Mapping CVEs Over Time
CVE (Common Vulnerabilities and Exposures) is a list of publicly known vulnerabilities. The chart below stacks the count for each year by CVSS rating range. Hover for the per-range and per-year totals.
A few caveats:
- On the 2026 bar, the solid stack covers Jan 1 through May 7, 2026. The hatched block on top scales that by 365 ÷ 127 — a flat-rate extrapolation that assumes disclosures are uniformly distributed across the year. They aren’t (vendor patch cycles, conference timing and embargoed batch disclosures all skew this), so treat it as a rough upper-bound sketch rather than a forecast.
- CVE counts are not vulnerability counts in any deep sense. They’re records in a registry. A drop in a low-severity bucket may mean fewer bugs, or it may mean fewer reporters bothering to file.
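The flat-rate extrapolation from the first caveat, as an added example that is not the blog's own chart code. It also goes one step beyond the page by comparing the result with a projection scaled by a prior year's share of records published by the same calendar day, which shows how the uniform-distribution assumption moves the projected full-year count. The bucket boundaries, function names and all sample records are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date

# Assumed severity ranges; the page names only the 7-10 band explicitly.
BUCKETS = [("0-3.9", 0.0, 4.0), ("4-6.9", 4.0, 7.0), ("7-10", 7.0, 10.1)]

def bucket(score):
    for name, lo, hi in BUCKETS:
        if lo <= score < hi:
            return name
    raise ValueError(f"CVSS score out of range: {score}")

def count_by_bucket(records):
    """records: iterable of (published_date, cvss_score)."""
    return Counter(bucket(score) for _, score in records)

def days_elapsed(cutoff):
    """Days from Jan 1 through cutoff, inclusive."""
    return (cutoff - date(cutoff.year, 1, 1)).days + 1

def flat_rate(ytd, cutoff, year_days=365):
    """The page's method: scale by year_days / days elapsed."""
    factor = year_days / days_elapsed(cutoff)
    return {b: round(n * factor) for b, n in ytd.items()}

def history_based(ytd, prior_dates, cutoff):
    """Scale by the share of a prior year's records published by the same calendar day."""
    by_cutoff = sum((d.month, d.day) <= (cutoff.month, cutoff.day) for d in prior_dates)
    if by_cutoff == 0:
        raise ValueError("no prior-year records on or before the cutoff day")
    share = by_cutoff / len(prior_dates)
    return {b: round(n / share) for b, n in ytd.items()}

# Constructed sample data, not real CVE records.
CUTOFF = date(2026, 5, 7)
YTD_2026 = [(date(2026, 1, 12), 9.8), (date(2026, 2, 3), 7.5),
            (date(2026, 3, 20), 5.3), (date(2026, 5, 7), 8.1)]
PRIOR_2025 = [date(2025, m, d) for m, d in
              [(1, 15), (3, 10), (5, 7), (6, 10), (7, 8),
               (8, 12), (9, 9), (10, 14), (11, 11), (12, 9)]]

if __name__ == "__main__":
    ytd = count_by_bucket(YTD_2026)
    print("days elapsed:", days_elapsed(CUTOFF))
    print("flat-rate:", flat_rate(ytd, CUTOFF))
    print("history-based:", history_based(ytd, PRIOR_2025, CUTOFF))
```

In the constructed data only 30% of the prior year's records fall on or before May 7, against the 127/365 (about 35%) that the flat rate assumes, so the history-based figure for the 7-10 band comes out higher.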
The trend at the high end (7-10) is real, large, and accelerating. This is the important part.