CVE Database

Exploit probability, severity and the exact fix — for the dependency CVEs developers actually search for. EPSS recomputed daily by FIRST.org.

Each page answers the three questions you actually have about a CVE: is it exploitable (EPSS), how bad is it (CVSS), and how do I fix it (the exact patched version). Then scan your own lockfile free.

• CVE-2026-26980: Ghost Content API SQL injection
  SQL Injection (unauthenticated database read) in ghost (npm) · EPSS 16.5% · fixed in 6.19.1
• CVE-2026-21877: n8n arbitrary-file-write RCE
  Remote Code Execution (arbitrary file write) in n8n (npm) · EPSS 5.3% · fixed in 1.121.3
• CVE-2026-21858: n8n unauthenticated file access
  Unauthenticated File Access (information disclosure) in n8n (npm) · EPSS 72.0% · fixed in 1.121.0
• CVE-2025-32965: xrpl.js supply-chain key theft
  Supply-Chain Compromise (malicious code / key exfiltration) in xrpl (npm) · EPSS 0.8% · fixed in 4.2.5 / 2.14.3
• CVE-2025-27607: python-json-logger dependency hijack
  Supply-Chain Risk (unclaimed optional dependency) in python-json-logger (PyPI) · EPSS 1.5% · fixed in 3.3.0
• CVE-2025-27520: BentoML pickle deserialization RCE
  Remote Code Execution (insecure deserialization) in bentoml (PyPI) · EPSS 43.7% · fixed in 1.4.3
• CVE-2025-11953: React Native CLI dev-server command injection
  OS Command Injection (Remote Code Execution) in @react-native-community/cli-server-api (npm) · EPSS 61.9% · fixed in 20.0.0
• CVE-2025-3248: Langflow code-validation RCE
  Unauthenticated Remote Code Execution (code injection) in langflow (PyPI) · EPSS 100.0% · fixed in 1.3.0
• CVE-2024-3094: xz/liblzma backdoor
  Supply-Chain Backdoor in xz-utils / liblzma (5.6.0, 5.6.1) (Linux distro) · EPSS 86.0% · fixed in downgrade to 5.4.x (or a patched distro build)
• CVE-2023-30861: Flask session cookie caching
  Sensitive Information Disclosure in flask (PyPI) · EPSS 1.2% · fixed in 2.3.2 / 2.2.5
• CVE-2022-40897: setuptools ReDoS
  Regular Expression Denial of Service (ReDoS) in setuptools (PyPI) · EPSS 2.6% · fixed in 65.5.1
• CVE-2022-22965: Spring4Shell
  Remote Code Execution (data binding) in org.springframework:spring-beans (Maven) · EPSS 99.7% · fixed in 5.3.18 / 5.2.20
• CVE-2021-44228: Log4Shell
  Remote Code Execution (JNDI/LDAP lookup injection) in org.apache.logging.log4j:log4j-core (Maven) · EPSS 100.0% · fixed in 2.17.1 (2.15.0 first patched the RCE)
• CVE-2021-33503: urllib3 ReDoS
  Regular Expression Denial of Service (ReDoS) in urllib3 (PyPI) · EPSS 3.3% · fixed in 1.26.5
• CVE-2021-23337: lodash command injection
  Command Injection (template) in lodash (npm) · EPSS 22.4% · fixed in 4.17.21
• CVE-2021-3749: axios ReDoS
  Regular Expression Denial of Service (ReDoS) in axios (npm) · EPSS 7.9% · fixed in 0.21.2
• CVE-2019-11358: jQuery prototype pollution
  Prototype Pollution in jquery (npm) · EPSS 87.2% · fixed in 3.4.0

Check your own project automatically

Don't eyeball every dependency by hand. VulnFeed reads your lockfile, checks it against the same advisory data, and ranks findings by EPSS — free, no signup (10 scans/day):

curl -s https://vulnfeed-api.novadyne.ai/vulnscan/query \
  -H 'content-type: application/json' \
  -d '{"ecosystem":"npm","package":"PKG","version":"VERSION"}'

Or run it inside Claude Code with no API key — uvx vulnfeed-mcp — and just ask "scan this project for vulnerabilities."