EPSS-Ranked CVE Feed
A free, machine-readable ranking of high-impact open-source dependency CVEs by their live EPSS exploit-probability — the FIRST.org score, recomputed daily, that estimates how likely each vulnerability is to be exploited in the next 30 days. Pull it as JSON, cite it, or scan your own project against the same data.
Get the feed as JSON
The full ranking is a stable JSON endpoint — no key, no signup:
curl -s https://vulnfeed.novadyne.ai/feed/epss-top-cves.json
Each entry carries the CVE id, affected package and ecosystem, EPSS score + percentile (with the FIRST.org data date), CVSS vector, qualitative severity, and the exact fix version. This compiled EPSS ranking is free to use and cite with attribution to VulnFeed by Novadyne (https://vulnfeed.novadyne.ai). Underlying EPSS scores are produced by FIRST.org (https://www.first.org/epss/) and used under their open EPSS license; CVE metadata is public (NVD / OSV.dev).
Ranking (by EPSS exploit-probability)
| # | CVE | EPSS | Pctl | Severity | Package | Fixed in |
|---|---|---|---|---|---|---|
| 1 | CVE-2021-44228 Log4Shell | 100.0% | 100 | Critical | org.apache.logging.log4j:log4j-coreMaven | 2.17.1 (2.15.0 first patched the RCE) |
| 2 | CVE-2025-3248 Langflow code-validation RCE | 100.0% | 100 | Critical | langflowPyPI | 1.3.0 |
| 3 | CVE-2022-22965 Spring4Shell | 99.7% | 100 | Critical | org.springframework:spring-beansMaven | 5.3.18 / 5.2.20 |
| 4 | CVE-2019-11358 jQuery prototype pollution | 87.2% | 100 | Low | jquerynpm | 3.4.0 |
| 5 | CVE-2024-3094 xz/liblzma backdoor | 86.0% | 100 | Critical | xz-utils / liblzma (5.6.0, 5.6.1)Linux distro | downgrade to 5.4.x (or a patched distro build) |
| 6 | CVE-2026-21858 n8n unauthenticated file access | 71.6% | 99 | Critical | n8nnpm | 1.121.0 |
| 7 | CVE-2026-26980 Ghost Content API SQL injection | 70.0% | 99 | Critical | ghostnpm | 6.19.1 |
| 8 | CVE-2025-11953 React Native CLI dev-server command injection | 62.4% | 99 | Critical | @react-native-community/cli-server-apinpm | 20.0.0 |
| 9 | CVE-2025-27520 BentoML pickle deserialization RCE | 35.9% | 98 | Critical | bentomlPyPI | 1.4.3 |
| 10 | CVE-2021-23337 lodash command injection | 22.4% | 97 | High | lodashnpm | 4.17.21 |
| 11 | CVE-2021-3749 axios ReDoS | 8.5% | 94 | Medium | axiosnpm | 0.21.2 |
| 12 | CVE-2026-21877 n8n arbitrary-file-write RCE | 5.3% | 92 | High | n8nnpm | 1.121.3 |
| 13 | CVE-2021-33503 urllib3 ReDoS | 3.3% | 87 | Medium | urllib3PyPI | 1.26.5 |
| 14 | CVE-2022-40897 setuptools ReDoS | 2.6% | 84 | High | setuptoolsPyPI | 65.5.1 |
| 15 | CVE-2025-27607 python-json-logger dependency hijack | 1.5% | 70 | Critical | python-json-loggerPyPI | 3.3.0 |
| 16 | CVE-2023-30861 Flask session cookie caching | 1.3% | 66 | Medium | flaskPyPI | 2.3.2 / 2.2.5 |
| 17 | CVE-2025-32965 xrpl.js supply-chain key theft | 0.8% | 53 | Critical | xrplnpm | 4.2.5 / 2.14.3 |
Check your own project automatically
Don't eyeball every dependency by hand. VulnFeed reads your lockfile, checks it against the same advisory data, and ranks findings by EPSS — free, no signup (10 scans/day):
curl -s https://vulnfeed-api.novadyne.ai/vulnscan/query \
-H 'content-type: application/json' \
-d '{"ecosystem":"npm","package":"PKG","version":"VERSION"}'
Or run it inside Claude Code with no API key — uvx vulnfeed-mcp — and just ask "scan this project for vulnerabilities."
Data sources: exploit-probability (EPSS) from FIRST.org (recomputed daily; data shown as of 2026-07-08); CVSS from OSV.dev; CVE metadata from the National Vulnerability Database. Ranking compiled by VulnFeed (Novadyne). Free to use with attribution. Page generated 2026-07-08.