Package Vulnerabilities by Ecosystem
10,770 CVE-affected open-source packages across 11 ecosystems, ranked by live CVE volume — 35,148 package-to-CVE mappings sourced from GHSA, NVD, and vendor advisories, with affected ranges and fixed versions. Each package links to its live CVE list, updated continuously as new vulnerabilities publish.
Java / JVM artifacts
Top 8 by CVE volume
- 1.org.jenkins-ci.main:jenkins-core249 CVEs
- 2.org.apache.tomcat:tomcat160 CVEs
- 3.com.liferay.portal:release.portal.bom159 CVEs
- 4.com.liferay.portal:release.dxp.bom125 CVEs
- 5.org.keycloak:keycloak-services79 CVEs
- 6.org.apache.tomcat.embed:tomcat-embed-core72 CVEs
- 7.com.fasterxml.jackson.core:jackson-databind69 CVEs
- 8.org.apache.struts:struts2-core60 CVEs
JavaScript / Node.js packages
Top 8 by CVE volume
- 1.openclaw298 CVEs
- 2.n8n62 CVEs
- 3.flowise58 CVEs
- 4.parse-server55 CVEs
- 5.directus53 CVEs
- 6.electron49 CVEs
- 7.nocodb44 CVEs
- 8.next42 CVEs
Python packages
Top 8 by CVE volume
- 1.tensorflow427 CVEs
- 2.tensorflow-cpu424 CVEs
- 3.tensorflow-gpu421 CVEs
- 4.django155 CVEs
- 5.apache-airflow129 CVEs
- 6.plone101 CVEs
- 7.open-webui98 CVEs
- 8.mlflow73 CVEs
Go modules
Top 8 by CVE volume
- 1.github.com/mattermost/mattermost-server245 CVEs
- 2.github.com/mattermost/mattermost/server/v8174 CVEs
- 3.github.com/mattermost/mattermost-server/v6173 CVEs
- 4.stdlib160 CVEs
- 5.github.com/mattermost/mattermost-server/v5150 CVEs
- 6.github.com/usememos/memos74 CVEs
- 7.github.com/grafana/grafana61 CVEs
- 8.github.com/hashicorp/vault55 CVEs
PHP / Composer packages
Top 8 by CVE volume
- 1.moodle/moodle435 CVEs
- 2.magento/community-edition353 CVEs
- 3.magento/project-community-edition161 CVEs
- 4.pimcore/pimcore124 CVEs
- 5.dolibarr/dolibarr123 CVEs
- 6.typo3/cms116 CVEs
- 7.drupal/core110 CVEs
- 8.phpmyadmin/phpmyadmin107 CVEs
Rust crates
Top 8 by CVE volume
- 1.coreutils44 CVEs
- 2.wasmtime36 CVEs
- 3.deno34 CVEs
- 4.openssl-src26 CVEs
- 5.rusqlite15 CVEs
- 6.apollo-router12 CVEs
- 7.openssl12 CVEs
- 8.russh11 CVEs
.NET packages
Top 8 by CVE volume
- 1.Microsoft.ChakraCore247 CVEs
- 2.Magick.NET-Q16-AnyCPU58 CVEs
- 3.Magick.NET-Q16-HDRI-AnyCPU58 CVEs
- 4.Magick.NET-Q16-HDRI-x8658 CVEs
- 5.Magick.NET-Q16-x8658 CVEs
- 6.Magick.NET-Q8-AnyCPU58 CVEs
- 7.Magick.NET-Q8-x8657 CVEs
- 8.Magick.NET-Q16-arm6455 CVEs
Ruby gems
Top 8 by CVE volume
- 1.actionpack61 CVEs
- 2.rack49 CVEs
- 3.nokogiri32 CVEs
- 4.rubygems-update25 CVEs
- 5.activerecord23 CVEs
- 6.puppet22 CVEs
- 7.publify_core15 CVEs
- 8.activesupport14 CVEs
Elixir / Erlang packages
Top 8 by CVE volume
- 1.hackney12 CVEs
- 2.bandit7 CVEs
- 3.cowlib5 CVEs
- 4.tesla5 CVEs
- 5.ash4 CVEs
- 6.grpc4 CVEs
- 7.mint4 CVEs
- 8.plug4 CVEs
Dart / Flutter packages
Top 8 by CVE volume
- 1.archive2 CVEs
- 2.agent_dart1 CVEs
- 3.dio1 CVEs
- 4.http1 CVEs
- 5.jose1 CVEs
- 6.personnummer1 CVEs
- 7.pubnub1 CVEs
- 8.serverpod_auth_server1 CVEs
Swift packages
Top 6 by CVE volume
- 1.github.com/pytorch/executorch6 CVEs
- 2.github.com/apple/swift-nio-http21 CVEs
- 3.github.com/facebook/zstd1 CVEs
- 4.github.com/mongodb/mongo-swift-driver1 CVEs
- 5.github.com/pubnub/swift1 CVEs
- 6.github.com/shareup/wasm-interpreter-apple1 CVEs
Which of these packages run in YOUR stack?
EchelonGraph inventories your dependencies across clouds and clusters, then correlates every package against live CVE intelligence — affected ranges, fixed versions, and blast radius in one graph.
Start Free Scan →