The Probability of Weaponization
The Exploit Prediction Scoring System calculates the probability that a given vulnerability will be exploited in the wild within 30 days. Maintained by FIRST.org, EPSS uses machine learning models trained on observed exploitation data, threat intelligence feeds, and vulnerability characteristics. A score of 0.90 means a 90% probability of active exploitation within the next month. Four web frameworks tracked by WebPulse carry at least one CVE at or above that threshold.
React's EPSS score of 1.00 represents mathematical certainty in the model's assessment — a vulnerability that is being actively, continuously exploited. This reflects specific prototype pollution and supply-chain vectors in React's ecosystem rather than a flaw in the framework's core rendering architecture. But the distinction between core and ecosystem offers limited comfort to organizations whose production applications depend on both.
The High-EPSS Cohort
Magento's 0.97 EPSS score reflects the framework's position as the primary target for e-commerce exploitation — payment card skimming, Magecart attacks, and credential harvesting campaigns that treat Magento installations as high-value targets. Laravel's 0.92 reflects specific remote code execution vectors that have entered active exploit kits. These are not theoretical vulnerabilities awaiting proof-of-concept code. They are components of ongoing campaigns.
WordPress at 0.91 rounds out the high-EPSS cohort. Given WordPress's 18,005 total CVEs, the notable finding is not that it carries a high-EPSS vulnerability but that its maximum EPSS score is lower than React's, Magento's, and Laravel's. WordPress's security challenges are driven by volume and plugin-ecosystem fragmentation rather than individual high-severity vectors.
The Zero-EPSS Divide
On the other side of the divide, seven frameworks carry no CVEs with elevated EPSS scores: Django, FastAPI, Hugo, Astro, Angular, Vue, and Next.js. This does not mean these frameworks have zero CVEs. It means that no vulnerability in their codebases has reached the exploitation probability threshold that triggers active campaign integration.
The gap between frameworks with EPSS above 0.90 and frameworks with zero high-EPSS entries is the gap between active targeting and theoretical exposure. Both groups have vulnerabilities. Only one group's vulnerabilities are being actively incorporated into exploit toolchains.
Reading the Signal
EPSS is a probability model, not a guarantee. But it is a model trained on real exploitation data, and its high-confidence predictions correlate with observed attack patterns. For organizations conducting framework evaluations, EPSS provides a forward-looking complement to the backward-looking KEV catalog. KEV tells you what has been exploited. EPSS tells you what is likely being exploited right now. Both signals point in the same direction: the security divide between web frameworks is not narrowing.


