Skip to content
Security & Trust

EPSS Extremes: Four Frameworks Above 90% Exploitation Probability

React, Magento, Laravel, and WordPress carry CVEs with near-certain exploitation scores

· 5 min read
Share on X LinkedIn
EPSS Extremes: Four Frameworks Above 90% Exploitation Probability

The Probability of Weaponization

The Exploit Prediction Scoring System calculates the probability that a given vulnerability will be exploited in the wild within 30 days. Maintained by FIRST.org, EPSS uses machine learning models trained on observed exploitation data, threat intelligence feeds, and vulnerability characteristics. A score of 0.90 means a 90% probability of active exploitation within the next month. Four web frameworks tracked by WebPulse carry at least one CVE at or above that threshold.

1.00 (maximum possible)
React max EPSS
Source: FIRST.org EPSS (June 2026)

React's EPSS score of 1.00 represents mathematical certainty in the model's assessment — a vulnerability that is being actively, continuously exploited. This reflects specific prototype pollution and supply-chain vectors in React's ecosystem rather than a flaw in the framework's core rendering architecture. But the distinction between core and ecosystem offers limited comfort to organizations whose production applications depend on both.

The High-EPSS Cohort

0.97
Magento max EPSS
Source: FIRST.org EPSS (June 2026)
0.92
Laravel max EPSS
Source: FIRST.org EPSS (June 2026)

Magento's 0.97 EPSS score reflects the framework's position as the primary target for e-commerce exploitation — payment card skimming, Magecart attacks, and credential harvesting campaigns that treat Magento installations as high-value targets. Laravel's 0.92 reflects specific remote code execution vectors that have entered active exploit kits. These are not theoretical vulnerabilities awaiting proof-of-concept code. They are components of ongoing campaigns.

0.91
WordPress max EPSS
Source: FIRST.org EPSS (June 2026)

WordPress at 0.91 rounds out the high-EPSS cohort. Given WordPress's 18,005 total CVEs, the notable finding is not that it carries a high-EPSS vulnerability but that its maximum EPSS score is lower than React's, Magento's, and Laravel's. WordPress's security challenges are driven by volume and plugin-ecosystem fragmentation rather than individual high-severity vectors.

The Zero-EPSS Divide

On the other side of the divide, seven frameworks carry no CVEs with elevated EPSS scores: Django, FastAPI, Hugo, Astro, Angular, Vue, and Next.js. This does not mean these frameworks have zero CVEs. It means that no vulnerability in their codebases has reached the exploitation probability threshold that triggers active campaign integration.

Django, FastAPI, Hugo, Astro, Angular, Vue, Next.js
Frameworks with zero high-EPSS CVEs
Source: FIRST.org EPSS (June 2026)

The gap between frameworks with EPSS above 0.90 and frameworks with zero high-EPSS entries is the gap between active targeting and theoretical exposure. Both groups have vulnerabilities. Only one group's vulnerabilities are being actively incorporated into exploit toolchains.

Reading the Signal

EPSS is a probability model, not a guarantee. But it is a model trained on real exploitation data, and its high-confidence predictions correlate with observed attack patterns. For organizations conducting framework evaluations, EPSS provides a forward-looking complement to the backward-looking KEV catalog. KEV tells you what has been exploited. EPSS tells you what is likely being exploited right now. Both signals point in the same direction: the security divide between web frameworks is not narrowing.

Share this insight