vulnfeedby Novadyne

EPSS-Ranked CVE Feed

A free, machine-readable ranking of high-impact open-source dependency CVEs by their live EPSS exploit-probability — the FIRST.org score, recomputed daily, that estimates how likely each vulnerability is to be exploited in the next 30 days. Pull it as JSON, cite it, or scan your own project against the same data.

Get the feed as JSON

The full ranking is a stable JSON endpoint — no key, no signup:

curl -s https://vulnfeed.novadyne.ai/feed/epss-top-cves.json

Each entry carries the CVE id, affected package and ecosystem, EPSS score + percentile (with the FIRST.org data date), CVSS vector, qualitative severity, and the exact fix version. This compiled EPSS ranking is free to use and cite with attribution to VulnFeed by Novadyne (https://vulnfeed.novadyne.ai). Underlying EPSS scores are produced by FIRST.org (https://www.first.org/epss/) and used under their open EPSS license; CVE metadata is public (NVD / OSV.dev).

Ranking (by EPSS exploit-probability)

#CVEEPSSPctlSeverityPackageFixed in
1CVE-2021-44228
Log4Shell
100.0%100Criticalorg.apache.logging.log4j:log4j-core
Maven
2.17.1 (2.15.0 first patched the RCE)
2CVE-2025-3248
Langflow code-validation RCE
100.0%100Criticallangflow
PyPI
1.3.0
3CVE-2022-22965
Spring4Shell
99.7%100Criticalorg.springframework:spring-beans
Maven
5.3.18 / 5.2.20
4CVE-2019-11358
jQuery prototype pollution
87.2%100Lowjquery
npm
3.4.0
5CVE-2024-3094
xz/liblzma backdoor
86.0%100Criticalxz-utils / liblzma (5.6.0, 5.6.1)
Linux distro
downgrade to 5.4.x (or a patched distro build)
6CVE-2026-21858
n8n unauthenticated file access
71.6%99Criticaln8n
npm
1.121.0
7CVE-2026-26980
Ghost Content API SQL injection
70.0%99Criticalghost
npm
6.19.1
8CVE-2025-11953
React Native CLI dev-server command injection
62.4%99Critical@react-native-community/cli-server-api
npm
20.0.0
9CVE-2025-27520
BentoML pickle deserialization RCE
35.9%98Criticalbentoml
PyPI
1.4.3
10CVE-2021-23337
lodash command injection
22.4%97Highlodash
npm
4.17.21
11CVE-2021-3749
axios ReDoS
8.5%94Mediumaxios
npm
0.21.2
12CVE-2026-21877
n8n arbitrary-file-write RCE
5.3%92Highn8n
npm
1.121.3
13CVE-2021-33503
urllib3 ReDoS
3.3%87Mediumurllib3
PyPI
1.26.5
14CVE-2022-40897
setuptools ReDoS
2.6%84Highsetuptools
PyPI
65.5.1
15CVE-2025-27607
python-json-logger dependency hijack
1.5%70Criticalpython-json-logger
PyPI
3.3.0
16CVE-2023-30861
Flask session cookie caching
1.3%66Mediumflask
PyPI
2.3.2 / 2.2.5
17CVE-2025-32965
xrpl.js supply-chain key theft
0.8%53Criticalxrpl
npm
4.2.5 / 2.14.3

Check your own project automatically

Don't eyeball every dependency by hand. VulnFeed reads your lockfile, checks it against the same advisory data, and ranks findings by EPSS — free, no signup (10 scans/day):

curl -s https://vulnfeed-api.novadyne.ai/vulnscan/query \
  -H 'content-type: application/json' \
  -d '{"ecosystem":"npm","package":"PKG","version":"VERSION"}'

Or run it inside Claude Code with no API key — uvx vulnfeed-mcp — and just ask "scan this project for vulnerabilities."

Data sources: exploit-probability (EPSS) from FIRST.org (recomputed daily; data shown as of 2026-07-08); CVSS from OSV.dev; CVE metadata from the National Vulnerability Database. Ranking compiled by VulnFeed (Novadyne). Free to use with attribution. Page generated 2026-07-08.