Vulnerability Insights.

338,482 vulnerabilities

Indexed across NVD, CISA KEV, vendor advisories, and other public vulnerability sources. Continuously updated, with CVSS, EPSS, and CWE enrichment.

Data as of March 2026
RECENT ACTIVITY

Disclosure velocity.

CVEs PUBLISHED
Last 1 day: 200
Last 7 days: 1,296
Last 30 days: 5,555

CVEs MODIFIED & KEV ADDITIONS
Modified, last 1 day: 801
Modified, last 7 days: 2,454
Modified, last 30 days: 8,713
CISA KEV, last 30 days: 25

CVEs published, modified, and added to CISA’s Known Exploited Vulnerabilities list across all tracked sources.

SEVERITY DISTRIBUTION

2025 was the all-time peak.

49,972 CVEs disclosed last year — the highest annual total ever recorded. 2026 is on pace to exceed it.

[Chart: CVEs per year by severity (Critical, High, Medium, Low, Other), 2019 to 2026; 2026 shown as year-to-date actuals plus projection. The full series is in the table below.]
FULL 39-YEAR HISTORY
Year  Critical  High  Medium  Low  Other  Total
2026 1,280 4,512 5,545 448 1,420 13,205
2026 projected ~6,068 ~21,388 ~26,285 ~2,124 ~6,731 ~62,595
2025 4,176 15,555 25,815 1,269 3,157 49,972
2024 4,285 14,016 20,754 852 797 40,704
2023 4,633 10,948 12,815 421 2,132 30,949
2022 4,247 10,159 10,175 491 1,359 26,431
2021 2,676 8,567 8,462 444 1,801 21,950
2020 2,720 7,686 7,493 423 900 19,222
2019 2,637 7,206 7,151 311 1,633 18,938
2018 2,597 7,541 6,204 168 1,644 18,154
2017 2,111 6,599 5,697 235 3,471 18,113
2016 887 2,895 2,446 221 68 6,517
2015 48 2,351 3,506 589 101 6,595
2014 20 1,924 5,323 661 80 8,008
2013 22 1,732 2,915 518 137 5,324
2012 21 1,722 3,035 510 63 5,351
2011 5 1,783 2,101 261 22 4,172
2010 26 2,094 2,242 277 28 4,667
2009 13 2,734 2,788 197 46 5,778
2008 19 2,845 2,583 185 32 5,664
2007 21 3,162 3,101 232 80 6,596
2006 11 2,763 3,325 509 51 6,659
2005 13 2,047 2,431 441 78 5,010
2004 10 973 1,265 203 28 2,479
2003 9 674 747 97 21 1,548
2002 10 1,023 980 143 14 2,170
2001 12 776 706 182 3 1,679
2000 2 454 467 96 1 1,020
1999 3 422 356 113 29 923
1998 1 137 85 23 1 247
1997 145 87 20 1 253
1996 1 43 21 9 1 75
1995 1 17 6 1 25
1994 14 10 1 1 26
1993 8 3 2 13
1992 12 1 1 14
1991 11 4 15
1990 8 2 1 11
1989 2 1 3
1988 2 2
CWE TIMELINE

Which weaknesses keep showing up.

Top 10 CWE categories from 2016–2026, by year. Cross-site scripting (CWE-79) sits at the top of nearly every recent year — the ratio of XSS to other weaknesses keeps rising. Click any year to see the full ranked list.

YEAR  CWE-79 improper neutralization of input …  CWE-89 improper neutralization of specia…  CWE-787 out-of-bounds write  CWE-20 improper input validation  CWE-125 out-of-bounds read  CWE-352 cross-site request forgery (CSRF)  CWE-119 improper restriction of operation…  CWE-200 exposure of sensitive information…  CWE-862 missing authorization  CWE-22 improper limitation of a pathname…  TOTAL
2026 1,642 786 345 230 256 237 300 230 818 418 5,262
2025 8,300 3,999 1,169 683 996 1,924 1,155 829 2,357 1,125 22,537
2024 7,146 2,661 1,996 682 1,228 1,387 294 800 1,767 1,066 19,027
2023 4,621 1,997 1,985 821 987 1,174 231 581 767 766 13,930
2022 3,216 1,738 2,271 751 864 694 339 486 512 743 11,614
2021 2,683 737 1,576 683 729 467 296 314 257 539 8,281
2020 2,167 463 1,388 831 673 399 184 351 270 431 7,157
2019 2,342 547 1,294 927 908 543 481 559 211 481 8,293
2018 2,021 502 863 1,281 768 453 1,010 1,075 67 564 8,604
2017 1,477 504 263 959 712 315 2,114 1,312 43 275 7,974
2016 472 94 175 526 90 81 1,036 684 2 78 3,238
TOTAL 36,087 14,028 13,325 8,374 8,211 7,674 7,440 7,221 7,071 6,486 115,917
TOP 50 CWEs · 2026 (partial year)
01  CWE-79  improper neutralization of input during web page generation ('cross-site scripting')  1,642
02  CWE-862  missing authorization  818
03  CWE-89  improper neutralization of special elements used in an SQL command ('SQL injection')  786
04  CWE-22  improper limitation of a pathname to a restricted directory ('path traversal')  418
05  CWE-74  improper neutralization of special elements in output used by a downstream component ('injection')  372
06  CWE-787  out-of-bounds write  345
07  CWE-98  improper control of filename for include/require statement in PHP program ('PHP remote file inclusion')  327
08  CWE-121  stack-based buffer overflow  318
09  CWE-78  improper neutralization of special elements used in an OS command ('OS command injection')  315
10  CWE-94  improper control of generation of code ('code injection')  304
11  CWE-119  improper restriction of operations within the bounds of a memory buffer  300
12  CWE-284  improper access control  287
13  CWE-125  out-of-bounds read  256
14  CWE-352  cross-site request forgery (CSRF)  237
15  CWE-918  server-side request forgery (SSRF)  234
16  CWE-20  improper input validation  230
17  CWE-200  exposure of sensitive information to an unauthorized actor  230
18  CWE-120  buffer copy without checking size of input ('classic buffer overflow')  220
19  CWE-77  improper neutralization of special elements used in a command ('command injection')  215
20  CWE-416  use after free  214
21  CWE-434  unrestricted upload of file with dangerous type  210
22  CWE-639  authorization bypass through user-controlled key  207
23  CWE-863  incorrect authorization  203
24  CWE-502  deserialization of untrusted data  185
25  CWE-770  allocation of resources without limits or throttling  185
26  CWE-122  heap-based buffer overflow  180
27  CWE-306  missing authentication for critical function  179
28  CWE-476  null pointer dereference  178
29  CWE-428  unquoted search path or element  158
30  CWE-400  uncontrolled resource consumption  144
31  CWE-287  improper authentication  119
32  CWE-266  incorrect privilege assignment  110
33  CWE-269  improper privilege management  103
34  CWE-285  improper authorization  95
35  CWE-362  concurrent execution using shared resource with improper synchronization ('race condition')  90
36  CWE-190  integer overflow or wraparound  81
37  CWE-404  improper resource shutdown or release  69
38  CWE-601  URL redirection to untrusted site ('open redirect')  66
39  CWE-798  use of hard-coded credentials  65
40  CWE-295  improper certificate validation  62
41  CWE-427  uncontrolled search path element  57
42  CWE-288  authentication bypass using an alternate path or channel  54
43  CWE-732  incorrect permission assignment for critical resource  53
44  CWE-401  missing release of memory after effective lifetime  50
45  CWE-59  improper link resolution before file access ('link following')  48
46  CWE-73  external control of file name or path  48
47  CWE-276  incorrect default permissions  47
48  CWE-522  insufficiently protected credentials  45
49  CWE-532  insertion of sensitive information into log file  45
50  CWE-347  improper verification of cryptographic signature  43
TOP 50 CWEs · 2025
01  CWE-79  improper neutralization of input during web page generation ('cross-site scripting')  8,300
02  CWE-89  improper neutralization of special elements used in an SQL command ('SQL injection')  3,999
03  CWE-74  improper neutralization of special elements in output used by a downstream component ('injection')  2,569
04  CWE-862  missing authorization  2,357
05  CWE-352  cross-site request forgery (CSRF)  1,924
06  CWE-94  improper control of generation of code ('code injection')  1,411
07  CWE-284  improper access control  1,253
08  CWE-476  null pointer dereference  1,219
09  CWE-787  out-of-bounds write  1,169
10  CWE-119  improper restriction of operations within the bounds of a memory buffer  1,155
11  CWE-22  improper limitation of a pathname to a restricted directory ('path traversal')  1,125
12  CWE-416  use after free  1,089
13  CWE-125  out-of-bounds read  996
14  CWE-78  improper neutralization of special elements used in an OS command ('OS command injection')  903
15  CWE-434  unrestricted upload of file with dangerous type  890
16  CWE-121  stack-based buffer overflow  880
17  CWE-200  exposure of sensitive information to an unauthorized actor  829
18  CWE-120  buffer copy without checking size of input ('classic buffer overflow')  823
19  CWE-77  improper neutralization of special elements used in a command ('command injection')  764
20  CWE-20  improper input validation  683
21  CWE-502  deserialization of untrusted data  664
22  CWE-98  improper control of filename for include/require statement in PHP program ('PHP remote file inclusion')  587
23  CWE-918  server-side request forgery (SSRF)  568
24  CWE-401  missing release of memory after effective lifetime  567
25  CWE-122  heap-based buffer overflow  545
26  CWE-863  incorrect authorization  513
27  CWE-306  missing authentication for critical function  487
28  CWE-400  uncontrolled resource consumption  459
29  CWE-266  incorrect privilege assignment  423
30  CWE-639  authorization bypass through user-controlled key  422
31  CWE-770  allocation of resources without limits or throttling  381
32  CWE-287  improper authentication  360
33  CWE-362  concurrent execution using shared resource with improper synchronization ('race condition')  353
34  CWE-269  improper privilege management  348
35  CWE-285  improper authorization  329
36  CWE-190  integer overflow or wraparound  284
37  CWE-601  URL redirection to untrusted site ('open redirect')  260
38  CWE-276  incorrect default permissions  230
39  CWE-427  uncontrolled search path element  224
40  CWE-798  use of hard-coded credentials  223
41  CWE-667  improper locking  202
42  CWE-732  incorrect permission assignment for critical resource  194
43  CWE-497  exposure of sensitive system information to an unauthorized control sphere  180
44  CWE-532  insertion of sensitive information into log file  178
45  CWE-288  authentication bypass using an alternate path or channel  171
46  CWE-404  improper resource shutdown or release  161
47  CWE-908  use of uninitialized resource  160
48  CWE-295  improper certificate validation  153
49  CWE-59  improper link resolution before file access ('link following')  144
50  CWE-73  external control of file name or path  142
TOP 50 CWEs · 2024
01  CWE-79  improper neutralization of input during web page generation ('cross-site scripting')  7,146
02  CWE-89  improper neutralization of special elements used in an SQL command ('SQL injection')  2,661
03  CWE-787  out-of-bounds write  1,996
04  CWE-862  missing authorization  1,767
05  CWE-352  cross-site request forgery (CSRF)  1,387
06  CWE-416  use after free  1,258
07  CWE-125  out-of-bounds read  1,228
08  CWE-476  null pointer dereference  1,149
09  CWE-22  improper limitation of a pathname to a restricted directory ('path traversal')  1,066
10  CWE-121  stack-based buffer overflow  898
11  CWE-78  improper neutralization of special elements used in an OS command ('OS command injection')  801
12  CWE-200  exposure of sensitive information to an unauthorized actor  800
13  CWE-94  improper control of generation of code ('code injection')  761
14  CWE-434  unrestricted upload of file with dangerous type  742
15  CWE-284  improper access control  731
16  CWE-20  improper input validation  682
17  CWE-120  buffer copy without checking size of input ('classic buffer overflow')  679
18  CWE-122  heap-based buffer overflow  528
19  CWE-77  improper neutralization of special elements used in a command ('command injection')  511
20  CWE-269  improper privilege management  422
21  CWE-400  uncontrolled resource consumption  422
22  CWE-863  incorrect authorization  419
23  CWE-502  deserialization of untrusted data  409
24  CWE-401  missing release of memory after effective lifetime  393
25  CWE-918  server-side request forgery (SSRF)  368
26  CWE-74  improper neutralization of special elements in output used by a downstream component ('injection')  329
27  CWE-287  improper authentication  324
28  CWE-119  improper restriction of operations within the bounds of a memory buffer  294
29  CWE-190  integer overflow or wraparound  286
30  CWE-639  authorization bypass through user-controlled key  280
31  CWE-276  incorrect default permissions  279
32  CWE-770  allocation of resources without limits or throttling  279
33  CWE-362  concurrent execution using shared resource with improper synchronization ('race condition')  270
34  CWE-306  missing authentication for critical function  268
35  CWE-667  improper locking  235
36  CWE-798  use of hard-coded credentials  201
37  CWE-532  insertion of sensitive information into log file  195
38  CWE-908  use of uninitialized resource  183
39  CWE-427  uncontrolled search path element  177
40  CWE-601  URL redirection to untrusted site ('open redirect')  172
41  CWE-285  improper authorization  170
42  CWE-59  improper link resolution before file access ('link following')  153
43  CWE-732  incorrect permission assignment for critical resource  149
44  CWE-922  insecure storage of sensitive information  132
45  CWE-522  insufficiently protected credentials  130
46  CWE-129  improper validation of array index  128
47  CWE-290  authentication bypass by spoofing  126
48  CWE-295  improper certificate validation  125
49  CWE-203  observable discrepancy  122
50  CWE-80  improper neutralization of script-related HTML tags in a web page (basic XSS)  120
TOP 50 CWEs · 2023
01  CWE-79  improper neutralization of input during web page generation ('cross-site scripting')  4,621
02  CWE-89  improper neutralization of special elements used in an SQL command ('SQL injection')  1,997
03  CWE-787  out-of-bounds write  1,985
04  CWE-352  cross-site request forgery (CSRF)  1,174
05  CWE-125  out-of-bounds read  987
06  CWE-20  improper input validation  821
07  CWE-862  missing authorization  767
08  CWE-22  improper limitation of a pathname to a restricted directory ('path traversal')  766
09  CWE-416  use after free  645
10  CWE-120  buffer copy without checking size of input ('classic buffer overflow')  607
11  CWE-78  improper neutralization of special elements used in an OS command ('OS command injection')  598
12  CWE-200  exposure of sensitive information to an unauthorized actor  581
13  CWE-434  unrestricted upload of file with dangerous type  522
14  CWE-77  improper neutralization of special elements used in a command ('command injection')  519
15  CWE-284  improper access control  465
16  CWE-863  incorrect authorization  427
17  CWE-94  improper control of generation of code ('code injection')  416
18  CWE-400  uncontrolled resource consumption  411
19  CWE-287  improper authentication  386
20  CWE-269  improper privilege management  351
21  CWE-121  stack-based buffer overflow  333
22  CWE-476  null pointer dereference  268
23  CWE-502  deserialization of untrusted data  266
24  CWE-190  integer overflow or wraparound  264
25  CWE-122  heap-based buffer overflow  256
26  CWE-918  server-side request forgery (SSRF)  233
27  CWE-119  improper restriction of operations within the bounds of a memory buffer  231
28  CWE-306  missing authentication for critical function  215
29  CWE-770  allocation of resources without limits or throttling  206
30  CWE-276  incorrect default permissions  191
31  CWE-601  URL redirection to untrusted site ('open redirect')  187
32  CWE-668  exposure of resource to wrong sphere  185
33  CWE-798  use of hard-coded credentials  184
34  CWE-74  improper neutralization of special elements in output used by a downstream component ('injection')  176
35  CWE-732  incorrect permission assignment for critical resource  166
36  CWE-362  concurrent execution using shared resource with improper synchronization ('race condition')  162
37  CWE-427  uncontrolled search path element  148
38  CWE-532  insertion of sensitive information into log file  144
39  CWE-611  improper restriction of XML external entity reference  137
40  CWE-522  insufficiently protected credentials  135
41  CWE-203  observable discrepancy  134
42  CWE-285  improper authorization  132
43  CWE-312  cleartext storage of sensitive information  129
44  CWE-639  authorization bypass through user-controlled key  127
45  CWE-295  improper certificate validation  118
46  CWE-59  improper link resolution before file access ('link following')  113
47  CWE-126  buffer over-read  111
48  CWE-319  cleartext transmission of sensitive information  104
49  CWE-367  time-of-check time-of-use (TOCTOU) race condition  102
50  CWE-843  access of resource using incompatible type ('type confusion')  97
TOP 50 CWEs · 2022
01  CWE-79  improper neutralization of input during web page generation ('cross-site scripting')  3,216
02  CWE-787  out-of-bounds write  2,271
03  CWE-89  improper neutralization of special elements used in an SQL command ('SQL injection')  1,738
04  CWE-125  out-of-bounds read  864
05  CWE-20  improper input validation  751
06  CWE-22  improper limitation of a pathname to a restricted directory ('path traversal')  743
07  CWE-416  use after free  731
08  CWE-352  cross-site request forgery (CSRF)  694
09  CWE-78  improper neutralization of special elements used in an OS command ('OS command injection')  585
10  CWE-862  missing authorization  512
11  CWE-200  exposure of sensitive information to an unauthorized actor  486
12  CWE-434  unrestricted upload of file with dangerous type  482
13  CWE-120  buffer copy without checking size of input ('classic buffer overflow')  459
14  CWE-287  improper authentication  416
15  CWE-476  null pointer dereference  391
16  CWE-284  improper access control  356
17  CWE-119  improper restriction of operations within the bounds of a memory buffer  339
18  CWE-269  improper privilege management  302
19  CWE-863  incorrect authorization  294
20  CWE-400  uncontrolled resource consumption  270
21  CWE-77  improper neutralization of special elements used in a command ('command injection')  238
22  CWE-190  integer overflow or wraparound  238
23  CWE-362  concurrent execution using shared resource with improper synchronization ('race condition')  236
24  CWE-94  improper control of generation of code ('code injection')  232
25  CWE-918  server-side request forgery (SSRF)  214
26  CWE-306  missing authentication for critical function  210
27  CWE-798  use of hard-coded credentials  203
28  CWE-276  incorrect default permissions  202
29  CWE-122  heap-based buffer overflow  188
30  CWE-707  improper neutralization  188
31  CWE-770  allocation of resources without limits or throttling  184
32  CWE-502  deserialization of untrusted data  177
33  CWE-121  stack-based buffer overflow  169
34  CWE-522  insufficiently protected credentials  157
35  CWE-601  URL redirection to untrusted site ('open redirect')  150
36  CWE-617  reachable assertion  148
37  CWE-668  exposure of resource to wrong sphere  140
38  CWE-732  incorrect permission assignment for critical resource  137
39  CWE-639  authorization bypass through user-controlled key  130
40  CWE-401  missing release of memory after effective lifetime  127
41  CWE-611  improper restriction of XML external entity reference  125
42  CWE-74  improper neutralization of special elements in output used by a downstream component ('injection')  124
43  CWE-427  uncontrolled search path element  124
44  CWE-532  insertion of sensitive information into log file  117
45  CWE-295  improper certificate validation  111
46  CWE-203  observable discrepancy  107
47  CWE-59  improper link resolution before file access ('link following')  97
48  CWE-285  improper authorization  97
49  CWE-1321  improperly controlled modification of object prototype attributes ('prototype pollution')  97
50  CWE-755  improper handling of exceptional conditions  96
TOP 50 CWEs · 2021
01  CWE-79  improper neutralization of input during web page generation ('cross-site scripting')  2,683
02  CWE-787  out-of-bounds write  1,576
03  CWE-89  improper neutralization of special elements used in an SQL command ('SQL injection')  737
04  CWE-125  out-of-bounds read  729
05  CWE-20  improper input validation  683
06  CWE-416  use after free  556
07  CWE-22  improper limitation of a pathname to a restricted directory ('path traversal')  539
08  CWE-78  improper neutralization of special elements used in an OS command ('OS command injection')  494
09  CWE-352  cross-site request forgery (CSRF)  467
10  CWE-120  buffer copy without checking size of input ('classic buffer overflow')  418
11  CWE-476  null pointer dereference  363
12  CWE-269  improper privilege management  342
13  CWE-200  exposure of sensitive information to an unauthorized actor  314
14  CWE-287  improper authentication  302
15  CWE-77  improper neutralization of special elements used in a command ('command injection')  300
16  CWE-434  unrestricted upload of file with dangerous type  298
17  CWE-119  improper restriction of operations within the bounds of a memory buffer  296
18  CWE-863  incorrect authorization  293
19  CWE-862  missing authorization  257
20  CWE-190  integer overflow or wraparound  241
21  CWE-400  uncontrolled resource consumption  236
22  CWE-502  deserialization of untrusted data  224
23  CWE-121  stack-based buffer overflow  197
24  CWE-918  server-side request forgery (SSRF)  187
25  CWE-798  use of hard-coded credentials  172
26  CWE-74  improper neutralization of special elements in output used by a downstream component ('injection')  171
27  CWE-94  improper control of generation of code ('code injection')  165
28  CWE-362  concurrent execution using shared resource with improper synchronization ('race condition')  164
29  CWE-732  incorrect permission assignment for critical resource  163
30  CWE-284  improper access control  157
31  CWE-276  incorrect default permissions  155
32  CWE-306  missing authentication for critical function  151
33  CWE-522  insufficiently protected credentials  131
34  CWE-601  URL redirection to untrusted site ('open redirect')  131
35  CWE-122  heap-based buffer overflow  129
36  CWE-295  improper certificate validation  123
37  CWE-312  cleartext storage of sensitive information  123
38  CWE-427  uncontrolled search path element  123
39  CWE-611  improper restriction of XML external entity reference  119
40  CWE-668  exposure of resource to wrong sphere  111
41  CWE-770  allocation of resources without limits or throttling  109
42  CWE-401  missing release of memory after effective lifetime  104
43  CWE-59  improper link resolution before file access ('link following')  102
44  CWE-319  cleartext transmission of sensitive information  92
45  CWE-203  observable discrepancy  88
46  CWE-285  improper authorization  88
47  CWE-532  insertion of sensitive information into log file  84
48  CWE-755  improper handling of exceptional conditions  83
49  CWE-327  use of a broken or risky cryptographic algorithm  81
50  CWE-835  loop with unreachable exit condition ('infinite loop')  80
TOP 50 CWEs · 2020
01  CWE-79  improper neutralization of input during web page generation ('cross-site scripting')  2,167
02  CWE-787  out-of-bounds write  1,388
03  CWE-20  improper input validation  831
04  CWE-125  out-of-bounds read  673
05  CWE-78  improper neutralization of special elements used in an OS command ('OS command injection')  538
06  CWE-89  improper neutralization of special elements used in an SQL command ('SQL injection')  463
07  CWE-22  improper limitation of a pathname to a restricted directory ('path traversal')  431
08  CWE-352  cross-site request forgery (CSRF)  399
09  CWE-120  buffer copy without checking size of input ('classic buffer overflow')  391
10  CWE-416  use after free  380
11  CWE-200  exposure of sensitive information to an unauthorized actor  351
12  CWE-287  improper authentication  351
13  CWE-269  improper privilege management  274
14  CWE-862  missing authorization  270
15  CWE-306  missing authentication for critical function  254
16  CWE-434  unrestricted upload of file with dangerous type  231
17  CWE-400  uncontrolled resource consumption  228
18  CWE-276  incorrect default permissions  203
19  CWE-190  integer overflow or wraparound  202
20  CWE-74  improper neutralization of special elements in output used by a downstream component ('injection')  192
21  CWE-522  insufficiently protected credentials  191
22  CWE-476  null pointer dereference  187
23  CWE-119  improper restriction of operations within the bounds of a memory buffer  184
24  CWE-798  use of hard-coded credentials  184
25  CWE-863  incorrect authorization  183
26  CWE-732  incorrect permission assignment for critical resource  176
27  CWE-502  deserialization of untrusted data  158
28  CWE-362  concurrent execution using shared resource with improper synchronization ('race condition')  155
29  CWE-77  improper neutralization of special elements used in a command ('command injection')  153
30  CWE-295  improper certificate validation  138
31  CWE-918  server-side request forgery (SSRF)  119
32  CWE-284  improper access control  113
33  CWE-59  improper link resolution before file access ('link following')  110
34  CWE-319  cleartext transmission of sensitive information  110
35  CWE-611  improper restriction of XML external entity reference  108
36  CWE-427  uncontrolled search path element  105
37  CWE-94  improper control of generation of code ('code injection')  102
38  CWE-601  URL redirection to untrusted site ('open redirect')  101
39  CWE-532  insertion of sensitive information into log file  93
40  CWE-327  use of a broken or risky cryptographic algorithm  85
41  CWE-755  improper handling of exceptional conditions  82
42  CWE-401  missing release of memory after effective lifetime  79
43  CWE-312  cleartext storage of sensitive information  74
44  CWE-347  improper verification of cryptographic signature  73
45  CWE-843  access of resource using incompatible type ('type confusion')  70
46  CWE-917  improper neutralization of special elements used in an expression language statement ('expression language injection')  68
47  CWE-203  observable discrepancy  66
48  CWE-1321  improperly controlled modification of object prototype attributes ('prototype pollution')  66
49  CWE-770  allocation of resources without limits or throttling  64
50  CWE-209  generation of error message containing sensitive information  61
TOP 50 CWEs · 2019
01  CWE-79  improper neutralization of input during web page generation ('cross-site scripting')  2,342
02  CWE-787  out-of-bounds write  1,294
03  CWE-20  improper input validation  927
04  CWE-125  out-of-bounds read  908
05  CWE-416  use after free  574
06  CWE-200  exposure of sensitive information to an unauthorized actor  559
07  CWE-89  improper neutralization of special elements used in an SQL command ('SQL injection')  547
08  CWE-352  cross-site request forgery (CSRF)  543
09  CWE-22  improper limitation of a pathname to a restricted directory ('path traversal')  481
10  CWE-119  improper restriction of operations within the bounds of a memory buffer  481
11  CWE-78  improper neutralization of special elements used in an OS command ('OS command injection')  394
12  CWE-287  improper authentication  274
13  CWE-476  null pointer dereference  245
14  CWE-190  integer overflow or wraparound  220
15  CWE-732  incorrect permission assignment for critical resource  219
16  CWE-862  missing authorization  211
17  CWE-434  unrestricted upload of file with dangerous type  210
18  CWE-522  insufficiently protected credentials  185
19  CWE-306  missing authentication for critical function  180
20  CWE-400  uncontrolled resource consumption  170
21  CWE-284  improper access control  166
22  CWE-269  improper privilege management  164
23  CWE-94  improper control of generation of code ('code injection')  143
24  CWE-502  deserialization of untrusted data  135
25  CWE-611  improper restriction of XML external entity reference  135
26  CWE-798  use of hard-coded credentials  132
27  CWE-77  improper neutralization of special elements used in a command ('command injection')  129
28  CWE-401  missing release of memory after effective lifetime  126
29  CWE-863  incorrect authorization  122
30  CWE-601  URL redirection to untrusted site ('open redirect')  118
31  CWE-295  improper certificate validation  114
32  CWE-120  buffer copy without checking size of input ('classic buffer overflow')  112
33  CWE-59  improper link resolution before file access ('link following')  111
34  CWE-532  insertion of sensitive information into log file  104
35  CWE-319  cleartext transmission of sensitive information  103
36  CWE-74  improper neutralization of special elements in output used by a downstream component ('injection')  102
37  CWE-362  concurrent execution using shared resource with improper synchronization ('race condition')  102
38  CWE-770  allocation of resources without limits or throttling  99
39  CWE-918  server-side request forgery (SSRF)  92
40  CWE-276  incorrect default permissions  89
41  CWE-311  missing encryption of sensitive data  83
42  CWE-908  use of uninitialized resource  75
43  CWE-427  uncontrolled search path element  74
44  CWE-755  improper handling of exceptional conditions  71
45  CWE-122  heap-based buffer overflow  68
46  CWE-312  cleartext storage of sensitive information  64
47  CWE-426  untrusted search path  64
48  CWE-917  improper neutralization of special elements used in an expression language statement ('expression language injection')  63
49  CWE-285  improper authorization  57
50  CWE-843  access of resource using incompatible type ('type confusion')  57
TOP 50 CWEs · 2018
01  CWE-79  improper neutralization of input during web page generation ('cross-site scripting')  2,021
02  CWE-20  improper input validation  1,281
03  CWE-200  exposure of sensitive information to an unauthorized actor  1,075
04  CWE-119  improper restriction of operations within the bounds of a memory buffer  1,010
05  CWE-787  out-of-bounds write  863
06  CWE-125  out-of-bounds read  768
07  CWE-190  integer overflow or wraparound  725
08  CWE-22  improper limitation of a pathname to a restricted directory ('path traversal')  564
09  CWE-89  improper neutralization of special elements used in an SQL command ('SQL injection')  502
10  CWE-352  cross-site request forgery (CSRF)  453
11  CWE-416  use after free  432
12  CWE-476  null pointer dereference  340
13  CWE-78  improper neutralization of special elements used in an OS command ('OS command injection')  335
14  CWE-287  improper authentication  301
15  CWE-732  incorrect permission assignment for critical resource  226
16  CWE-400  uncontrolled resource consumption  211
17  CWE-611  improper restriction of XML external entity reference  188
18  CWE-434  unrestricted upload of file with dangerous type  178
19  CWE-311  missing encryption of sensitive data  170
20  CWE-94  improper control of generation of code ('code injection')  166
21  CWE-798  use of hard-coded credentials  143
22  CWE-295  improper certificate validation  128
23  CWE-502  deserialization of untrusted data  127
24  CWE-522  insufficiently protected credentials  124
25  CWE-269  improper privilege management  119
26  CWE-772  missing release of resource after effective lifetime  116
27  CWE-362  concurrent execution using shared resource with improper synchronization ('race condition')  114
28  CWE-835  loop with unreachable exit condition ('infinite loop')  113
29  CWE-863  incorrect authorization  110
30  CWE-704  incorrect type conversion or cast  95
31  CWE-284  improper access control  93
32  CWE-601  URL redirection to untrusted site ('open redirect')  85
33  CWE-426  untrusted search path  76
34  CWE-918  server-side request forgery (SSRF)  75
35  CWE-77  improper neutralization of special elements used in a command ('command injection')  72
36  CWE-415  double free  71
37  CWE-532  insertion of sensitive information into log file  69
38  CWE-862  missing authorization  67
39  CWE-120  buffer copy without checking size of input ('classic buffer overflow')  61
40  CWE-121  stack-based buffer overflow  60
41  CWE-843  access of resource using incompatible type ('type confusion')  58
42  CWE-306  missing authentication for critical function  54
43  CWE-59  improper link resolution before file access ('link following')  50
44  CWE-384  session fixation  49
45  CWE-319  cleartext transmission of sensitive information  48
46  CWE-74  improper neutralization of special elements in output used by a downstream component ('injection')  45
47  CWE-122  heap-based buffer overflow  45
48  CWE-506  embedded malicious code  44
49  CWE-326  inadequate encryption strength  43
50  CWE-404  improper resource shutdown or release  42
TOP 50 CWEs · 2017
Rank  CWE  Name  CVEs
01  CWE-119  improper restriction of operations within the bounds of a memory buffer  2,114
02  CWE-79  improper neutralization of input during web page generation ('cross-site scripting')  1,477
03  CWE-200  exposure of sensitive information to an unauthorized actor  1,312
04  CWE-20  improper input validation  959
05  CWE-125  out-of-bounds read  712
06  CWE-89  improper neutralization of special elements used in an sql command ('sql injection')  504
07  CWE-476  null pointer dereference  344
08  CWE-352  cross-site request forgery (csrf)  315
09  CWE-416  use after free  295
10  CWE-284  improper access control  278
11  CWE-22  improper limitation of a pathname to a restricted directory ('path traversal')  275
12  CWE-787  out-of-bounds write  263
13  CWE-287  improper authentication  232
14  CWE-190  integer overflow or wraparound  223
15  CWE-295  improper certificate validation  179
16  CWE-772  missing release of resource after effective lifetime  170
17  CWE-78  improper neutralization of special elements used in an os command ('os command injection')  158
18  CWE-426  untrusted search path  140
19  CWE-400  uncontrolled resource consumption  137
20  CWE-362  concurrent execution using shared resource with improper synchronization ('race condition')  112
21  CWE-611  improper restriction of xml external entity reference  107
22  CWE-77  improper neutralization of special elements used in a command ('command injection')  106
23  CWE-835  loop with unreachable exit condition ('infinite loop')  102
24  CWE-269  improper privilege management  95
25  CWE-601  url redirection to untrusted site ('open redirect')  95
26  CWE-798  use of hard-coded credentials  95
27  CWE-434  unrestricted upload of file with dangerous type  93
28  CWE-94  improper control of generation of code ('code injection')  91
29  CWE-732  incorrect permission assignment for critical resource  89
30  CWE-502  deserialization of untrusted data  69
31  CWE-74  improper neutralization of special elements in output used by a downstream component ('injection')  66
32  CWE-369  divide by zero  57
33  CWE-415  double free  48
34  CWE-522  insufficiently protected credentials  48
35  CWE-617  reachable assertion  45
36  CWE-918  server-side request forgery (ssrf)  45
37  CWE-326  inadequate encryption strength  44
38  CWE-862  missing authorization  43
39  CWE-427  uncontrolled search path element  42
40  CWE-770  allocation of resources without limits or throttling  41
41  CWE-120  buffer copy without checking size of input ('classic buffer overflow')  39
42  CWE-59  improper link resolution before file access ('link following')  37
43  CWE-306  missing authentication for critical function  37
44  CWE-384  session fixation  34
45  CWE-704  incorrect type conversion or cast  32
46  CWE-532  insertion of sensitive information into log file  31
47  CWE-863  incorrect authorization  31
48  CWE-319  cleartext transmission of sensitive information  28
49  CWE-834  excessive iteration  28
50  CWE-327  use of a broken or risky cryptographic algorithm  27
TOP 50 CWEs · 2016
Rank  CWE  Name  CVEs
01  CWE-119  improper restriction of operations within the bounds of a memory buffer  1,036
02  CWE-200  exposure of sensitive information to an unauthorized actor  684
03  CWE-20  improper input validation  526
04  CWE-79  improper neutralization of input during web page generation ('cross-site scripting')  472
05  CWE-284  improper access control  399
06  CWE-787  out-of-bounds write  175
07  CWE-416  use after free  157
08  CWE-89  improper neutralization of special elements used in an sql command ('sql injection')  94
09  CWE-125  out-of-bounds read  90
10  CWE-476  null pointer dereference  84
11  CWE-352  cross-site request forgery (csrf)  81
12  CWE-22  improper limitation of a pathname to a restricted directory ('path traversal')  78
13  CWE-190  integer overflow or wraparound  70
14  CWE-287  improper authentication  51
15  CWE-362  concurrent execution using shared resource with improper synchronization ('race condition')  46
16  CWE-78  improper neutralization of special elements used in an os command ('os command injection')  31
17  CWE-77  improper neutralization of special elements used in a command ('command injection')  29
18  CWE-94  improper control of generation of code ('code injection')  24
19  CWE-611  improper restriction of xml external entity reference  19
20  CWE-120  buffer copy without checking size of input ('classic buffer overflow')  16
21  CWE-285  improper authorization  15
22  CWE-345  insufficient verification of data authenticity  13
23  CWE-601  url redirection to untrusted site ('open redirect')  13
24  CWE-772  missing release of resource after effective lifetime  13
25  CWE-400  uncontrolled resource consumption  12
26  CWE-798  use of hard-coded credentials  12
27  CWE-269  improper privilege management  11
28  CWE-434  unrestricted upload of file with dangerous type  11
29  CWE-74  improper neutralization of special elements in output used by a downstream component ('injection')  10
30  CWE-502  deserialization of untrusted data  10
31  CWE-835  loop with unreachable exit condition ('infinite loop')  10
32  CWE-369  divide by zero  9
33  CWE-59  improper link resolution before file access ('link following')  8
34  CWE-426  untrusted search path  8
35  CWE-704  incorrect type conversion or cast  8
36  CWE-843  access of resource using incompatible type ('type confusion')  8
37  CWE-918  server-side request forgery (ssrf)  8
38  CWE-415  double free  7
39  CWE-532  insertion of sensitive information into log file  7
40  CWE-401  missing release of memory after effective lifetime  6
41  CWE-113  improper neutralization of crlf sequences in http headers ('http request/response splitting')  4
42  CWE-172  encoding error  4
43  CWE-295  improper certificate validation  4
44  CWE-326  inadequate encryption strength  4
45  CWE-93  improper neutralization of crlf sequences ('crlf injection')  3
46  CWE-129  improper validation of array index  3
47  CWE-134  use of externally-controlled format string  3
48  CWE-276  incorrect default permissions  3
49  CWE-640  weak password recovery mechanism for forgotten password  3
50  CWE-122  heap-based buffer overflow  2

* 2026 is partial-year data through March.

CVSS DISTRIBUTION

Severity, across all 338,482 CVEs.

Grouped by CVSS severity band. Critical (9.0+) and High (7.0+) together account for roughly half the catalog — a baseline reminder that the average disclosed CVE is not low-severity.

Band  CVSS range  CVEs
Critical  9.0 – 10.0  42,791
High  7.0 – 8.9  115,288
Medium  4.0 – 6.9  150,647
Low  0.1 – 3.9  10,533
Unscored  other / unscored  19,223
TOP 10 INDIVIDUAL SCORES
Rank  CVSS score  CVEs (share of catalog)
01  7.5  37,899 (11.2%)
02  9.8  25,732 (7.6%)
03  7.8  24,676 (7.3%)
04  8.8  21,259 (6.3%)
05  5.5  18,453 (5.5%)
06  4.3  18,204 (5.4%)
07  6.5  17,416 (5.1%)
08  5.4  14,831 (4.4%)
09  6.1  14,619 (4.3%)
10  5.3  11,917 (3.5%)
LATEST DISCLOSURES

10 most recent CVEs.

Newly published vulnerability records, ordered by publication time. CVSS scores arrive after initial disclosure — recent entries may show as unscored until enrichment completes.

CVE-2026-3278 High · 7.4

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OpenText™ ZENworks Service Desk allows Cross-Site Scripting (XSS).

Published 2026-03-18
CVE-2026-32694 Medium · 6.6

In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership.

Published 2026-03-18
CVE-2026-25449 Critical · 9.8

Deserialization of Untrusted Data vulnerability in Shinetheme Traveler allows Object Injection. This issue affects Traveler: from n/a before 3.2.8.1.

Published 2026-03-18
CVE-2026-32693 High · 8.8

In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets.

Published 2026-03-18
CVE-2026-32692 High · 7.6

An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions.

Published 2026-03-18
CVE-2026-32691 Medium · 5.3

A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret.

Published 2026-03-18
CVE-2026-33265 Medium · 6.3

In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API.

Published 2026-03-18
CVE-2025-41258 High · 8.0

LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API.

Published 2026-03-18
CVE-2026-23248 Unscored

In the Linux kernel, the following vulnerability has been resolved:

Published 2026-03-18
CVE-2026-23247 Unscored

In the Linux kernel, the following vulnerability has been resolved:

Published 2026-03-18
HOW THIS DATA IS COLLECTED

Where the numbers come from.

Sources

NVD primary feed, CISA KEV catalog, vendor security advisories, and other public vulnerability sources. CVE entries reconciled across sources to a single canonical record.

Enrichment

CVSS for severity (v2, v3.0, v3.1, v4.0 where available), EPSS for exploitation likelihood, CWE mapping for vulnerability classification, and CISA KEV flags for known exploitation.

Cadence

Records ingest continuously. Initial publications often arrive without CVSS scoring; scores fill in as CNAs and analysts complete enrichment over the following days.

Build on the live corpus through the Vulnerability APIs — CVE search, CVE detail, and the underlying scoring.

BUILD ON THIS DATA

Get this data through the API.

The numbers above are point-in-time snapshots. The underlying CVE corpus is live and queryable through Deepinfo’s Vulnerability APIs — same data, with full enrichment metadata.
