Blog Posts

2025 CVE Data Review

2025 set a new baseline with 48,185 published CVEs. While the sheer volume is climbing, the median CVSS score remained surprisingly stable. We are seeing a distinct shift toward web application flaws (specifically in the CMS ecosystem) and a wider distribution of vendors, proving that vulnerabilities are spreading deeper into the supply chain.

This massive growth is exactly why I launched RogoLabs. I am building free tools like cve.icu (real-time tracking), cnascorecard.org (CNA performance), and cveforecast.org (predictive modeling) to ensure vulnerability data remains accessible and usable for the community.

The takeaway for engineers is simple: you can’t patch everything. With volume at this level, your only move is to ruthlessly prioritize based on exploitability and automate the rest.

TL;DR

In 2025, 48,185 CVEs were published, a 20.6% increase from 2024’s 39,962. The total number of CVEs since 1999 now stands at 308,920.

Note: All statistics in this report exclude rejected CVEs.

Key Statistics at a Glance

Metric | Value
Total CVEs in 2025 | 48,185
Year-over-Year Change | +20.6%
Critical Severity | 3,984
High Severity | 15,003
Average CVSS Score | 6.60
CVSS Coverage | 91.3%
CWE Coverage | 92.3%
Active CNAs | 365
Rejected CVEs (2025) | 1,787

Historical CVE Growth

The volume of published CVEs increased again in 2025, continuing the established upward trend.

[Figure: CVEs by Year]

Year-over-year growth fluctuates, but 2025’s 21% growth is significant compared to the previous year. This indicates that despite better tooling, the rate of discovery is outpacing our ability to remediate.

[Figure: Year-over-Year Growth]

The cumulative CVE count now exceeds 308,000.

[Figure: Cumulative Growth]

2025 Monthly Distribution

The data shows a variable rate of CVE publications throughout 2025. December exhibited the highest volume, totaling 5,500 CVEs. While December is traditionally quieter, 2025 saw an anomalous spike, with over 11% of the year’s total vulnerabilities disclosed in the final month alone.

[Figure: 2025 Monthly Distribution]

Publication Patterns by Day of Week

Analysis of CVE publication dates reveals distinct trends linked to vendor release cycles.

Tuesday remains the king of disclosure, with 11,754 CVEs, driven largely by the industry-standard “Patch Tuesday” release cadence. The drop-off is sharp: weekdays averaged 8,918 CVEs, while weekends averaged only 1,796. Security teams can generally expect the quietest period to be Sunday.


Busiest Days of 2025

The data shows significant clustering of CVE publications. The top day, February 26th, saw nearly 800 CVEs published in a single 24-hour window. These spikes create massive “risk windows” where security teams are flooded with data.

[Figure: Top Days]

Top 5 Busiest Days

Rank | Date | CVE Count
1 | 2025-02-26 | 793
2 | 2025-12-09 | 660
3 | 2025-12-24 | 494
4 | 2025-06-10 | 485
5 | 2025-01-14 | 478

Most Vulnerable Products

Beyond vendors, specific products exhibiting the highest number of CVEs in 2025:

[Figure: Top Products]

The data reveals that the Linux Kernel is the single product with the most vulnerabilities (3,649). However, context is vital here: this high number reflects the transparent, open-source nature of Kernel development where every fix is often assigned a CVE, unlike closed-source operating systems that may bundle fixes.

Top 5 Products

Rank | Product | CVE Count
1 | Linux Kernel | 3,649
2 | Windows 10 | 623
3 | Android | 509
4 | Adobe Experience Manager | 377
5 | macOS | 362

CVSS Score Analysis

The distribution of CVEs across the CVSS range in 2025 reveals trends in vulnerability severity.

[Figure: CVSS Distribution]

The average CVSS score for 2025 was 6.60, with a median of 6.50. This indicates a concentration of vulnerabilities in the medium severity range. We observed a substantial number of vulnerabilities scoring between 7.0 and 8.9, suggesting a significant attack surface requiring immediate attention.

Severity Breakdown

Severity | Count | Percentage
Critical | 3,984 | 8.3%
High | 15,003 | 31.1%
Medium | 25,551 | 53.0%
Low | 1,557 | 3.2%
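The day-of-week, busiest-day and severity figures above all come from the same two fields of a CVE record: its publication timestamp and its CVSS base score. The following is an added example (not the notebook code behind this review) that computes those statistics over a constructed set of records using only the Python standard library. The CVSS v3.x qualitative bands (Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0) are the standard ones; the "weekday average" is computed per weekday name, which is the comparison the review makes. The sample records and their dates are constructed.

```python
from collections import Counter
from datetime import datetime
from statistics import mean, median

WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")

# Constructed sample: (datePublished as it appears in a CVE record, CVSS base score, or
# None when no score was published). Dates are chosen so that 2025-02-26 is the busiest day.
SAMPLE_RECORDS = [
    ("2025-02-25T09:00:00Z", 8.8),
    ("2025-02-25T15:00:00Z", 6.1),
    ("2025-02-26T10:00:00Z", 9.8),
    ("2025-02-26T11:00:00Z", 7.5),
    ("2025-02-26T12:00:00Z", 5.4),
    ("2025-03-01T08:00:00Z", 3.1),
    ("2025-03-02T08:00:00Z", None),
    ("2025-03-04T09:00:00Z", 10.0),
    ("2025-03-04T09:30:00Z", 4.3),
    ("2025-03-06T23:59:59Z", 0.0),
]


def severity(score):
    """CVSS v3.x qualitative rating; 'Unscored' when the record carries no base score."""
    if score is None:
        return "Unscored"
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def publication_stats(records):
    """Day-of-week, busiest-day and severity breakdown for (datePublished, score) pairs."""
    by_date = Counter()
    by_weekday = {d: 0 for d in WEEKDAYS}   # pre-seed so quiet days still appear as 0
    by_severity = Counter()
    scores = []
    for published, score in records:
        # fromisoformat() on older Pythons does not accept a trailing "Z"; normalise it.
        ts = datetime.fromisoformat(published.replace("Z", "+00:00"))
        by_date[ts.date().isoformat()] += 1
        by_weekday[WEEKDAYS[ts.weekday()]] += 1
        by_severity[severity(score)] += 1
        if score is not None:
            scores.append(score)
    busiest_day, busiest_count = by_date.most_common(1)[0]
    return {
        "by_weekday": by_weekday,
        "busiest_day": (busiest_day, busiest_count),
        # Average per weekday name (Mon-Fri vs Sat-Sun), the comparison used in the review.
        "weekday_avg": sum(by_weekday[d] for d in WEEKDAYS[:5]) / 5,
        "weekend_avg": sum(by_weekday[d] for d in WEEKDAYS[5:]) / 2,
        "severity": dict(by_severity),
        "cvss_coverage": len(scores) / len(records),
        "avg_cvss": round(mean(scores), 2),
        "median_cvss": median(scores),
    }


if __name__ == "__main__":
    for key, value in publication_stats(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

On real data the input would be the `datePublished` field and the base score pulled from each record's metrics; the unscored bucket is what the 91.3% CVSS coverage figure above is measuring the complement of.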

CVSS Trends Over Time

[Figure: CVSS by Year]

Top Weakness Types (CWE)

I analyzed the prevalence of weakness types based on the Common Weakness Enumeration. The data from 2025 reveals the most frequently observed CWEs.

[Figure: Top CWEs]

The Web Application Crisis: The dominance of CWE-79 (Cross-Site Scripting) with over 8,000 entries is alarming. Despite XSS being a known issue for decades, it remains the most common vulnerability class. Combined with CWE-74 (Injection), CWE-862 (Missing Authorization), and CWE-89 (SQL Injection), web vulnerabilities account for a massive portion of the 2025 landscape.

Top 5 CWEs in 2025

Rank | CWE | Name | CVE Count
1 | CWE-79 | XSS | 8,207
2 | CWE-74 | Injection | 2,564
3 | CWE-862 | Missing Authorization | 2,224
4 | CWE-352 | CSRF | 1,894
5 | CWE-89 | SQL Injection | 1,706

CVE Numbering Authorities (CNAs)

The CVE Numbering Authority ecosystem has shifted dramatically. In previous years, major software vendors dominated this list. In 2025, we see the “WordPress Effect.”

[Figure: Top CNAs]

Patchstack and Wordfence—organizations dedicated to WordPress plugin security—are now top drivers of CVE volume. Patchstack (#1) alone assigned 7,007 CVEs, vastly outnumbering traditional giants like Microsoft (#6) or Google. This reflects the intense scrutiny on the third-party plugin ecosystem.

Top 5 CNAs in 2025

Rank | CNA | CVE Count
1 | Patchstack | 7,007
2 | VulDB | 5,902
3 | Linux | 5,686
4 | MITRE | 5,208
5 | Wordfence | 3,451

In total, 365 unique CNAs assigned CVEs in 2025.


Top Vendors

Which vendors had the most CVEs assigned to their products in 2025?

[Figure: Top Vendors]

The data shows Linux experienced the highest number of CVEs in 2025. This volume reflects its ubiquitous use and the rigorous reporting standards of the Kernel project. Microsoft and Adobe remain in the top 5, consistent with previous years, while Code-Projects (a platform for open-source code) and Apple round out the list.

Top 5 Vendors in 2025

Rank | Vendor | CVE Count
1 | Linux | 5,687
2 | Microsoft | 1,255
3 | Adobe | 829
4 | Code-Projects | 730
5 | Apple | 727

Data Quality

CVE records exhibit varying degrees of completeness. The 2025 data indicates trends in metadata availability.

[Figure: Data Quality]

While CVSS and CWE coverage remains high (>90%), the lag in CPE identifiers (57.6%) is a concern for automated matching tools that rely on accurate product identifiers to alert users.

2025 Data Quality Metrics

Metric | Coverage
CVSS Score | 91.3%
CWE Classification | 92.3%
CPE Identifiers | 57.6%

Rejected CVEs

Not all CVE IDs remain active. Some are rejected due to duplicates, disputes, or invalid submissions.

[Figure: Rejected CVEs]

The number of rejected CVEs in 2025 remained consistent with 2024 figures, hovering around 1,787. This represents a 3.58% rejection rate, suggesting a relatively stable signal-to-noise ratio in the ecosystem.

2025 Rejection Statistics

Metric | Value
Rejected CVEs in 2025 | 1,787
2025 Rejection Rate | 3.58%
Total Rejected (All Time) | 16,357

Conclusions

In 2025, the volume of reported vulnerabilities hit an all-time high, demanding continuous vigilance.

The “WordPress Effect” is the most significant trend of the year. With Patchstack and Wordfence accounting for over 10,000 combined CVEs, the sheer volume of vulnerabilities has shifted from “Core OS” issues to “Third-Party Plugin” issues. For security teams, this means your threat model must aggressively account for unvetted plugins and extensions.

Linux remains the most reported vendor, but this is a feature of open source transparency, not necessarily insecurity. Teams should focus on hardening Linux environments and ensuring they have visibility into the specific kernel modules they are running.

Finally, the dominance of CWE-79 (XSS) proves that secure coding practices are still not being effectively implemented at the development stage. Regular security assessments and aggressive input validation remain critical.

Key Takeaways from 2025

  1. Volume continues to grow: With 48,185 CVEs, 2025 set a new record in vulnerability disclosures.
  2. CNAs have shifted: WordPress security firms (Patchstack, Wordfence) now out-publish major tech giants like Microsoft and Google.
  3. Severity remains concerning: 18,987 CVEs (39.4%) were rated Critical or High severity.
  4. Old bugs die hard: XSS (CWE-79) and Injection (CWE-74) continue to dominate the weakness landscape.
  5. Data quality challenges: While improving, a significant portion of CVEs still lack complete CPE data, complicating automated matching.

Methodology

This analysis uses two primary data sources:

  1. NVD JSON – National Vulnerability Database export from nvd.handsonhacking.org
  2. CVE List V5 – Official CVE records from GitHub CVEProject/cvelistV5

All graphs and statistics were generated using Python with pandas and matplotlib.


Thank you for reading the 2025 CVE Data Review!

Data collected and analyzed on January 01, 2026.

A New Era of Transparency for CVE Data Quality

I’m incredibly excited to finally share something I’ve been pouring my heart into at RogoLabs. For those of you who caught my talk at BSidesLV, you got a sneak peek, but today it’s official: CNAScorecard.org is live!

For years, the CVE program has been our shared language for identifying vulnerabilities. But lately, we’ve all felt the growing pains. We’re seeing more CVEs with incomplete, vague, or missing data. This isn’t just a small problem; it’s a huge one that leads to alert fatigue, slow response times, and automated tools that simply can’t do their jobs.

The recent NVD backlog shined a spotlight on this issue. Thousands of CVEs were left unanalyzed, lacking critical CVSS scores and CPE data. The truth is, the responsibility for data enrichment has shifted back to the CVE Numbering Authorities (CNAs), and many simply haven’t been providing this level of detail for over a decade.

This is precisely the challenge RogoLabs was created to solve. Moving beyond just counting vulnerabilities and focusing on measuring the quality and completeness of that data. CNAScorecard.org is a core part of this mission, alongside my other projects like CVE.icu, a platform for exploring vulnerability data, and CVEForecast.org, an open-source tool that predicts annual CVE volume.

The Four Pillars of a Truly Useful CVE

A CVE needs more than a basic ID to be actionable. It needs solid information across four key pillars:

  • The Weakness (CWE): This identifies the root cause of the vulnerability (e.g., SQL Injection), helping us understand why it exists.
  • The Product (CPE): This is how we precisely identify affected software (e.g., cpe:/a:apache:http_server:2.4.54). Without a complete CPE, your scanners are flying blind. In 2024 alone, more than 14,000 CVEs were published without a CPE—more than the previous four years combined.
  • The Severity (CVSS): This gives you a score (0.0-10.0) to prioritize a vulnerability. Without it, you’re left guessing which issues to tackle first.
  • The Fix (Patch Info): The ultimate goal is to fix vulnerabilities. A CVE without a clear path to a solution—like a vendor advisory, patch link, or code commit—is just a problem statement, not a solution.

Introducing CNAScorecard.org

The old saying holds true: you can’t improve what you don’t measure. CNAScorecard.org is a public, data-driven scorecard for every CVE Numbering Authority. It gives us the objective measurement we need to demand better data across the board and helps you identify which sources you can truly trust.

The system is open-source, updates every six hours, and focuses on the last six months of CVE data to keep the information current. It scores CVE records against the four pillars, rolling those scores up into an overall quality grade for each CNA.
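To make the "score each record against the four pillars, then roll up per CNA" idea concrete, here is an added example, written for this page and not the CNAScorecard.org code itself (its exact scoring rules are not reproduced here). It also covers the CVSS/CWE/CPE coverage metrics in the 2025 review above. It walks a CVE JSON 5.x-style record, checking the CNA container and any ADP containers, and reports which pillars are satisfied. Assumptions to note: the field paths (`containers.cna.problemTypes[].descriptions[].cweId`, `metrics[].cvssV3_1.baseScore`, `affected[].cpes`, `references[].tags`) follow my reading of the CVE 5.1 schema; treating the `patch` and `vendor-advisory` reference tags as "a path to a fix" is my own criterion; the `overall` figure is a plain mean, not CNAScorecard's grade; and the records, vendor names and CVE IDs are constructed placeholders.

```python
import re
from statistics import mean

CWE_RE = re.compile(r"^CWE-\d+$")
# Reference tags treated as "a path to a fix" (my criterion, not CNAScorecard's published rule).
FIX_TAGS = {"patch", "vendor-advisory"}
PILLARS = ("foundational", "cwe", "cvss", "cpe", "patch")


def make_record(cve_id, *, cwe=None, score=None, cpe=None, ref_tags=(),
                adp_score=None, adp_cpe=None):
    """Build a constructed CVE JSON 5.x-shaped record (field layout is an assumption)."""
    affected = {"vendor": "ExampleVendor", "product": "ExampleApp",
                "versions": [{"version": "1.0", "status": "affected"}]}
    if cpe:
        affected["cpes"] = [cpe]
    cna = {"descriptions": [{"lang": "en", "value": "Constructed description."}],
           "affected": [affected],
           "references": [{"url": "https://example.invalid/ref", "tags": list(ref_tags)}]}
    if cwe:
        cna["problemTypes"] = [{"descriptions": [
            {"lang": "en", "type": "CWE", "cweId": cwe, "description": cwe}]}]
    if score is not None:
        cna["metrics"] = [{"cvssV3_1": {"version": "3.1", "baseScore": score}}]
    adp = []
    if adp_score is not None or adp_cpe:   # enrichment supplied by an ADP, not the CNA
        cont = {"title": "constructed ADP container"}
        if adp_score is not None:
            cont["metrics"] = [{"cvssV3_1": {"version": "3.1", "baseScore": adp_score}}]
        if adp_cpe:
            cont["affected"] = [{"vendor": "ExampleVendor", "product": "ExampleApp",
                                 "cpes": [adp_cpe]}]
        adp.append(cont)
    return {"cveMetadata": {"cveId": cve_id, "state": "PUBLISHED"},
            "containers": {"cna": cna, "adp": adp}}


# Constructed sample: one complete record, one bare record, one enriched only by an ADP.
SAMPLE_RECORDS = [
    make_record("CVE-0000-00001", cwe="CWE-79", score=6.1,
                cpe="cpe:2.3:a:examplevendor:exampleapp:1.0:*:*:*:*:*:*:*",
                ref_tags=("vendor-advisory", "patch")),
    make_record("CVE-0000-00002"),
    make_record("CVE-0000-00003", cwe="CWE-89", adp_score=9.8,
                adp_cpe="cpe:2.3:a:examplevendor:exampleapp:1.0:*:*:*:*:*:*:*"),
]


def _containers(record):
    """Yield the CNA container, then any ADP containers."""
    containers = record.get("containers", {})
    if "cna" in containers:
        yield containers["cna"]
    yield from containers.get("adp", [])


def score_record(record):
    """Return which pillars a record satisfies, counting CNA and ADP data alike."""
    meta = record.get("cveMetadata", {})
    cna = record.get("containers", {}).get("cna", {})
    result = {p: False for p in PILLARS}
    result["cve_id"] = meta.get("cveId")
    result["foundational"] = bool(meta.get("cveId")) and bool(cna.get("descriptions")) and any(
        a.get("vendor") and a.get("product") for a in cna.get("affected", []))
    for cont in _containers(record):
        for pt in cont.get("problemTypes", []):
            if any(CWE_RE.match(d.get("cweId", "")) for d in pt.get("descriptions", [])):
                result["cwe"] = True
        for metric in cont.get("metrics", []):
            for key, val in metric.items():   # cvssV3_1, cvssV4_0, ... keyed by version
                if key.startswith("cvssV") and isinstance(val, dict) \
                        and isinstance(val.get("baseScore"), (int, float)):
                    result["cvss"] = True
        if any(a.get("cpes") for a in cont.get("affected", [])):
            result["cpe"] = True
        if any(FIX_TAGS & set(ref.get("tags", [])) for ref in cont.get("references", [])):
            result["patch"] = True
    return result


def pillar_coverage(records):
    """Per-pillar coverage (%) across a CNA's records, plus a plain mean as an overall score."""
    scored = [score_record(r) for r in records]
    if not scored:
        return {}
    cov = {p: round(100.0 * sum(s[p] for s in scored) / len(scored), 1) for p in PILLARS}
    cov["overall"] = round(mean(cov[p] for p in PILLARS), 1)
    return cov


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(score_record(rec))
    print(pillar_coverage(SAMPLE_RECORDS))
```

The third sample record is the interesting case for the data-quality discussion above: its CNA shipped no CVSS score and no CPE, and it only passes those pillars because an ADP container filled them in. A scorer that wants to grade the CNA alone would iterate over `containers.cna` only; a scorer that wants to know whether the record is usable downstream should look at both, as this one does.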

A Look at the Initial Data

The first results are eye-opening:

  • Foundational Completeness: 100.0%
  • Root Cause Analysis (CWE): 87.4%
  • Severity & Impact (CVSS): 88.4%
  • Software Identification (CPE): 2.0%
  • Patch Information: 4.8%

These low scores for CPE and patch links highlight a critical problem. They lead to impaired automation, endless manual research, and inaccurate reporting for security teams everywhere.

How This Helps You

CNAScorecard.org is designed to empower everyone in the security community.

  • For Defenders: Use these scores to quickly identify and act on complete CVEs. The CNA grades are a powerful trust metric for evaluating your vendors.
  • For CNAs: This is a clear benchmark to see how your disclosure processes stack up against your peers. It’s a roadmap for improvement, showing you exactly where you can enhance your data quality. High-quality disclosure is a key driver of customer trust.
  • For the Ecosystem: We’re providing a continuously updated, public metric for the health of the CVE program. This brings much-needed accountability to a federated system.

Get Involved

This project isn’t just about a website; it’s about building a better, more transparent future for vulnerability management. Every line of code, every data point, and every score on CNAScorecard.org is part of a larger mission to improve the CVE ecosystem for everyone. With the right tools and a collaborative community, we can solve the challenges facing our industry.

The entire codebase is available on GitHub, and we’d love for you to contribute, provide feedback, or use it to build your own solutions.

Vegas Bound for Security Summer Camp!

It’s that time of year again! The first week of August means my annual trip to the desert for “Security Summer Camp”—the whirlwind of BSides Las Vegas, Black Hat, and DEF CON. It’s always an exhausting but amazing week, and I can’t wait to dive in, catch up with everyone, and talk about what I’ve been working on.

This year, I’m excited to be giving two talks that dig into the weeds of the CVE ecosystem.

My Talks in Vegas

I’ll be on stage at both BSidesLV and the AppSec Village at DEF CON.

Event: BSides Las Vegas
Talk title: “The Art of Concealment: CVE’s Challenge with Transparency”
The gist: A 20-minute dive into the “broken promise” of the CVE system. I’ll break down the four pillars of an actionable CVE (Weakness, Product, Severity, Fix) and show how incomplete data is breaking our automated tools. I’ll also introduce CNAScoreCard.org, a new RogoLabs project to bring transparency and accountability to the ecosystem by measuring data quality.
When & where: Tues, Aug 5 @ 2:30 PM at the Tuscany Suites & Casino

Event: AppSec Village at DEF CON 33
Talk title: “CVE Crisis: Navigating the Post-NVD Monolith Era”
The gist: A look at the bigger picture of our strained disclosure ecosystem now that the NVD is no longer the single source of truth. With the institutional power shifting to CISA, I’ll cover how to navigate this new fragmented landscape by integrating multiple intelligence sources (CISA KEV, open-source, commercial feeds) and moving to a true risk-based vulnerability management model.
When & where: Friday Afternoon, Aug 8 at the AppSec Village

Let’s Connect

The best part of this week is always the people. I’m genuinely looking forward to connecting, hearing what you’re working on, and trading stories from the trenches.

My passion project, RogoLabs, is all about bringing clarity to vulnerability intelligence through open-source tools like CVE.ICU. To celebrate that, I’ll have some of the very first-run RogoLabs stickers with me.

If you see me, please say hello! I’d love to chat about CVEs, vulnerability management, or anything else. Find me after one of my talks or just flag me down in the hallway.

You can find me on bsky, Twitter, or Mastodon (infosec.exchange) as @jgamblin or learn more about my work at RogoLabs.net.

See you in Vegas!

2024 CVE Data Review

2024 brought unprecedented growth in CVE data, so I figured it would be appropriate to start the new year by exploring these statistics and highlighting some of the more intriguing data points.

CVEs By The Numbers

We ended 2024 with 40,009 published CVEs, up over 38% from the 28,818 CVEs published in 2023.

  • On average, 108 CVEs were published each day.
  • May had the highest number of CVEs released, totaling 5,010 or 12.5% of all CVEs for the year.
  • Tuesdays emerged as the leading publishing days, accounting for 9,706 CVEs, or 24.3% of published CVEs.
  • May 3rd recorded the most CVEs released in a single day, with 824.

CVEs By Month

Month | CVEs | Percentage
January | 2,593 | 6.5
February | 2,778 | 6.9
March | 3,310 | 8.3
April | 3,622 | 9.1
May | 5,010 | 12.5
June | 3,080 | 7.7
July | 3,124 | 7.8
August | 2,900 | 7.2
September | 2,522 | 6.3
October | 3,573 | 8.9
November | 4,058 | 10.1
December | 3,439 | 8.6

CVEs By Day Of The Week

Day | CVEs | Percentage
Monday | 6,449 | 16.1
Tuesday | 9,706 | 24.3
Wednesday | 7,143 | 17.9
Thursday | 6,321 | 15.8
Friday | 7,100 | 17.7
Saturday | 1,858 | 4.6
Sunday | 1,432 | 3.6

Top 10 CVE Publishing Days

Date | CVEs
5/3/24 | 845
5/14/24 | 824
7/9/24 | 471
5/21/24 | 436
10/21/24 | 436
11/22/24 | 385
4/9/24 | 384
11/19/24 | 383
12/12/24 | 341
11/12/24 | 333

CVE Growth

For the seventh consecutive year since 2017, we witnessed a record high of 40,009 CVEs published, marking a 38.83% increase from 2023. This means that 15.32% of all CVEs released occurred in the previous year.

CVE CVSS Scores

The Common Vulnerability Scoring System (CVSS) offers a way to capture the key characteristics of a vulnerability and generate a numerical score that ranges from 0.0 to 10.0, reflecting its severity. This year, the average CVSS score was 6.67.

A total of 231 vulnerabilities achieved a “perfect” score of 10.0.

CVE-2024-2365 recorded the lowest published CVSS score of 1.6.

CPE

Common Platform Enumeration (CPE) is a systematic naming convention for IT systems, software, and packages that facilitates identifying vulnerable software listed in a CVE.

This year, 19,807 distinct CPEs were recorded in CVEs, with the most prevalent being cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*, which was referenced 8,093 times.

CVE-2024-20433, related to a vulnerability in the Resource Reservation Protocol (RSVP) feature of Cisco IOS Software and Cisco IOS XE Software, has the highest number of CPEs at 2,434 unique, vulnerable configurations.
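The "distinct CPEs", "most referenced CPE" and "CVE with the most CPEs" figures above depend on parsing CPE 2.3 formatted strings correctly, which is less trivial than `split(":")` because the binding escapes colons and other special characters with a backslash. The following is an added example (not the notebook code behind this review) with a parser that honours those escapes, validates the 13-field layout, and computes the three statistics over a constructed CVE-to-CPE mapping. The CVE IDs are placeholders and the Cisco version numbers are made up; the Linux kernel and Android CPE strings are the ones quoted on this page.

```python
from collections import Counter

# Attribute names of the 11 components that follow "cpe:2.3:" in a formatted string.
CPE_ATTRS = ("part", "vendor", "product", "version", "update", "edition", "language",
             "sw_edition", "target_sw", "target_hw", "other")

# Constructed mapping of CVE ID (placeholder IDs) -> CPE strings the record applies to.
SAMPLE_CVE_CPES = {
    "CVE-0000-00001": ["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"],
    "CVE-0000-00002": ["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                       "cpe:2.3:o:google:android:12.0:*:*:*:*:*:*:*"],
    "CVE-0000-00003": ["cpe:2.3:o:cisco:ios:15.1:*:*:*:*:*:*:*",
                       "cpe:2.3:o:cisco:ios:15.2:*:*:*:*:*:*:*",
                       "cpe:2.3:o:cisco:ios_xe:17.3:*:*:*:*:*:*:*",
                       "cpe:2.3:o:cisco:ios_xe:17.4:*:*:*:*:*:*:*"],
}


def split_cpe23(cpe):
    """Split on colons that are not backslash-escaped (the formatted-string binding escapes ':')."""
    fields, buf, i = [], [], 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):
            buf.append(cpe[i:i + 2])   # keep the escape sequence intact
            i += 2
            continue
        if cpe[i] == ":":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(cpe[i])
        i += 1
    fields.append("".join(buf))
    return fields


def parse_cpe23(cpe):
    """Return the 11 named components of a CPE 2.3 formatted string, or raise ValueError."""
    fields = split_cpe23(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    if fields[2] not in ("a", "o", "h", "*", "-"):   # application, OS, hardware, ANY, NA
        raise ValueError(f"bad part component in {cpe!r}")
    return dict(zip(CPE_ATTRS, fields[2:]))


def is_valid_cpe23(cpe):
    """Boolean wrapper around parse_cpe23 for filtering feeds before matching."""
    try:
        parse_cpe23(cpe)
        return True
    except ValueError:
        return False


def cpe_stats(cve_to_cpes):
    """Distinct CPE count, most-referenced CPE, and the CVE with the widest configuration set."""
    counter = Counter()
    for cpes in cve_to_cpes.values():
        for cpe in set(cpes):       # count each CPE once per CVE
            parse_cpe23(cpe)        # refuse to count a malformed identifier
            counter[cpe] += 1
    most_common, n = counter.most_common(1)[0]
    widest_id, widest_cpes = max(cve_to_cpes.items(), key=lambda kv: len(set(kv[1])))
    return {"distinct_cpes": len(counter),
            "most_common": (most_common, n),
            "widest_cve": (widest_id, len(set(widest_cpes)))}


if __name__ == "__main__":
    print(parse_cpe23(SAMPLE_CVE_CPES["CVE-0000-00001"][0]))
    print(cpe_stats(SAMPLE_CVE_CPES))
```

Rejecting malformed strings instead of counting them is the point for anyone building a matcher: a CPE that fails to parse will never match an inventory entry, so it is exactly the kind of data-quality gap the CPE coverage numbers on this page are tracking.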

CNA

CVE Numbering Authorities (CNAs) consist of software vendors, open-source projects, coordination centers, bug bounty service providers, hosted services, and research groups that the CVE Program authorizes to assign CVE IDs to vulnerabilities and publish CVE Records within their designated scopes of coverage.

There are 433 CNAs, and 350 of them have published at least one CVE this year.

The Top 5 CNAs last year were:

CNA | Published CVEs | Overall Percentage
Patchstack | 4,566 | 11.41
Kernel.org | 4,325 | 10.81
Wordfence | 3,525 | 8.81
Vuldb | 2,936 | 7.34
Github | 2,121 | 5.3

The top five CNAs this year were specifically established to report CVEs for open-source projects (VulDB, Kernel.org, and GitHub) or WordPress plugins (Patchstack and Wordfence). These five CNAs published 17,473 CVEs, accounting for 43.67% of all CVEs this year.

CWE

CWE is a community-developed list of software and hardware weakness types. It serves as a common language, a benchmark for security tools, and a foundation for identifying, mitigating, and preventing weaknesses.

There are 940 CWEs, and 237 were assigned to CVEs this year. CWE-79 was the most assigned CWE and was assigned 6,227 times, or 15.56% of all CVEs. NVD didn’t assign a CWE (NVD-CWE-noinfo or Missing_Data) 6,292 times or 15.73% of all CVEs.

Notes

695 Rejected CVEs have been removed from the dataset this year.

This GitHub repository contains Jupyter notebooks with all the data and visualizations utilized in this blog.

CVE.ICU is an open-source project that I manage, tracking most of the aforementioned data points in real-time throughout the year, should you wish to stay updated with the data.

Celebrating 25 Years of CVEs

The Common Vulnerabilities and Exposures (CVE) program, launched in late October 1999, has not only marked its presence but has become a pivotal force in shaping how we perceive and manage cybersecurity threats.

A Journey Through Time

The CVE program emerged as a beacon, standardizing how vulnerabilities are identified, shared, and mitigated. From its inception with just 321 entries, it has ballooned to over 240,000 records, showcasing a remarkable evolution from simple bug tracking to a sophisticated vulnerability management system.

The Impact of CVE

Over these 25 years, CVE has revolutionized cybersecurity:

  • Global Collaboration: CVE’s framework has fostered an international community where vulnerabilities are reported and collaboratively addressed. This spirit of sharing knowledge has directly contributed to enhanced global cyber resilience.
  • Standardization: Before CVE, describing a vulnerability could vary wildly, leading to confusion and missed patches. Now, a CVE identifier provides a universal language, ensuring that everyone is on the same page when a vulnerability is mentioned.
  • Proactive Defense: By cataloging vulnerabilities, CVE allows for proactive patching and mitigation strategies, turning reactive cybersecurity into a more predictive and preventive practice.

Celebrating Milestones

This anniversary isn’t just about numbers; it’s about milestones:

  • Growth: From a nascent project to a mammoth database, CVE’s growth mirrors the expansion of the internet itself.
  • Community: Over 400 CVE Numbering Authorities (CNAs) across 40 countries now contribute, showcasing a vibrant, global effort in cybersecurity.
  • Innovation: The program has not just adapted but led with innovations like the integration with other standards bodies, enhancing its reach and effectiveness.

Looking Ahead

As we celebrate, we also look to the future. Cybersecurity is an ever-evolving battlefield, with new technologies like AI, IoT, and quantum computing on the horizon. CVE’s role will only grow, adapting to these changes and ensuring that as the digital landscape expands, so will our ability to secure it.

Conclusion

The 25th anniversary of the CVE program is more than a celebration; it reflects how far we’ve come in fortifying our digital lives. Here’s to the CVE program for identifying vulnerabilities and empowering us all to build, innovate, and connect with greater confidence in our digital future. Here’s to another 25 years of vigilance, innovation, and collaboration in cybersecurity.

Who Is Going To Enrich CVEs?

The Last 100+ Days

The NVD posted the notice below on its webpage in mid-February. Since then, nearly 13,000 CVEs have not been enriched with CWE, CVSS, and CPE data.

The vulnerability management community was told that it would be addressed at Vulncon this year. At the conference, we were told the enrichment would restart “in the next couple of days” and that a “consortium was being founded” to help guide the NVD. I left hopeful about the NVD’s future and tried hard to present a positive outlook. I spent time defending NVD as the source of the truth at work and in the community, waiting for the enrichment to continue, and closely tracking the backlog as it grew.

I patiently waited for an announcement about the consortium and for the enrichment of CVEs to start again. Neither happened (The NVD did analyze 167 CVEs in April, but 120 CVEs per day were published). On April 25th, the NVD posted an update saying it was still committed to enriching CVEs.

At RSAC in May, CISA announced they would start a program called Vulnrichment and enrich all CVEs that a CNA did not. They have started publishing CVE data they produced in a GitHub Repository and will start publishing it directly to CVE records as an Authorized Data Publisher (ADP). A week ago, I sat through a CVE Automation Working Group meeting where they walked through the plan, and I was once again hopeful that this would help alleviate the backlog of CVEs needing enrichment and make their ADP the new source of truth for enrichment data. I started sharing this information and advising people that they would need to update their products to use the new CVE 5.1 Schema to ingest this data.

Yesterday, the NVD posted an announcement on its website stating that it had awarded a contract for additional processing support. The additional support would allow them to return to the processing rates they maintained before February 2024 within the next few months. They will work with CISA to eliminate the backlog by September 30th.

So, Who Is Going To Enrich CVEs?

In the last 100 days, I have spent a lot of professional equity telling people:

  • We Will Know After Vulncon.
  • NVD Announced They Will Start Enriching CVEs In A Few Days.
  • I Don’t know What Is Going On With NVD.
  • CISA Announced They Are Doing Vulnrichment.
  • NVD Announced They Will Start Enriching CVEs In A Few Months.

At this point, I don’t know who will enrich CVE data in the future, how they will do it, or whether the data will be correct or useful. This is a terrible place to be.

Predicting CVEs in 2024

Every year, I get asked, “How many CVEs do you think will be published this year?”

I am always willing to take a guess, but last year, I read Time Series Forecasting in Python. As I started to read more about the Kalman Filter, I figured it would work great for predicting CVE growth, so I built a simple model to test it out.

2024 Prediction

My 2024 CVE model using the Kalman Filter is predicting 32,600 published CVEs.

Here is the monthly breakdown:

2023 Review

The model for 2023 underestimated the number of CVEs by 1,670, which I felt was really good for the first attempt.

What is the Kalman Filter?

The Kalman Filter algorithm uses a series of measurements observed over time to produce estimates that tend to be more accurate than those based on a single measurement alone. In essence, it helps predict the future state of a system based on its current state and past trends.
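To show what "predict the future state from the current state and past trends" means mechanically, here is an added example of a local-linear-trend Kalman filter on a yearly count series, written for this page in plain Python. It is not the author's Darts-based model (Darts wraps a far more general filter), so it will not reproduce the 32,600 forecast above; the process- and measurement-noise variances and the initial covariance are assumptions I chose for series of this magnitude. The state is the pair (level, trend): each step predicts `level + trend`, then corrects both by the Kalman gain times the innovation (observed minus predicted). The sample series uses the yearly totals quoted in the 2023 and 2025 reviews on this page (the posts themselves differ slightly on some years because rejected CVEs are handled differently).

```python
"""Local-linear-trend Kalman filter for a yearly CVE count series (pure Python).

State x = (level, trend). Transition: level' = level + trend, trend' = trend.
Observation: z = level + measurement noise. A 2-state model needs no numpy.
"""

# Yearly published-CVE totals as quoted in the reviews on this page (assumed inputs for the demo).
SAMPLE_YEARLY = {2022: 25081, 2023: 28902, 2024: 40009, 2025: 48185}


def kalman_forecast(series, q_level=1e6, q_trend=1e6, r=1e6, horizon=1):
    """Filter `series` and return `horizon` forecasts beyond its last observation.

    q_level / q_trend: process-noise variances (how far level and trend may drift per step).
    r: measurement-noise variance. These defaults are assumptions sized for counts in the
    tens of thousands. The initial state is taken from the first two observations.
    """
    if len(series) < 2:
        raise ValueError("need at least two observations")
    level, trend = float(series[0]), float(series[1] - series[0])
    # Large initial covariance: we are unsure of the starting state, so early data dominates.
    p00, p01, p10, p11 = 1e8, 0.0, 0.0, 1e8
    for z in series[1:]:
        # Predict: x = F x, P = F P F^T + Q with F = [[1, 1], [0, 1]], Q = diag(q_level, q_trend)
        level, trend = level + trend, trend
        p00, p01, p10, p11 = (p00 + p01 + p10 + p11 + q_level,
                              p01 + p11,
                              p10 + p11,
                              p11 + q_trend)
        # Update with H = [1, 0]: innovation y, gain K = P H^T / S, then P = (I - K H) P
        s = p00 + r
        k0, k1 = p00 / s, p10 / s
        y = float(z) - level
        level, trend = level + k0 * y, trend + k1 * y
        p00, p01, p10, p11 = ((1 - k0) * p00, (1 - k0) * p01,
                              p10 - k1 * p00, p11 - k1 * p01)
    # Forecast h steps ahead by propagating the trend with no further corrections.
    return [level + h * trend for h in range(1, horizon + 1)]


def forecast_next_year(yearly):
    """Forecast the year after the last key of a {year: count} mapping."""
    years = sorted(yearly)
    return years[-1] + 1, kalman_forecast([yearly[y] for y in years])[0]


if __name__ == "__main__":
    year, value = forecast_next_year(SAMPLE_YEARLY)
    print(f"forecast for {year}: {value:,.0f}")
```

Two behaviours worth knowing before trusting such a model: on a perfectly linear series the innovation is always zero, so the forecast is exactly the next point on the line; and a large `q_trend` relative to `r` makes the filter chase the most recent year-over-year jump, which is why a single anomalous year can swing the forecast.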

What Python Library Did You Use?

I have been using Darts by Unit8 as it is fully featured and easy to implement.

Code

All the code for this blog post is in this Github Repository, and I plan on automating and updating it as I get more time.

2023 CVE Data Review

2023 marked another year of record growth in CVE data, and I thought it fitting to kick off the new year by delving into these statistics and showcasing some of the more interesting data points.

CVEs By The Numbers

We ended 2023 with 28,902 published CVEs, up over 15% from the 25,081 CVEs published in 2022.

  • On average, there were 79.18 CVEs published per day.
  • October was the month with the most CVEs published, with 2,690 or 9.3% of all CVEs for the year.
  • Tuesdays were the top publishing days, with 6,438 CVEs or 22.3% of all CVEs published.
  • January 26th had the most CVEs published in a single day, with 348.

CVEs By Month

CVEs By Day Of The Week

Top 10 CVE Publishing Days

CVE Growth

Like every year since 2017, we saw a record-breaking number of CVEs published, with 28,902, a 15.23% increase over 2022. It also means that 13.18% of all CVEs ever published were published in the last year.

CVSS

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score from 0.0 to 10.0, reflecting its severity. The average CVSS score this year was 7.12.

This year, 36 CVEs scored a “perfect” 10.0.

CVE-2023-21928 had the lowest published CVSS score of 1.8.

CPE

Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages that helps identify the vulnerable software listed in a CVE.

This year, 3,119 unique CPEs were identified in CVEs. The most common was cpe:2.3:o:google:android:12.0:*:*:*:*:*:*:*, which was applied to 547 CVEs.

CVE-2023-44183, a Juniper Networks Junos OS vulnerability, is the CVE with the most CPEs with 240 unique, vulnerable configurations.

CNA

CVE Numbering Authorities (CNAs) are software vendors, open source projects, coordination centers, bug bounty service providers, hosted services, and research groups authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their specific scopes of coverage.

Today, there are 346 CNAs. This year, 250 of those CNAs published at least one CVE.

The Top 5 CNAs last year were:

  1. Patchstack
  2. VulDB
  3. Github
  4. Microsoft
  5. WPScan

Four of the top five CNAs this year, excluding Microsoft, were purpose-built to report CVEs for open-source projects (VulDB & Github) or WordPress Plugins (Patchstack & WPScan). Those four CNAs published 6,778, or 24.12% of all CVEs this year.

CWE

CWE is a community-developed list of software and hardware weakness types. It is a common language, a measuring stick for security tools, and a baseline for weakness identification, mitigation, and prevention efforts.

There are 1,332 CWEs, and 237 were assigned to CVEs this year. CWE-79 was the most assigned CWE and was assigned 4,474 times or 15.48% of all CVEs. NVD didn’t assign a CWE 4,113 times or 14.23% of all CVEs.

Notes

2,112 Rejected CVEs have been removed from the dataset because some CNAs publish and reject any unused reserved CVE IDs, causing an artificially inflated record count. On September 14th alone, 662 were published and then immediately rejected.

This GitHub repository has Jupyter notebooks containing all the data and visualizations used in this blog.

CVE.ICU is an open-source project I run that tracks most of the above data points in real-time throughout the year if you are interested in keeping up with the data.

Interesting Hacker Summer Camp Talks

Hacker Summer Camp, as it is colloquially known, is three security conferences that are all next week in Las Vegas. The three conferences that make up Security Summer Camp are:

While preparing for these conferences, I dug through their schedules and picked out the talks I was most interested in catching.

BSides Las Vegas

BSides Las Vegas is back with a fantastic schedule and is always one of the best community events of the year. I am giving a talk on Wednesday at BSides titled Vulnerability Intelligence for All: Say Goodbye to Data Gatekeeping, which I am super excited about.

Here are a few other fantastic talks I will try to catch:

BlackhatUSA

Blackhat USA is the “commercial conference” of the three but has a lot of good talks this year. The talks I am looking forward to this year are:

DEF CON

DEF CON is probably the world’s most well-known hacker conference, and this year’s schedule looks impressive. Here is what I am going to attempt to see this year:

  • Growing the Community of AI Hackers with the Generative Red Team
  • Badge of Shame: Breaking into Secure Facilities with OSDP
  • ndays are also 0days: Can hackers launch 0day RCE attack on popular software only with chromium ndays?
  • Vacuum robot security and privacy – prevent your robot from sucking your data

Along with these talks, they have these interest-specific villages where I will spend a lot of time. Here are the villages where I know I will be spending time.

Wrapping Up

While the talks above are the ones that I am looking forward to, my friends have built HackerTracker, which has a complete list of all the talks for the weekend and is worth checking out.

I am also really hoping someone hacks the new Sphere next week.

2023 First Half CVE Data Review

With the first half of 2023 over, I figured I would take some time and review the data and highlight some of the most interesting data points so far this year. This GitHub repo contains the code for all the data and graphs this blog uses.

By The Numbers

So far this year, there have been 14,129 published CVEs. On average, there were 78.06 CVEs published per day. So far, March is the month with the most CVEs published, with 2,519 or 17.8% of all CVEs for the year.

January 26th had the most CVEs published in a single day, with 348 or 2.46% of all CVEs.

CVEs By Month

Month | CVEs | Percentage
January | 2,338 | 16.5
February | 2,123 | 15.0
March | 2,519 | 17.8
April | 2,335 | 16.5
May | 2,420 | 17.1
June | 2,394 | 16.9

CVSS

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score from 0.0 to 10.0, reflecting its severity. The average CVSS score this year was 7.13.

So far this year, 18 CVEs scored a “perfect” 10.0.

CVE-2023-21928, a vulnerability in Oracle Solaris, had the lowest score of 1.8.

CPE

Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages that helps identify the vulnerable software listed in a CVE.

So far this year, there have been 1,610 unique CPEs identified in CVEs. The most common was cpe:2.3:o:google:android:12.0:*:*:*:*:*:*:*, which was applied to 309 CVEs.

CVE-2023-20027, a vulnerability in Cisco IOS XE, is the CVE with the most CPEs with 190 unique, vulnerable configurations.

CNA

CVE Numbering Authorities (CNAs) are software vendors, open source projects, coordination centers, bug bounty service providers, hosted services, and research groups authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their specific scopes of coverage.

Today there are 303 CNAs. So far this year, 198 unique assigners have published at least one CVE. Confusingly, 147 CNAs have not posted a CVE this year, and 124 assigners not listed as a CNA published at least one CVE.

Top CNAs

The Top 5 CNAs so far this year:

  1. VulDB
  2. Github
  3. PatchStack
  4. WPScan
  5. Microsoft

Four of the top five CNAs this year, excluding Microsoft, were purpose-built to report CVEs for various projects.

CWE

CWE is a community-developed list of software and hardware weakness types. It is a common language, a measuring stick for security tools, and a baseline for weakness identification, mitigation, and prevention efforts.

There are 1,332 CWEs, and so far this year, 221 have been assigned to CVEs. CWE-79 was the most assigned CWE and was assigned 2,415 times, or to 17.09% of all CVEs. NVD didn’t assign a CWE 1,819 times, or to 12.87% of all CVEs.

Notes

  • All data and graphs for this blog post were created using the Jupyter notebooks in the GitHub Repo.
  • Rejected CVEs have been removed from the dataset because some CNAs publish and reject any unused reserved CVE IDs, causing an artificially inflated record count.
  • CVE.ICU is a Jupyter Book site that I run that has real-time CVE information throughout the year.
