 6.6.0 management con
4612 | CVE-2024-53543 | 0.07% | 21.1 | 5.4 | This SQL injection vulnerability in NovaCHRON Zeitsysteme Smart Time Plus allows attackers to execut
4613 | CVE-2024-37360 | 0.07% | 21.1 | 4.4 | This Cross-Site Scripting (XSS) vulnerability in Hitachi Vantara Pentaho Business Analytics Server a
4614 | CVE-2024-10322 | 0.07% | 21.1 | 6.4 | The Brizy Page Builder WordPress plugin has a stored XSS vulnerability that allows authenticated att
4615 | CVE-2024-12869 | 0.07% | 21 | 4.3 | This vulnerability in infiniflow/ragflow v0.12.0 allows authenticated users to view other users' inv
4616 | CVE-2025-39413 | 0.07% | 21.1 | 4.3 | This CVE describes a Missing Authorization vulnerability in the Simple Sitemap WordPress plugin that
4617 | CVE-2025-46232 | 0.07% | 21.1 | 4.3 | This CVE describes a missing authorization vulnerability in the Download Alt Text AI WordPress plugi
4618 | CVE-2024-47055 | 0.07% | 21.2 | 4.3 | This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Mautic's segment clon
4619 | CVE-2025-46176 | 0.07% | 21.2 | 6.5 | This vulnerability involves hardcoded credentials in the Telnet service of specific D-Link router mo
4620 | CVE-2025-20181 | 0.07% | 21 | 6.8 | This vulnerability allows authenticated local attackers with privilege level 15 or unauthenticated a
4621 | CVE-2025-6702 | 0.07% | 21 | 4.3 | This is a mass assignment vulnerability in Litemall 1.8.0 that allows unauthorized manipulation of a
4622 | CVE-2025-52897 | 0.07% | 21 | 6.5 | GLPI versions 9.1.0 through 10.0.18 contain a vulnerability in the planning feature that allows unau
4623 | CVE-2025-43216 | 0.07% | 21.2 | 6.5 | A use-after-free vulnerability in Apple's Safari browser and related WebKit components allows attack
4624 | CVE-2025-57217 | 0.07% | 21.1 | 5.3 | This CVE describes a stack buffer overflow vulnerability in Tenda AC10 routers that allows remote at
4625 | CVE-2025-8516 | 0.07% | 21.1 | 5.3 | This CVE describes a path traversal vulnerability in Kingdee Cloud-Starry-Sky Enterprise Edition tha
4626 | CVE-2025-60103 | 0.07% | 21 | 5.4 | This CVE describes a missing authorization vulnerability in the ListingPro WordPress plugin that all
4627 | CVE-2025-60097 | 0.07% | 21 | 5.4 | This CVE describes a missing authorization vulnerability in the TheGem WordPress theme that allows a
4628 | CVE-2025-60096 | 0.07% | 21 | 5.4 | This vulnerability allows attackers to bypass authorization controls in TheGem (Elementor) WordPress
4629 | CVE-2025-58672 | 0.07% | 21 | 5.4 | This vulnerability allows attackers to bypass authorization controls in WP User Frontend, potentiall
4630 | CVE-2025-58667 | 0.07% | 21 | 5.4 | This CVE describes a missing authorization vulnerability in the WordPress ListingPro Reviews plugin
4631 | CVE-2025-58660 | 0.07% | 21 | 5.4 | This CVE describes a Missing Authorization vulnerability in the Oshine Core WordPress plugin that al
4632 | CVE-2025-58650 | 0.07% | 21 | 5.4 | This CVE describes a missing authorization vulnerability in the All In One SEO Pack WordPress plugin
4633 | CVE-2025-57994 | 0.07% | 21 | 5.4 | This CVE describes an authorization bypass vulnerability in the Upcoming Events Lists WordPress plug
4634 | CVE-2025-57991 | 0.07% | 21 | 5.4 | This CVE describes a missing authorization vulnerability in the Clariti WordPress plugin that allows
4635 | CVE-2025-57990 | 0.07% | 21 | 5.4 | This CVE describes a Missing Authorization vulnerability in the Blog Designer WordPress plugin that
4636 | CVE-2025-57961 | 0.07% | 21 | 4.3 | This CVE describes a Missing Authorization vulnerability in Codexpert's CoDesigner WordPress plugin
4637 | CVE-2025-57949 | 0.07% | 21 | 5.4 | This CVE describes a missing authorization vulnerability in the Ongkoskirim.id WordPress plugin that
4638 | CVE-2025-61908 | 0.07% | 21 | 6.5 | This vulnerability in Icinga 2 allows any authenticated API user to crash the monitoring daemon by c
4639 | CVE-2025-8484 | 0.07% | 21 | 5.3 | The Code Quality Control Tool WordPress plugin versions 0.1 exposes sensitive information through pu
4640 | CVE-2025-35052 | 0.07% | 21.1 | 5.3 | Newforma Info Exchange (NIX) uses a hard-coded encryption key for query parameters, allowing attacke
4641 | CVE-2025-10645 | 0.07% | 21 | 5.3 | The WP Reset WordPress plugin exposes sensitive license keys and site data when debugging is enabled
4642 | CVE-2025-58584 | 0.07% | 21.1 | 5.3 | This vulnerability exposes authentication credentials transmitted via URL parameters, which can be u
4643 | CVE-2025-12848 | 0.07% | 21 | 6.1 | This CVE describes a cross-site scripting (XSS) vulnerability in the Webform Multiple File Upload mo
4644 | CVE-2025-59510 | 0.07% | 21.1 | 5.5 | This vulnerability in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker
4645 | CVE-2025-47179 | 0.07% | 21.2 | 6.7 | CVE-2025-47179 is an improper access control vulnerability in Microsoft Configuration Manager that a
4646 | CVE-2025-59301 | 0.07% | 21.1 | 4.0 | Delta Electronics DVP15MC11T programmable logic controllers lack proper validation of Modbus/TCP pac
4647 | CVE-2025-66174 | 0.07% | 21.2 | 6.5 | An improper authentication vulnerability in Hikvision DVR/NVR devices allows attackers with physical
4648 | CVE-2025-66451 | 0.07% | 21.1 | 6.5 | This vulnerability in LibreChat allows authenticated users to modify prompt groups in unintended way
4649 | CVE-2025-67485 | 0.07% | 21.1 | 5.3 | CVE-2025-67485 is a security bypass vulnerability in mad-proxy that allows attackers to circumvent H
4650 | CVE-2025-54353 | 0.07% | 21 | 5.4 | This CVE describes a cross-site scripting (XSS) vulnerability in Fortinet FortiSandbox that allows a

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
