CVEdata.com

This report provides a comprehensive analysis of Common Vulnerabilities and Exposures (CVE cvelistV5), CISA Known Exploited Vulnerabilities (KEV), CISA ADP (Vulnrichment), Exploit Prediction Scoring System (EPSS), VulnCheck (VulnCheck KEV) and National Vulnerability Database (NVD CVSS) data.

CVE Growth Over Time

CVE Growth Over Time
Shows the cumulative growth of CVEs over the years, illustrating the increasing pace of vulnerability discovery and disclosure. This also explains why CNAs have become necessary to keep up with the pace of new CVEs.

CVEs that have CVSS scores assigned

CVEs that have CVSS scores assigned
Illustrates the proportion of CVEs that have been assigned CVSS scores versus those that remain unscored, providing insight into the completeness of vulnerability scoring. The number of scored CVEs appears to be mostly coming from the CNAs recently. This does not include CVEs ranked by NVD as they do not appear in cvelistV5.

Average CVSS Score Trends

Average CVSS Score Trends
Shows the evolution of average CVSS scores over time for all CVEs, helping identify if vulnerabilities are becoming more or less severe on average, which they seem to be on average.

Average CISA KEV CVSS Score Trends

Average CISA KEV CVSS Score Trends
Displays the trend of CVSS scores specifically for Known Exploited Vulnerabilities (KEVs), showing how the severity of actively exploited vulnerabilities has changed over time.

Severity Distribution (Stacked)

Severity Distribution (Stacked)
Shows the relative distribution of severity levels as percentages over time, with each severity level stacked to show the complete composition for each year.

CISA KEV Distribution in Total CVE Population

CISA KEV Distribution in Total CVE Population
Shows what percentage of all CVEs are included in the KEV catalog, highlighting how selective the KEV list is compared to the total CVE population.

All CVEs Score Distribution

All CVEs Score Distribution
This shows the CVSS score distribution for all CVEs, highlighting the distribution of scores for all CVEs.

CISA KEV Score Distribution

CISA KEV Score Distribution
This shows the CVSS score distribution for CISA KEV, highlighting the distribution of scores for CISA KEV.

CVSS Score Mathematical Probability for CVSS 2.0

CVSS Score Mathematical Probability for CVSS 2.0
This is a static graph. This visualization shows the theoretical distribution of all possible CVSS 2.0 base scores based on the scoring formula. It helps understand which scores are mathematically more likely to occur based on the CVSS calculation algorithm. You can test this yourself here (try to get to 9.5).

CVSS Score Distribution compared to CVSS Score Mathematical Probability For CVSS 2.0

CVSS Score Distribution compared to CVSS Score Mathematical Probability For CVSS 2.0
This comparison shows the CVSS score distribution between the theoretical probabilistic distribution and the actual distribution for CVSS 2.0..

CVSS Score Mathematical Probability for CVSS 3.x

CVSS Score Mathematical Probability for CVSS 3.x
This is a static graph. This visualization shows the theoretical distribution of all possible CVSS 3.x base scores based on the scoring formula. It helps understand which scores are mathematically more likely to occur based on the CVSS calculation algorithm. You can test this yourself here (try to get to 9.5).

CVSS Score Distribution compared to CVSS Score Mathematical Probability For CVSS 3.x

CVSS Score Distribution compared to CVSS Score Mathematical Probability For CVSS 3.x
This comparison shows the CVSS score distribution between the theoretical probabilistic distribution and the actual distribution for CVSS 3.x.

CVSS Score Mathematical Probability for CVSS 4.0

CVSS Score Mathematical Probability for CVSS 4.0
This is a static graph. This visualization shows the theoretical distribution of all possible CVSS 4.0 base scores based on the scoring formula. It helps understand which scores are mathematically more likely to occur based on the CVSS calculation algorithm. You can test this yourself here (try to get to 9.6).

CVSS Score Distribution compared to CVSS Score Mathematical Probability For CVSS 4.0

CVSS Score Distribution compared to CVSS Score Mathematical Probability For CVSS 4.0
This comparison shows the CVSS score distribution between the theoretical probabilistic distribution and the actual distribution for CVSS 4.0.

Critical CVE Distribution compared to CISA KEV

Critical CVE Distribution compared to CISA KEV
Shows the proportion of critical CVEs (CVSS score ≥ 9.0) that are included in the KEV catalog versus those that are not, helping understand the relationship between severity and exploitation.

CISA KEVs by Year

CISA KEVs by Year
Shows the distribution of Known Exploited Vulnerabilities by the year of their corresponding CVE ID, indicating trends in vulnerability exploitation over time.

Percentage Distribution of CVSS Scores in CISA KEV List

Percentage Distribution of CVSS Scores in CISA KEV List
A pie chart showing the percentage breakdown of CVSS scores by severity level in the KEV list, providing a clear view of the proportion of vulnerabilities at each severity level.

CVE Publication Delays

CVE Publication Delays
Distribution of time delays between CVE reservation and publication dates, showing the typical lifecycle of vulnerability disclosure.

CVE Publication Delays (Log Scale)

CVE Publication Delays (Log Scale)
Log-scale view of publication delays, better highlighting the distribution of both short and long delays in the vulnerability disclosure process.

MITRE vs Non-MITRE CVEs Over Time

MITRE vs Non-MITRE CVEs Over Time
Shows the trend of MITRE vs Non-MITRE CVEs assigners over time.

CVE and CISA KEV Growth Comparison

CVE and CISA KEV Growth Comparison
Compares the growth rates of CVEs and KEVs over time, showing how the actively exploited vulnerability landscape has evolved compared to overall vulnerability discoveries.

CVE Tag Distribution

CVE Tag Distribution
Shows the distribution of different tags used in CVE records, providing insight into the various categories and attributes of vulnerabilities.

Disputed CVEs by Year

Disputed CVEs by Year
Tracks the number of disputed CVEs over time, showing trends in vulnerability contestation and verification processes.

Unscored CVEs by Year

Unscored CVEs by Year
Shows the number and percentage of CVEs without CVSS scores for each year, helping identify trends in scoring coverage and potential gaps in vulnerability assessment.

Unscored CISA KEVs by Year

Unscored CISA KEVs by Year
Displays the number and percentage of Known Exploited Vulnerabilities (KEVs) that lack CVSS scores, highlighting potential gaps in severity assessment for actively exploited vulnerabilities.

Unscored Vulnerabilities Comparison

Unscored Vulnerabilities Comparison
Compares the growth rates of CVEs and KEVs over time, showing how the actively exploited vulnerability landscape has evolved compared to overall vulnerability discoveries.

Percentage of Unscored CVEs

Percentage of Unscored CVEs
Shows the percentage of unscored CVEs and KEVs over time, providing a normalized view of scoring coverage trends between general vulnerabilities and known exploited ones.

CVSS Versions Over Time

CVSS Versions Over Time
Shows the distribution of CVSS versions over time, providing insight into the evolution of vulnerability scoring standards.

CVSS Severity Breakdown of V3.x and V4.0

CVSS Severity Breakdown of V3.x and V4.0
This is a static graph. It shows the distribution of CVSS severity scores for CVSS 3.x and 4.0, which shows that there is not an even breakdown of the various scores. Part of the reason for this but definitely not all, is that there are 101 (0.0 to 10.0 in increments of 0.1) possible values, which is not evenly divisible by five.

Rejected CVEs by Year

Rejected CVEs by Year
Tracks the number of rejected CVEs over time, showing trends in the vulnerability rejection processes.

Actively Exploited CVEs Over Time

Actively Exploited CVEs Over Time
Shows the number of CVEs by year tagged as exploited, providing insight into the current state of exploited vulnerabilities.

CVE with Exploit References over Time

CVE with Exploit References over Time
Shows both the absolute number and percentage of CVEs that have references tagged as exploits, indicating the prevalence of publicly documented exploit code over time.

CVSS Combinations

CVSS Combinations
Shows the distribution of CVSS combinations over time, providing insight into the evolution of vulnerability scoring standards.

CVSS Version Density

CVSS Version Density
Shows the density of CVSS versions over time, providing insight into the evolution of vulnerability scoring standards.

EPSS Score Distribution

EPSS Score Distribution
Shows the distribution of EPSS scores over time, providing insight into the evolution of vulnerability scoring standards.

EPSS Score Distribution (Log Scale)

EPSS Score Distribution (Log Scale)
Shows the distribution of EPSS scores over time on a log scale, providing a clearer view of the distribution of EPSS scores.

EPSS Probability Percentile Distribution

EPSS Probability Percentile Distribution
Shows the distribution of EPSS probability percentiles over time, providing insight into the evolution of vulnerability scoring standards.

CVSS vs EPSS Correlation

CVSS vs EPSS Correlation
Shows the correlation between CVSS and EPSS scores, providing insight into the relationship between the two. The further from perfect agreement the worse the correlation. Only scored vulnerabilities are included.

CISA KEV CVSS vs EPSS Correlation

CISA KEV CVSS vs EPSS Correlation
Shows the correlation between CVSS and EPSS scores for KEV vulnerabilities, providing insight into the relationship between the two. The further from perfect agreement the worse the correlation. Only scored vulnerabilities are included.

EPSS vs CVSS Score Difference Distribution

EPSS vs CVSS Score Difference Distribution
Shows the distribution of the delta between CVSS and EPSS scores, normalized to a 0-100 percent scale. A higher number is more different. Once you see this reaching more than 50% it implies that the bulk of CVSS scores are worse than flip of a coin in terms of likelihood of matching the likeihood according to EPSS. Only scored vulnerabilities are included.

Vulncheck KEV vs CVE

Vulncheck KEV vs CVE
Shows the distribution of Vulncheck KEV vs CVE, providing insight into the relationship between the two. Only scored vulnerabilities are included.

Vulncheck KEV vs CISA KEV

Vulncheck KEV vs CISA KEV
Shows the distribution of Vulncheck KEV vs CISA KEV, providing insight into the relationship between the two. Only scored vulnerabilities are included.

Vulncheck KEV vs CVSS

Vulncheck KEV vs CVSS
Shows the distribution of Vulncheck KEV CVSS scores as rated by CISA ADP/CNA, not NVD.

Top 10 Vendors in VulnCheck Database

Top 10 Vendors in VulnCheck Database
Shows the distribution of the top 10 vendors in the VulnCheck KEV database, providing insight into the companies most often exploited according to Vulncheck KEV.

Vulncheck KEV vs EPSS Correlation

Vulncheck KEV vs EPSS Correlation
Shows the correlation between Vulncheck KEV CVSS scores and EPSS scores for Vulncheck KEV vulnerabilities, providing insight into the relationship between the two. The further from perfect agreement the worse the correlation. Only scored vulnerabilities are included.

CVSS vs EPSS Correlation by Attack Vector

CVSS vs EPSS Correlation by Attack Vector
Shows the correlation between CVSS and EPSS scores for CVSS 3.x and 4.0, providing insight into the relationship between the two. The colors represent the different metrics for the attack vector type. The further from perfect agreement the worse the correlation. Only scored vulnerabilities are included.

CVSS vs EPSS Correlation by Attack Complexity

CVSS vs EPSS Correlation by Attack Complexity
Shows the correlation between CVSS and EPSS scores for CVSS 3.x and 4.0, providing insight into the relationship between the two. The colors represent the different metrics for the attack complexity vector type. The further from perfect agreement the worse the correlation. Only scored vulnerabilities are included.

CVSS vs EPSS Correlation by Privileges Required

CVSS vs EPSS Correlation by Privileges Required
Shows the correlation between CVSS and EPSS scores for CVSS 3.x and 4.0, providing insight into the relationship between the two. The colors represent the different metrics for the privileges required vector type. The further from perfect agreement the worse the correlation. Only scored vulnerabilities are included.

CVSS vs EPSS Correlation by User Interaction

CVSS vs EPSS Correlation by User Interaction
Shows the correlation between CVSS and EPSS scores for CVSS 3.x and 4.0, providing insight into the relationship between the two. The colors represent the different metrics for the user interaction vector type. The further from perfect agreement the worse the correlation. Only scored vulnerabilities are included.

CVSS Score Distribution: Overrepresented CVSS Scores

CVSS Score Distribution: Overrepresented CVSS Scores
Shows the distribution of CVSS scores that are overrepresented in the data, providing insight into which scores seem to be favored. The higher the number the less likely that it matches the probabilistic distribution of CVSS scores based on the probability of landing on any given score. The way to read this is that for every 1 possible mathematical combinations that will cause someone to land on any given CVSS score there is Y number of CVEs. If CVSS scores were equally likely there would be little to no deviation in scores. Only scored vulnerabilities are included.

CVSS Score Overlap: NVD vs CISA ADP/CNA

CVSS Score Overlap: NVD vs CISA ADP/CNA
Shows the overlap of CVEs that have been scored by NVD or by CISA or the delegate CNA. Note that this does not include CVEs that have not been scored by either.

NVD Score Coverage

NVD Score Coverage
Shows the coverage of NVD scores in the data vs CVEs with no CVSS score. The closer to 100% the better the coverage of scored CVEs by NVD.

CVSS Score Distribution: NVD vs CISA ADP/CNA

CVSS Score Distribution: NVD vs CISA ADP/CNA
Shows the distribution of CVSS scores and how they compare when scored by CISA ADP/CNA vs NVD. The way to read this is that the closer to the center the better the agreement. The further from the center the worse the agreement. Only scored vulnerabilities are included.

CVSS Score Delta Distribution: NVD vs CISA ADP/CNA

CVSS Score Delta Distribution: NVD vs CISA ADP/CNA
Shows the distribution of CVSS scores deltas between NVD and CISA ADP/CNA. The closer to zero the more they agree.
Compiled by Robert "RSnake" Hansen. I do not guarantee the correctness of the data or images and further disclaim the reliability of the original data used or how it has been processed or represented in this report. Use your own judgement and do your own research. Use the charts with or without attribution (it's always appreciated), but if you do use it, please include me if you do any additional interesting research.
Report generated on: 2025-04-01