CVEdata.com

Shows the cumulative growth of CVEs over the years, illustrating the increasing pace of vulnerability discovery and disclosure. This also explains why CNAs have become necessary to keep up with the pace of new CVEs.

Illustrates the proportion of CVEs that have been assigned CVSS scores versus those that remain unscored, providing insight into the completeness of vulnerability scoring. The number of scored CVEs appears to be mostly coming from the CNAs recently. This does not include CVEs ranked by NVD as they do not appear in cvelistV5.

Shows the evolution of average CVSS scores over time for all CVEs, helping identify if vulnerabilities are becoming more or less severe on average, which they seem to be on average.

Displays the trend of CVSS scores specifically for Known Exploited Vulnerabilities (KEVs), showing how the severity of actively exploited vulnerabilities has changed over time.

Shows the relative distribution of severity levels as percentages over time, with each severity level stacked to show the complete composition for each year.

Displays trend lines for each severity level over time, showing how the proportion of different severity levels has evolved and identifying long-term patterns. There does seem to be an increasingly large medium severity cohort.

Shows what percentage of all CVEs are included in the KEV catalog, highlighting how selective the KEV list is compared to the total CVE population.

This shows the CVSS score distribution for all CVEs, highlighting the distribution of scores for all CVEs.

This shows the CVSS score distribution for CISA KEV, highlighting the distribution of scores for CISA KEV.

This is a static graph. This visualization shows the theoretical distribution of all possible CVSS 2.0 base scores based on the scoring formula. It helps understand which scores are mathematically more likely to occur based on the CVSS calculation algorithm. You can test this yourself here (try to get to 9.5).

This comparison shows the CVSS score distribution between the theoretical probabilistic distribution and the actual distribution for CVSS 2.0..

This is a static graph. This visualization shows the theoretical distribution of all possible CVSS 3.x base scores based on the scoring formula. It helps understand which scores are mathematically more likely to occur based on the CVSS calculation algorithm. You can test this yourself here (try to get to 9.5).

This comparison shows the CVSS score distribution between the theoretical probabilistic distribution and the actual distribution for CVSS 3.x.

This is a static graph. This visualization shows the theoretical distribution of all possible CVSS 4.0 base scores based on the scoring formula. It helps understand which scores are mathematically more likely to occur based on the CVSS calculation algorithm. You can test this yourself here (try to get to 9.6).

This comparison shows the CVSS score distribution between the theoretical probabilistic distribution and the actual distribution for CVSS 4.0.

Shows the proportion of critical CVEs (CVSS score ≥ 9.0) that are included in the KEV catalog versus those that are not, helping understand the relationship between severity and exploitation.

Shows the distribution of Known Exploited Vulnerabilities by the year of their corresponding CVE ID, indicating trends in vulnerability exploitation over time.

A pie chart showing the percentage breakdown of CVSS scores by severity level in the KEV list, providing a clear view of the proportion of vulnerabilities at each severity level.

Distribution of time delays between CVE reservation and publication dates, showing the typical lifecycle of vulnerability disclosure.

Log-scale view of publication delays, better highlighting the distribution of both short and long delays in the vulnerability disclosure process.

Shows the trend of MITRE vs Non-MITRE CVEs assigners over time.

Compares the growth rates of CVEs and KEVs over time, showing how the actively exploited vulnerability landscape has evolved compared to overall vulnerability discoveries.

Shows the distribution of different tags used in CVE records, providing insight into the various categories and attributes of vulnerabilities.

Tracks the number of disputed CVEs over time, showing trends in vulnerability contestation and verification processes.

Shows the number and percentage of CVEs without CVSS scores for each year, helping identify trends in scoring coverage and potential gaps in vulnerability assessment.

Displays the number and percentage of Known Exploited Vulnerabilities (KEVs) that lack CVSS scores, highlighting potential gaps in severity assessment for actively exploited vulnerabilities.

Compares the growth rates of CVEs and KEVs over time, showing how the actively exploited vulnerability landscape has evolved compared to overall vulnerability discoveries.

Shows the percentage of unscored CVEs and KEVs over time, providing a normalized view of scoring coverage trends between general vulnerabilities and known exploited ones.

Shows the distribution of CVSS versions over time, providing insight into the evolution of vulnerability scoring standards.

This is a static graph. It shows the distribution of CVSS severity scores for CVSS 3.x and 4.0, which shows that there is not an even breakdown of the various scores. Part of the reason for this but definitely not all, is that there are 101 (0.0 to 10.0 in increments of 0.1) possible values, which is not evenly divisible by five.

Tracks the number of rejected CVEs over time, showing trends in the vulnerability rejection processes.

Shows the number of CVEs by year tagged as exploited, providing insight into the current state of exploited vulnerabilities.

Shows both the absolute number and percentage of CVEs that have references tagged as exploits, indicating the prevalence of publicly documented exploit code over time.

Shows the distribution of CVSS combinations over time, providing insight into the evolution of vulnerability scoring standards.

Shows the density of CVSS versions over time, providing insight into the evolution of vulnerability scoring standards.

Shows the distribution of EPSS scores over time, providing insight into the evolution of vulnerability scoring standards.

Shows the distribution of EPSS scores over time on a log scale, providing a clearer view of the distribution of EPSS scores.

Shows the distribution of EPSS probability percentiles over time, providing insight into the evolution of vulnerability scoring standards.

Shows the correlation between CVSS and EPSS scores, providing insight into the relationship between the two. The further from perfect agreement the worse the correlation. Only scored vulnerabilities are included.

Shows the correlation between CVSS and EPSS scores for KEV vulnerabilities, providing insight into the relationship between the two. The further from perfect agreement the worse the correlation. Only scored vulnerabilities are included.

Shows the distribution of the delta between CVSS and EPSS scores, normalized to a 0-100 percent scale. A higher number is more different. Once you see this reaching more than 50% it implies that the bulk of CVSS scores are worse than flip of a coin in terms of likelihood of matching the likeihood according to EPSS. Only scored vulnerabilities are included.

Shows the distribution of Vulncheck KEV vs CVE, providing insight into the relationship between the two. Only scored vulnerabilities are included.

Shows the distribution of Vulncheck KEV vs CISA KEV, providing insight into the relationship between the two. Only scored vulnerabilities are included.

Shows the distribution of Vulncheck KEV CVSS scores as rated by CISA ADP/CNA, not NVD.

Shows the distribution of the top 10 vendors in the VulnCheck KEV database, providing insight into the companies most often exploited according to Vulncheck KEV.

Shows the correlation between Vulncheck KEV CVSS scores and EPSS scores for Vulncheck KEV vulnerabilities, providing insight into the relationship between the two. The further from perfect agreement the worse the correlation. Only scored vulnerabilities are included.

Shows the correlation between CVSS and EPSS scores for CVSS 3.x and 4.0, providing insight into the relationship between the two. The colors represent the different metrics for the attack vector type. The further from perfect agreement the worse the correlation. Only scored vulnerabilities are included.

Shows the correlation between CVSS and EPSS scores for CVSS 3.x and 4.0, providing insight into the relationship between the two. The colors represent the different metrics for the attack complexity vector type. The further from perfect agreement the worse the correlation. Only scored vulnerabilities are included.

Shows the correlation between CVSS and EPSS scores for CVSS 3.x and 4.0, providing insight into the relationship between the two. The colors represent the different metrics for the privileges required vector type. The further from perfect agreement the worse the correlation. Only scored vulnerabilities are included.

Shows the correlation between CVSS and EPSS scores for CVSS 3.x and 4.0, providing insight into the relationship between the two. The colors represent the different metrics for the user interaction vector type. The further from perfect agreement the worse the correlation. Only scored vulnerabilities are included.

Shows the distribution of CVSS scores that are overrepresented in the data, providing insight into which scores seem to be favored. The higher the number the less likely that it matches the probabilistic distribution of CVSS scores based on the probability of landing on any given score. The way to read this is that for every 1 possible mathematical combinations that will cause someone to land on any given CVSS score there is Y number of CVEs. If CVSS scores were equally likely there would be little to no deviation in scores. Only scored vulnerabilities are included.

Shows the overlap of CVEs that have been scored by NVD or by CISA or the delegate CNA. Note that this does not include CVEs that have not been scored by either.

Shows the coverage of NVD scores in the data vs CVEs with no CVSS score. The closer to 100% the better the coverage of scored CVEs by NVD.

Shows the distribution of CVSS scores and how they compare when scored by CISA ADP/CNA vs NVD. The way to read this is that the closer to the center the better the agreement. The further from the center the worse the agreement. Only scored vulnerabilities are included.

Shows the distribution of CVSS scores deltas between NVD and CISA ADP/CNA. The closer to zero the more they agree.