CVE Intelligence · Data Story · Updated 6th April 2026

The vulnerability landscape is not slowing down.

Every day, dozens of new Common Vulnerabilities and Exposures are catalogued, scored, and tracked. Some will quietly expire. Others will be weaponized within hours. This is a look at what the data actually tells us.



This analysis is just a snapshot.

— chapter 01

Volume has become the new threat vector.

The NVD has been cataloguing vulnerabilities since 1999. For the first decade, volume grew steadily but manageably. Then came the software explosion — cloud, mobile, open source — and with it, an exponential surge in reported CVEs.

  • 2010: 11,094 CVEs published — the first year to break 10k. Security teams called it a turning point.
  • 2020: 171,681 CVEs. Remote work forces a massive attack surface expansion. VPNs and conferencing tools dominate the headlines.
  • 2022: 175,776 CVEs. Log4Shell fallout still reverberating. Supply chain attacks reach board-level awareness.
  • 2026: 122,585+ CVEs within only 3 months — a new record. AI-assisted code generation begins raising questions about the future of cybersecurity.

Insight: Volume alone doesn't determine risk. A team that patches 80% of criticals fast beats one that patches 100% of everything — slowly.

— chapter 02

Severity: most are serious. A few are catastrophic.

CVSS scores divide CVEs into four buckets. Critical and High together account for roughly half of all reported vulnerabilities — and represent the realistic attack surface for any organization.

  • Critical (CVSS 9.0–10.0): 10.3%
  • High (CVSS 7.0–8.9): 36.3%
  • Medium (CVSS 4.0–6.9): 40.1%
  • Low (CVSS 0.1–3.9): 13.3%

But CVSS alone is a static snapshot. It measures theoretical severity — not the probability that a specific CVE will actually be exploited in the wild.

— chapter 03

EPSS asks a different question: will this actually be exploited?

The Exploit Prediction Scoring System (EPSS) produces a 0–1 probability score updated daily, drawing on threat intelligence, CVE metadata, and observed exploitation patterns. The gap between CVSS and EPSS reveals which "critical" bugs are real emergencies — and which can wait.

  • CVE-2021-44228 · EPSS 0.94 · Log4Shell — exploited within hours of disclosure
  • CVE-2023-44487 · EPSS 0.94 · HTTP/2 Rapid Reset — record-breaking DDoS amplification
  • CVE-2024-21762 · EPSS 0.93 · Fortinet FortiOS out-of-bounds write, actively exploited
  • CVE-2022-30190 · EPSS 0.94 · Follina — MSDT code exec, weaponized in phishing campaigns

The triage paradox: Only ~3% of published CVEs ever achieve an EPSS score above 0.5. Prioritizing by EPSS cuts remediation workload by over 85% while covering the actual threat.

— chapter 04

CISA KEV: the list that matters most.

The Known Exploited Vulnerabilities catalog is CISA's curated list of CVEs confirmed to be actively exploited. Every entry has a mandatory remediation deadline for federal agencies — and represents a real threat any organization should take seriously.

  • High · CVE-2023-4966 · Citrix Bleed: session token hijacking — attackers bypassed MFA and accessed sensitive systems at major banks and government agencies.
  • Critical · CVE-2024-3400 · PAN-OS: command injection in the GlobalProtect gateway — zero-day exploited before patch availability, targeting critical infrastructure.
  • Critical · CVE-2023-20198 · Cisco IOS XE: privilege escalation creating rogue admin accounts — tens of thousands of devices compromised within days of disclosure.
  • Critical · CVE-2022-47966 · ManageEngine: remote code execution across 24 ManageEngine products — nation-state actors linked to exploitation campaigns.

— chapter 05

Vendors most represented in the KEV.

When a vendor appears repeatedly in the KEV, it signals structural exposure — either code quality issues, widespread deployment, or attacker interest in that ecosystem. The top five tell a familiar story.

  • OpenClaw: 228 entries
  • Google: 226 entries
  • Linux: 189 entries
  • Apple: 162 entries
  • Microsoft: 121 entries

OpenClaw's lead reflects its recent surge in popularity. Google's share reflects the number of products it ships and the breadth of its user base rather than being a warning signal in itself.

— conclusion

What the data demands of us.

A CVE dashboard is not a status display — it's a decision engine. Three principles emerge from the data every time.

The data-driven patch playbook
  • EPSS over CVSS for triage. A CVSS 9.8 with EPSS 0.02 can wait. A CVSS 7.5 with EPSS 0.91 cannot.
  • KEV is your SLA. Any CVE on the Known Exploited Vulnerabilities list should be treated as a production incident — not a scheduled ticket.
  • Vendor concentration creates exposure. If your stack leans heavily on one vendor with recurring KEV entries, that's an architectural risk, not just an ops problem.
  • Speed beats completeness. Patching 70% of criticals within 48 hours is more effective than patching 100% in three weeks.
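The first two playbook rules, KEV first and EPSS before CVSS, as an added Python example that is not part of this page or its dashboard; the `CVE-EXAMPLE-*` records are constructed placeholders whose scores mirror the CVSS 9.8/EPSS 0.02 and CVSS 7.5/EPSS 0.91 cases quoted above, while Log4Shell's EPSS figure is the one this page reports.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float      # CVSS base score, 0.0-10.0
    epss: float      # EPSS probability, 0.0-1.0
    in_kev: bool     # listed in the CISA KEV catalog

EPSS_EMERGENCY = 0.5  # the threshold the "triage paradox" refers to

def triage(v: Vuln) -> str:
    """Map one vulnerability to a remediation tier: KEV first, then EPSS,
    and only then CVSS, so a CVSS 9.8 / EPSS 0.02 bug lands below a
    CVSS 7.5 / EPSS 0.91 one."""
    if v.in_kev:
        return "P0-incident"    # KEV is the SLA: treat as a production incident
    if v.epss > EPSS_EMERGENCY:
        return "P1-urgent"      # likely to be exploited, whatever the CVSS says
    if v.cvss >= 7.0:
        return "P2-scheduled"   # serious on paper, low exploitation odds
    return "P3-backlog"

TIER_ORDER = {"P0-incident": 0, "P1-urgent": 1, "P2-scheduled": 2, "P3-backlog": 3}

def prioritize(vulns):
    """Work queue: tier first, then EPSS descending, then CVSS descending."""
    return sorted(vulns, key=lambda v: (TIER_ORDER[triage(v)], -v.epss, -v.cvss))

def urgent(vulns):
    """The subset that needs action now (P0 and P1); the rest can be scheduled."""
    return [v for v in vulns if TIER_ORDER[triage(v)] <= 1]

# Constructed sample feed. Log4Shell's EPSS is the page's figure and its KEV
# listing and CVSS 10.0 base score are real; the CVE-EXAMPLE-* entries are
# placeholders, not real CVE identifiers.
SAMPLE = [
    Vuln("CVE-2021-44228", 10.0, 0.94, True),
    Vuln("CVE-EXAMPLE-0001", 9.8, 0.02, False),
    Vuln("CVE-EXAMPLE-0002", 7.5, 0.91, False),
    Vuln("CVE-EXAMPLE-0003", 5.4, 0.01, False),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{triage(v):13} {v.cve:18} cvss={v.cvss:4} epss={v.epss:.2f}")
```

Swap `SAMPLE` for a feed joined from NVD, the EPSS API and the KEV catalog and the same function yields the daily work queue.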