About this report
Packages are ranked by a composite risk score (0–100) combining: dependency blast radius (22%),
EPSS exploit probability (20%), betweenness centrality (15%), version lag (14%), CVSS severity (10%),
exploit maturity (8%), ecosystem popularity (7%), download count (2%), and exposure days (2%).
CVEs already resolved by distro backports are excluded via the Debian Security Tracker.
Data sources: OSV.dev, FIRST.org EPSS, NVD, CISA KEV, Repology.