{
  "feed": "VulnFeed EPSS-ranked dependency CVE feed",
  "description": "Notable open-source dependency CVEs ranked by live EPSS exploit-probability (recomputed daily by FIRST.org), with CVSS severity, affected package and the exact fix version. Curated and compiled by VulnFeed (Novadyne).",
  "homepage": "https://vulnfeed.novadyne.ai/feed",
  "self": "https://vulnfeed.novadyne.ai/feed/epss-top-cves.json",
  "generated": "2026-07-08",
  "count": 17,
  "sources": {
    "epss": "https://www.first.org/epss/ (FIRST.org, recomputed daily)",
    "cvss": "https://osv.dev",
    "cve": "NVD / OSV.dev"
  },
  "license": "This compiled EPSS ranking is free to use and cite with attribution to VulnFeed by Novadyne (https://vulnfeed.novadyne.ai). Underlying EPSS scores are produced by FIRST.org (https://www.first.org/epss/) and used under their open EPSS license; CVE metadata is public (NVD / OSV.dev).",
  "cves": [
    {
      "rank": 1,
      "id": "CVE-2021-44228",
      "name": "Log4Shell",
      "package": "org.apache.logging.log4j:log4j-core",
      "ecosystem": "Maven",
      "kind": "Remote Code Execution (JNDI/LDAP lookup injection)",
      "severity": "Critical",
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "epss": 0.99999,
      "epss_percentile": 1.0,
      "epss_date": "2026-07-08",
      "fixed": "2.17.1 (2.15.0 first patched the RCE)",
      "url": "https://vulnfeed.novadyne.ai/cve/CVE-2021-44228"
    },
    {
      "rank": 2,
      "id": "CVE-2025-3248",
      "name": "Langflow code-validation RCE",
      "package": "langflow",
      "ecosystem": "PyPI",
      "kind": "Unauthenticated Remote Code Execution (code injection)",
      "severity": "Critical",
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "epss": 0.99972,
      "epss_percentile": 0.99978,
      "epss_date": "2026-07-08",
      "fixed": "1.3.0",
      "url": "https://vulnfeed.novadyne.ai/cve/CVE-2025-3248"
    },
    {
      "rank": 3,
      "id": "CVE-2022-22965",
      "name": "Spring4Shell",
      "package": "org.springframework:spring-beans",
      "ecosystem": "Maven",
      "kind": "Remote Code Execution (data binding)",
      "severity": "Critical",
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "epss": 0.99677,
      "epss_percentile": 0.99949,
      "epss_date": "2026-07-08",
      "fixed": "5.3.18 / 5.2.20",
      "url": "https://vulnfeed.novadyne.ai/cve/CVE-2022-22965"
    },
    {
      "rank": 4,
      "id": "CVE-2019-11358",
      "name": "jQuery prototype pollution",
      "package": "jquery",
      "ecosystem": "npm",
      "kind": "Prototype Pollution",
      "severity": "Low",
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "epss": 0.87218,
      "epss_percentile": 0.99729,
      "epss_date": "2026-07-08",
      "fixed": "3.4.0",
      "url": "https://vulnfeed.novadyne.ai/cve/CVE-2019-11358"
    },
    {
      "rank": 5,
      "id": "CVE-2024-3094",
      "name": "xz/liblzma backdoor",
      "package": "xz-utils / liblzma (5.6.0, 5.6.1)",
      "ecosystem": "Linux distro",
      "kind": "Supply-Chain Backdoor",
      "severity": "Critical",
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "epss": 0.85974,
      "epss_percentile": 0.99703,
      "epss_date": "2026-07-08",
      "fixed": "downgrade to 5.4.x (or a patched distro build)",
      "url": "https://vulnfeed.novadyne.ai/cve/CVE-2024-3094"
    },
    {
      "rank": 6,
      "id": "CVE-2026-21858",
      "name": "n8n unauthenticated file access",
      "package": "n8n",
      "ecosystem": "npm",
      "kind": "Unauthenticated File Access (information disclosure)",
      "severity": "Critical",
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
      "epss": 0.71647,
      "epss_percentile": 0.99344,
      "epss_date": "2026-07-08",
      "fixed": "1.121.0",
      "url": "https://vulnfeed.novadyne.ai/cve/CVE-2026-21858"
    },
    {
      "rank": 7,
      "id": "CVE-2026-26980",
      "name": "Ghost Content API SQL injection",
      "package": "ghost",
      "ecosystem": "npm",
      "kind": "SQL Injection (unauthenticated database read)",
      "severity": "Critical",
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "epss": 0.69996,
      "epss_percentile": 0.99295,
      "epss_date": "2026-07-08",
      "fixed": "6.19.1",
      "url": "https://vulnfeed.novadyne.ai/cve/CVE-2026-26980"
    },
    {
      "rank": 8,
      "id": "CVE-2025-11953",
      "name": "React Native CLI dev-server command injection",
      "package": "@react-native-community/cli-server-api",
      "ecosystem": "npm",
      "kind": "OS Command Injection (Remote Code Execution)",
      "severity": "Critical",
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "epss": 0.62378,
      "epss_percentile": 0.99082,
      "epss_date": "2026-07-08",
      "fixed": "20.0.0",
      "url": "https://vulnfeed.novadyne.ai/cve/CVE-2025-11953"
    },
    {
      "rank": 9,
      "id": "CVE-2025-27520",
      "name": "BentoML pickle deserialization RCE",
      "package": "bentoml",
      "ecosystem": "PyPI",
      "kind": "Remote Code Execution (insecure deserialization)",
      "severity": "Critical",
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "epss": 0.3592,
      "epss_percentile": 0.98276,
      "epss_date": "2026-07-08",
      "fixed": "1.4.3",
      "url": "https://vulnfeed.novadyne.ai/cve/CVE-2025-27520"
    },
    {
      "rank": 10,
      "id": "CVE-2021-23337",
      "name": "lodash command injection",
      "package": "lodash",
      "ecosystem": "npm",
      "kind": "Command Injection (template)",
      "severity": "High",
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "epss": 0.2241,
      "epss_percentile": 0.9741,
      "epss_date": "2026-07-08",
      "fixed": "4.17.21",
      "url": "https://vulnfeed.novadyne.ai/cve/CVE-2021-23337"
    },
    {
      "rank": 11,
      "id": "CVE-2021-3749",
      "name": "axios ReDoS",
      "package": "axios",
      "ecosystem": "npm",
      "kind": "Regular Expression Denial of Service (ReDoS)",
      "severity": "Medium",
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "epss": 0.08515,
      "epss_percentile": 0.94389,
      "epss_date": "2026-07-08",
      "fixed": "0.21.2",
      "url": "https://vulnfeed.novadyne.ai/cve/CVE-2021-3749"
    },
    {
      "rank": 12,
      "id": "CVE-2026-21877",
      "name": "n8n arbitrary-file-write RCE",
      "package": "n8n",
      "ecosystem": "npm",
      "kind": "Remote Code Execution (arbitrary file write)",
      "severity": "High",
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "epss": 0.05258,
      "epss_percentile": 0.91556,
      "epss_date": "2026-07-08",
      "fixed": "1.121.3",
      "url": "https://vulnfeed.novadyne.ai/cve/CVE-2026-21877"
    },
    {
      "rank": 13,
      "id": "CVE-2021-33503",
      "name": "urllib3 ReDoS",
      "package": "urllib3",
      "ecosystem": "PyPI",
      "kind": "Regular Expression Denial of Service (ReDoS)",
      "severity": "Medium",
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "epss": 0.03273,
      "epss_percentile": 0.86931,
      "epss_date": "2026-07-08",
      "fixed": "1.26.5",
      "url": "https://vulnfeed.novadyne.ai/cve/CVE-2021-33503"
    },
    {
      "rank": 14,
      "id": "CVE-2022-40897",
      "name": "setuptools ReDoS",
      "package": "setuptools",
      "ecosystem": "PyPI",
      "kind": "Regular Expression Denial of Service (ReDoS)",
      "severity": "High",
      "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "epss": 0.02617,
      "epss_percentile": 0.83592,
      "epss_date": "2026-07-08",
      "fixed": "65.5.1",
      "url": "https://vulnfeed.novadyne.ai/cve/CVE-2022-40897"
    },
    {
      "rank": 15,
      "id": "CVE-2025-27607",
      "name": "python-json-logger dependency hijack",
      "package": "python-json-logger",
      "ecosystem": "PyPI",
      "kind": "Supply-Chain Risk (unclaimed optional dependency)",
      "severity": "Critical",
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "epss": 0.01451,
      "epss_percentile": 0.70226,
      "epss_date": "2026-07-08",
      "fixed": "3.3.0",
      "url": "https://vulnfeed.novadyne.ai/cve/CVE-2025-27607"
    },
    {
      "rank": 16,
      "id": "CVE-2023-30861",
      "name": "Flask session cookie caching",
      "package": "flask",
      "ecosystem": "PyPI",
      "kind": "Sensitive Information Disclosure",
      "severity": "Medium",
      "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "epss": 0.01261,
      "epss_percentile": 0.66088,
      "epss_date": "2026-07-08",
      "fixed": "2.3.2 / 2.2.5",
      "url": "https://vulnfeed.novadyne.ai/cve/CVE-2023-30861"
    },
    {
      "rank": 17,
      "id": "CVE-2025-32965",
      "name": "xrpl.js supply-chain key theft",
      "package": "xrpl",
      "ecosystem": "npm",
      "kind": "Supply-Chain Compromise (malicious code / key exfiltration)",
      "severity": "Critical",
      "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "epss": 0.00818,
      "epss_percentile": 0.52742,
      "epss_date": "2026-07-08",
      "fixed": "4.2.5 / 2.14.3",
      "url": "https://vulnfeed.novadyne.ai/cve/CVE-2025-32965"
    }
  ]
}
