Software vulnerabilities are flaws that attackers can exploit to break into systems. Thousands are discovered every year. Most of the data about them is incomprehensible. This page changes that.
Every year, researchers and companies discover more software flaws. A "CVE" is the ID number assigned to each one. The trend line tells a clear story: we're finding more flaws, faster.
MITRE is the organization that originally managed CVE assignment. As the volume exploded, MITRE authorized companies (called CNAs — CVE Numbering Authorities) to assign their own CVE IDs. CNAs include Microsoft, Google, Red Hat, and hundreds of others. Today, companies assign 88% of all CVEs.
Each vulnerability gets a severity score from 0 to 10. The score measures how much damage it could cause if exploited. The four severity categories, from most to least dangerous:
Critical: These are the most dangerous flaws. An attacker could take full control of your system remotely, often without needing a password or any interaction from you. Think: someone can access your entire computer from across the internet. These get emergency patches.
High: Serious vulnerabilities that could let attackers steal data, crash systems, or gain significant access. They usually require some preconditions (like being on the same network or tricking you into clicking a link), but the damage potential is real.
Medium: Moderate-risk flaws. These typically need multiple conditions to exploit and cause limited damage. By themselves they're not emergencies, but attackers sometimes chain several medium-severity bugs together to build a full attack.
Low: Minor issues with minimal direct impact. An attacker would gain very little from exploiting these alone. They're worth fixing eventually, but they don't keep security teams up at night.
CVSS scores aren't evenly distributed. Filtering the chart to known-exploited vulnerabilities shifts the distribution dramatically toward higher scores — but not exclusively. Some medium-severity vulnerabilities are heavily exploited too.
The National Vulnerability Database (NVD) fell behind in processing the flood of CVEs, leaving many without scores or analysis. You can't prioritize what you can't measure.
CISA (the US Cybersecurity and Infrastructure Security Agency) maintains a list of vulnerabilities that are KNOWN to be actively exploited. Federal agencies are required to patch these.
The high numbers in 2021–2022 are because the catalog launched in November 2021 with a large backfill of historically exploited vulnerabilities. Ongoing additions are lower but steady.
A severity label measures potential damage, not likelihood of attack. Most critical CVEs are never exploited. And many exploited CVEs aren't rated Critical.
100 Critical CVEs — how many are actually exploited?
100 Exploited CVEs — what severity were they?
Proof-of-concept exploit code exists for far more vulnerabilities than are actually exploited in the wild. Having a recipe doesn't mean anyone will cook the dish.
When a vulnerability is discovered, it takes time before it gets an official CVE publication. That delay leaves a gap where the flaw may be known but untracked.
How long between a vulnerability being discovered and its CVE being published?
50% of CVEs are published within 35 days, but 10% take over 296 days. The mean delay of 126 days is dragged up by these outliers.
Comparing scores across CVSS versions is like comparing Fahrenheit to Celsius — the numbers mean different things.
CVSS v2: The original scoring system. Simpler formula, fewer inputs. Tended to cluster scores around certain values. Officially retired.
CVSS v3: Added "Scope" and refined attack complexity. Better at distinguishing severity levels. Still the dominant version in use today.
CVSS v4: The newest version. Adds granularity with supplemental metrics and better reflects modern attack patterns. Adoption is growing but still early.
CVSS scores aren't evenly distributed. The formula's math creates spikes at certain scores — 7.5 and 9.8 appear far more often than 7.4 or 9.7.
The CVSS formula uses discrete inputs (like "Low/High" for complexity) that collapse into certain numeric outputs. This means some scores are mathematically impossible to reach, creating gaps and spikes in the distribution.
EPSS (Exploit Prediction Scoring System) tries to predict which vulnerabilities will actually be exploited in the next 30 days. Unlike CVSS which measures theoretical damage, EPSS measures real-world likelihood.
The upper-left quadrant (high severity, low exploitation probability) is full. Many "critical" vulnerabilities are never exploited. The lower-right deserves more attention than it gets.
The red cells are where security teams should focus. The large gray cell (8,000 high-severity, low-exploitation) represents wasted urgency — "critical" CVEs that nobody actually attacks.
Attackers overwhelmingly target vulnerabilities that are network-accessible, low complexity, no authentication required, no user interaction needed.
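The severity-versus-probability matrix and the attacker-favoured metric profile above translate directly into a triage rule. The following is an added example, not code from the page or from FIRST or CISA: it cross-tabulates CVSS base score against EPSS probability, flags vectors with the network-accessible, low-complexity, no-privilege, no-interaction profile, and assigns a priority that puts KEV entries first and "critical on paper, no exploitation signal" last among the serious ones. The CVE IDs, scores, EPSS values and KEV flags in the sample are constructed for the example, and the 0.10 EPSS cut-off and the priority tiers are assumptions of this example, not thresholds the page states.

```python
"""Cross-tabulate CVSS severity against EPSS and triage accordingly.
Added example; the records below are constructed, not real CVE data."""
from collections import Counter

# Constructed sample: (CVE id, CVSS v3.1 base score, base vector, EPSS probability, in CISA KEV?)
SAMPLE = [
    ("CVE-0000-0001", 9.8, "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 0.94, True),
    ("CVE-0000-0002", 9.8, "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 0.01, False),
    ("CVE-0000-0003", 9.8, "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 0.00, False),
    ("CVE-0000-0004", 8.8, "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 0.40, False),
    ("CVE-0000-0005", 8.1, "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 0.02, False),
    ("CVE-0000-0006", 7.8, "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 0.00, False),
    ("CVE-0000-0007", 7.5, "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 0.72, False),
    ("CVE-0000-0008", 6.1, "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 0.31, True),
    ("CVE-0000-0009", 5.3, "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 0.55, False),
    ("CVE-0000-0010", 4.3, "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", 0.00, False),
    ("CVE-0000-0011", 3.3, "AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", 0.00, False),
]

EPSS_LIKELY = 0.10     # assumed cut-off for "likely to be exploited"; tune to your risk appetite
HIGH_SEVERITY = 7.0    # CVSS v3 "High" starts at 7.0 per the specification's qualitative scale

# The metric profile the page says attackers overwhelmingly target.
EASY_PROFILE = {"AV": "N", "AC": "L", "PR": "N", "UI": "N"}


def parse_vector(vector: str) -> dict:
    return dict(p.split(":") for p in vector.split("/") if not p.startswith("CVSS"))


def is_attacker_favoured(vector: str) -> bool:
    """True when the vector is network-reachable, low complexity, and needs
    neither privileges nor user interaction."""
    m = parse_vector(vector)
    return all(m.get(k) == v for k, v in EASY_PROFILE.items())


def quadrant(score: float, epss: float) -> str:
    sev = "high-severity" if score >= HIGH_SEVERITY else "low-severity"
    prob = "likely" if epss >= EPSS_LIKELY else "unlikely"
    return f"{sev}/{prob}"


def matrix(records) -> Counter:
    """Count records per severity/probability cell, the page's 2x2 view."""
    return Counter(quadrant(score, epss) for _, score, _, epss, _ in records)


def priority(record) -> str:
    """Rank one record; lower P-number means act sooner."""
    _, score, vector, epss, in_kev = record
    if in_kev:
        return "P1: in CISA KEV, exploitation confirmed"
    if epss >= EPSS_LIKELY and is_attacker_favoured(vector):
        return "P2: likely exploited and trivially reachable"
    if epss >= EPSS_LIKELY:
        return "P3: likely exploited"
    if score >= HIGH_SEVERITY:
        return "P4: high/critical on paper, no exploitation signal"
    return "P5: routine"


def triage(records) -> dict:
    """CVE id -> priority string, for every record."""
    return {rec[0]: priority(rec) for rec in records}


if __name__ == "__main__":
    for cell, n in sorted(matrix(SAMPLE).items()):
        print(f"{cell:<24} {n}")
    for cve, prio in sorted(triage(SAMPLE).items(), key=lambda kv: kv[1]):
        print(cve, prio)
```

Note that the single largest cell in the sample is high-severity/unlikely, the "wasted urgency" group, and that two of the records that land in the top tiers are Medium-severity; both mirror what the page observes in the real data.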
Different organizations track exploited vulnerabilities. They don't all agree on what to include.
VulnCheck tracks 3x more exploited vulnerabilities than the US government's official list. All 1,463 CISA KEVs are included in VulnCheck's broader set of 4,395.
Microsoft products account for the most exploited vulnerabilities — not because they're less secure, but because they're the most widely deployed. Attackers go where the users are.
When both NVD and CISA ADP/CNA score the same vulnerability, they agree exactly 84% of the time. But for the remaining 16%, the disagreements can be significant.
Different countries maintain their own vulnerability databases. None of them cover everything.
The European EUVD covers 91% of all CVEs. Japan's JVN covers 82%. Russia's BDU covers just 21%. ENISA's EU KEV is tiny (only 19 entries) but 84% of those overlap with CISA's list.
As CVE volume has exploded, so have quality problems. Over 17,000 CVEs have been rejected — duplicates, errors, and non-vulnerabilities that slipped through the system.
Ransomware groups specifically target known vulnerabilities to break in. Here's how the numbers break down.
38,000+ new vulnerabilities sounds terrifying, but less than 0.5% are ever exploited. The real skill is knowing which ones matter.
The window between disclosure and exploitation has collapsed from a month to days. Fast patching is a survival skill.
94 vulnerabilities added to the government's "known exploited" list in 2025 were from previous years. If it's unpatched, it's still useful to attackers.
CVSS measures theoretical damage, not real-world likelihood. Only 3.5% of "critical" CVEs are ever actually exploited.
CISA, VulnCheck, NVD, and international databases all disagree. No single source tracks every exploited vulnerability.
Over 17,000 CVEs have been rejected. Scoring coverage only recently improved. The infrastructure for tracking vulnerabilities is catching up but still strained.