---
title: "CVE Statistics 2026: Severity Distribution and Top Affected Vendors"
date: 2026-05-04
author: "Sofia Ramirez"
featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2026/05/cve-statistics.jpg"
categories:
  - name: "Cybersecurity"
    url: "/cybersecurity.md"
tags:
  - name: "Statistics"
    url: "/tag/statistics.md"
---

# CVE Statistics 2026: Severity Distribution and Top Affected Vendors

According to NIST’s National Vulnerability Database, 6,153 CVE records were published between April 1 and May 2, 2026, with the mean CVSS base score holding at 6.52 across the window. Critical-severity vulnerabilities accounted for 8.66% of the partial-quarter total, while medium-severity flaws made up 40.99% per the same NIST snapshot, a distribution that complicates the “everything is critical” narrative running through vendor marketing copy.

The figures below come from a primary-source snapshot covering the opening calendar month of the quarter. CVE IDs are assigned by CVE Numbering Authorities (CNAs) under the MITRE-operated CVE Program, which catalogs publicly disclosed vulnerabilities; NIST’s NVD then enriches each record with CVSS, CWE and CPE metadata. The snapshot will be republished as soon as the quarter closes, and the [Methodology](https://sqmagazine.co.uk/stats-methodology/) section discloses the source URL, extraction window, filters, and refresh cadence so readers can trace every figure.

## Key Takeaways

- NIST’s NVD published 6,153 CVE records between April 1 and May 2, 2026, an average of approximately **192 CVEs per day** across the partial-quarter window.
- Critical-severity flaws made up **8.66%** of the total at 533 records, while high-severity flaws accounted for **35.72%** at 2,198 records.
- Linux led the vendor breakdown with **248** CVE records, followed by [Microsoft](https://sqmagazine.co.uk/microsoft-statistics/) at **162** and Google at **147**.
- Cross-site scripting (CWE-79) was the most frequent weakness category at **599** records, or **9.74%** of the window.
- The window’s mean CVSS base score was **6.52** across all CVEs with a published score, according to NIST.
- NIST flagged **292** CVEs (**4.75%** of the window) as UNKNOWN severity, awaiting full enrichment.
- Combined SOHO router CVE count (Tenda plus D-Link) reached 128 records, or **2.08%** of the window.

## Editor’s Choice

- Total CVE records in the Apr 1 to May 2 2026 window: **6,153**.
- High-severity records: **2,198** (35.72% share).
- Medium-severity records: **2,522** (40.99% share).
- Low-severity records: **606** (9.85% share).
- CWE-79 (cross-site scripting) records: **599**.
- Mean CVSS base score across the window: **6.52**.
- Top-10 vendor CVEs sum: **1,144** records, roughly **18.6%** of all records in the window.

## Recent Developments

- **April 8, 2026:** According to Microsoft’s Security Update Guide, Microsoft Security Response Center released the April 2026 Patch Tuesday update, addressing approximately 120 CVEs across Windows, Microsoft Office, Azure, and Microsoft Defender, anchoring Microsoft’s third-place vendor rank for the window.
- **April 15, 2026**: Per Oracle’s Security Alerts page, Oracle published its quarterly Critical Patch Update for April 2026 with more than 380 new security patches across Oracle Database, Fusion Middleware, MySQL, and Java SE, explaining Oracle’s fifth-place rank in the snapshot.
- **April 15, 2026**: The Apache Struts security team published a security bulletin for CVE-2026-31132, a deserialization vulnerability in struts-core 2.x that could allow [remote](https://sqmagazine.co.uk/remote-work-cybersecurity-statistics/) code execution, one of more than 80 CVEs assigned to Apache projects in the window.
- **April 22, 2026**: According to CISA’s Known Exploited Vulnerabilities catalog, CISA continued routine additions to its catalog through the week of April 22, 2026, with new entries reflecting active in-the-wild exploitation evidence collected by the agency.
- **April 29, 2026**: Per Google’s Chrome Releases blog, Google Chrome released a stable channel update addressing several use-after-free vulnerabilities reported by external researchers, aligning with the snapshot’s CWE-416 cluster.
- **April 2026**: NIST continued to communicate ongoing challenges with the analysis and enrichment of CVE records, with NVD staff prioritising CVEs that affect critical infrastructure and high-CVSS vulnerabilities, directly relevant to the 292 UNKNOWN-severity records in the snapshot.

## Methodology Behind These CVE Statistics

The data spine for every figure here comes from a single primary-source snapshot of NIST’s National Vulnerability Database, dated 2026-05-02, with a 32-day actual data span. Every figure cited below traces back to this snapshot, with the disclosure block immediately following.

- **Source name:** National Vulnerability Database (NIST)
- **Source URL:** <https://nvd.nist.gov/developers/vulnerabilities>
- **Snapshot ID:** 2026-Q2
- **Extraction date:** 2026-05-02T04:25:15+00:00
- **Record count:** 6,153 CVE records
- **Refresh cadence:** Republished quarterly as the window closes

Readers comparing year-over-year vendor or CWE rankings should treat the figures as a one-month observation, not a full-quarter total.

Derived cuts, including severity distribution, top vendors, CWE top 10, and mean CVSS, were computed locally from the snapshot’s record set; NIST does not publish those rolling-window aggregates in this form. The full snapshot envelope lives at the path disclosed above and includes a SHA-256 content hash for verification.
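The derived cuts described above (severity buckets, vendor strings from CPE entries, CWE frequencies, mean base score, per-day rate) can be reproduced from the NVD API 2.0 JSON with a short script. The following is an added example, not the magazine’s own extraction tooling: it runs over a handful of constructed records in the API’s response shape (placeholder CVE IDs, vendors and products), assumes the page’s convention that a record with no NVD-assigned Primary CVSS v3.1 metric is UNKNOWN, counts a CVE once toward each distinct vendor and CWE it names, and drops the `NVD-CWE-Other` / `NVD-CWE-noinfo` placeholders from the CWE cut.

```python
"""Derived cuts over an NVD API 2.0 snapshot: severity distribution, vendors from CPE,
CWE frequencies, mean CVSS base score and daily publication rate.
Added example, not the magazine's own extraction tooling; input records are constructed."""
from collections import Counter
from datetime import date
import re

# A literal colon inside a CPE 2.3 component is escaped as '\:', so split on unescaped colons only.
_CPE_SPLIT = re.compile(r"(?<!\\):")


def primary_v31(record):
    """NVD-assigned (type 'Primary') CVSS v3.1 cvssData, or None if NVD has not enriched the record."""
    for metric in record["cve"].get("metrics", {}).get("cvssMetricV31", []):
        if metric.get("type") == "Primary":
            return metric["cvssData"]
    return None


def severity_of(record):
    """Bucket as the article uses it: NVD's baseSeverity when present, otherwise UNKNOWN."""
    data = primary_v31(record)
    return data["baseSeverity"] if data else "UNKNOWN"


def vendors_of(record):
    """Distinct vendor strings taken from *vulnerable* CPE applicability entries."""
    vendors = set()
    for config in record["cve"].get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                parts = _CPE_SPLIT.split(match["criteria"])  # cpe:2.3:<part>:<vendor>:<product>:...
                if match.get("vulnerable") and len(parts) >= 5 and parts[:2] == ["cpe", "2.3"]:
                    vendors.add(parts[3])
    return vendors


def cwes_of(record):
    """Distinct CWE identifiers; NVD-CWE-Other / NVD-CWE-noinfo placeholders are dropped."""
    return {d["value"] for w in record["cve"].get("weaknesses", [])
            for d in w.get("description", [])
            if d.get("lang") == "en" and d["value"].startswith("CWE-")}


def summarize(records, top_n=3):
    """Aggregates the article reports. A CVE naming several vendors (or CWEs) counts once
    toward each; shares are of the total record count; the mean covers scored records only."""
    total = len(records)
    severity = Counter(severity_of(r) for r in records)
    vendors = Counter(v for r in records for v in vendors_of(r))
    cwes = Counter(c for r in records for c in cwes_of(r))
    scores = [primary_v31(r)["baseScore"] for r in records if primary_v31(r)]
    days = {date.fromisoformat(r["cve"]["published"][:10]) for r in records}
    span_days = (max(days) - min(days)).days + 1  # inclusive calendar span
    return {
        "total": total,
        "severity": dict(severity),
        "severity_share": {k: round(100 * v / total, 2) for k, v in severity.items()},
        "top_vendors": vendors.most_common(top_n),
        "top_cwes": cwes.most_common(top_n),
        "scored_records": len(scores),
        "mean_cvss": round(sum(scores) / len(scores), 2) if scores else None,
        "span_days": span_days,
        "per_day": round(total / span_days, 1),
    }


def _rec(cve_id, published, cpes=(), cwes=(), score=None, sev=None):
    """Minimal NVD API 2.0 'vulnerabilities[]' entry (constructed test data, placeholder IDs)."""
    metrics = {} if score is None else {"cvssMetricV31": [{
        "source": "nvd@nist.gov", "type": "Primary",
        "cvssData": {"version": "3.1", "baseScore": score, "baseSeverity": sev}}]}
    return {"cve": {
        "id": cve_id, "published": published, "metrics": metrics,
        "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                        "description": [{"lang": "en", "value": c}]} for c in cwes],
        "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                            "cpeMatch": [{"vulnerable": True, "criteria": c} for c in cpes]}]}],
    }}


# Constructed sample: CVE IDs, vendors and products are placeholders, not real records.
SAMPLE = [
    _rec("CVE-2026-99990001", "2026-04-01T08:00:00.000", ["cpe:2.3:o:linux:linux_kernel:6.12:*:*:*:*:*:*:*"], ["CWE-416"], 7.8, "HIGH"),
    _rec("CVE-2026-99990002", "2026-04-01T09:30:00.000", ["cpe:2.3:o:tenda:ac15_firmware:*:*:*:*:*:*:*:*"], ["CWE-78"], 9.8, "CRITICAL"),
    _rec("CVE-2026-99990003", "2026-04-02T10:00:00.000", ["cpe:2.3:a:example:webapp:*:*:*:*:*:*:*:*"], ["CWE-79"], 6.1, "MEDIUM"),
    _rec("CVE-2026-99990004", "2026-04-03T11:00:00.000", ["cpe:2.3:a:example:webapp:2.0:*:*:*:*:*:*:*",
         "cpe:2.3:o:tenda:ac18_firmware:*:*:*:*:*:*:*:*"], ["CWE-79", "NVD-CWE-Other"], 5.3, "MEDIUM"),
    _rec("CVE-2026-99990005", "2026-04-03T12:00:00.000"),  # received but not yet analysed -> UNKNOWN
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Two choices here matter when comparing against vendor roundups: the vendor cut counts CVE records per vendor string, so a CVE that lists both a web application and a router in its CPE configuration is credited to both vendors, and the CPE split respects `\:` escapes so a vendor or product name containing a colon does not shift the vendor column.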

## CVE Statistics: Severity Distribution

- CRITICAL severity: **533** records (**8.66%** of the window).
- HIGH severity: **2,198** records (**35.72%** of the window).
- MEDIUM severity: **2,522** records (**40.99%** of the window), the largest single bucket.
- LOW severity: **606** records (**9.85%** of the window).
- NONE severity: **2** records (**0.03%** of the window), the CVEs NVD scored at a base score of 0.0, an unusually small slice.
- UNKNOWN severity: **292** records (**4.75%** of the window), reflecting NVD’s enrichment backlog.
- Combined high-or-critical share reaches **44.38%** of the window, meaning roughly two in five published CVEs warrant a closer look; the base score alone says nothing about whether a flaw is being exploited, so it sets the review queue, not the patch order.
- Medium-and low together account for **50.84%** of the window, slightly more than half.

| Severity | CVE Count | Share of Window |
|---|---|---|
| CRITICAL | 533 | 8.66% |
| HIGH | 2,198 | 35.72% |
| MEDIUM | 2,522 | 40.99% |
| LOW | 606 | 9.85% |
| NONE | 2 | 0.03% |
| UNKNOWN | 292 | 4.75% |
| **Total** | **6,153** | **100.00%** |

*Source: NIST National Vulnerability Database snapshot (see Methodology).*

The modal CVE in this window is medium-severity, not critical. Treating every CVE as critical wastes scanner cycles and analyst attention.

## Top Affected Vendors

- [Linux](https://sqmagazine.co.uk/linux-statistics/) led the window with **248** CVE records (**4.03%** of all records), reflecting upstream kernel CVE assignments rather than any single distribution.
- OpenClaw ranked second at **174** records (**2.83%** of the window); the vendor string belongs to a single open-source project that received a concentrated burst of CVE assignments in early Q2.
- Microsoft ranked third with **162** records (**2.63%** of the window), aligning with the April Patch Tuesday cadence.
- [Google](https://sqmagazine.co.uk/google-usage-statistics/) placed fourth at **147** records (**2.39%** of the window), driven by Chrome and Android security updates.
- Oracle placed fifth at **96** records (**1.56%** of the window), paced by the April Critical Patch Update.
- Apache placed sixth at **85** records, Tenda seventh at **76**, Adobe eighth at **53**, D-Link ninth at **52**, and Mozilla tenth at **51**.
- The top-10 vendors together account for **1,144** records, roughly **18.6%** of the window total.

| Rank | Vendor (CPE) | CVE Count | Share of Window |
|---|---|---|---|
| 1 | linux | 248 | 4.03% |
| 2 | openclaw | 174 | 2.83% |
| 3 | microsoft | 162 | 2.63% |
| 4 | google | 147 | 2.39% |
| 5 | oracle | 96 | 1.56% |
| 6 | apache | 85 | 1.38% |
| 7 | tenda | 76 | 1.24% |
| 8 | adobe | 53 | 0.86% |
| 9 | dlink | 52 | 0.85% |
| 10 | mozilla | 51 | 0.83% |

*Source: NIST National Vulnerability Database snapshot. Vendor strings derived from CPE vulnerable-configuration entries.*

The OpenClaw rank-2 placement surprises readers who expect a household-name vendor in that slot. A concentrated burst of disclosures against one open-source project can briefly reorder a partial-quarter ranking; the vendor cut counts CVE records, not affected installations or exploitability.

## CVSS Score Patterns

- The mean CVSS base score across the window was **6.52**, which sits in the upper range of the medium severity band on the CVSS v3.1 scale.
- The 8.66% CRITICAL share corresponds to base scores of **9.0 or higher**, per the standard CVSS v3.1 severity bands.
- The 35.72% HIGH share corresponds to base scores between **7.0 and 8.9**.
- The 40.99% MEDIUM share corresponds to base scores between **4.0 and 6.9**.
- Combined high-and medium-share is **76.71%** of the window, representing the bulk of triage workload for typical security teams.
- The 4.75% UNKNOWN share consists of CVEs that NVD has not yet completed enrichment for, so no CVSS base score is currently assigned.

![CVSS Score Distribution and Severity Share](https://sqmagazine.co.uk/wp-content/uploads/2026/05/cvss-score-distribution-and-severity-share.jpg "CVSS Score Distribution and Severity Share")

The mean score is a useful single-number summary for capacity planning, not a triage rule. It tells a SOC lead that an arbitrary scored CVE pulled from the snapshot is, on average, medium-severity, while the 44.38% high-or-critical tail is where patch SLAs actually bite.

## CVE Statistics: Top CWE Categories

- Cross-site scripting (CWE-79) led the snapshot with **599** records, or **9.74%** of the window.
- SQL injection (CWE-89) followed with **393** records (**6.39%**).
- Missing authorization (CWE-862) reached **257** records (**4.18%**).
- Path traversal (CWE-22) reached **249** records (**4.05%**).
- OS command injection (CWE-78) reached **228** records (**3.71%**).
- Use-after-free (CWE-416) reached **200** records (**3.25%**) of the window, concentrated in browser and kernel code.
- Server-side request forgery (CWE-918) reached **193** records (**3.14%**), reflecting cloud-API exposure patterns.

| Rank | CWE | Description | CVE Count | Share |
|---|---|---|---|---|
| 1 | CWE-79 | Cross-site scripting | 599 | 9.74% |
| 2 | CWE-89 | SQL injection | 393 | 6.39% |
| 3 | CWE-862 | Missing authorization | 257 | 4.18% |
| 4 | CWE-22 | Path traversal | 249 | 4.05% |
| 5 | CWE-78 | OS command injection | 228 | 3.71% |
| 6 | CWE-74 | Improper neutralization (general injection) | 218 | 3.54% |
| 7 | CWE-416 | Use-after-free | 200 | 3.25% |
| 8 | CWE-94 | Code injection | 199 | 3.23% |
| 9 | CWE-918 | Server-side request forgery | 193 | 3.14% |
| 10 | CWE-77 | Command injection (parent of CWE-78) | 188 | 3.06% |

*Source: NIST National Vulnerability Database snapshot; CWE definitions: MITRE.*

> **By the numbers:** Cross-site scripting (CWE-79) led the snapshot at **599** records, **9.74%** of all CVEs published in the partial-quarter window, per NIST. The pattern echoes the OWASP Top 10, which has kept injection-class flaws (including XSS) near the head of the web-application risk league for every edition.

## CVE Statistics: Publication Cadence

- The window covers exactly **32 calendar days**, from April 1 to May 2, 2026.
- Average daily publication rate worked out to roughly **192 CVEs per day** across the window.
- On a per-hour basis, the cadence approximates **8 CVEs per hour** (6,153 records over 768 hours), sustained around the clock.
- The earliest CVE publication date in the window was **April 1, 2026**, and the latest was **May 2, 2026**.

Annualised, that cadence (192 per day over 365 days) projects to roughly **70,000** CVEs a year, higher than the public 2024 and 2025 NVD totals. Whether the pace holds through the rest of the quarter will be visible at the next refresh.

## SOHO Router and IoT CVE Cluster

- Tenda accounted for **76** CVE records in the window (**1.24%** of all records), all in consumer and small-office router firmware.
- D-Link accounted for **52** CVE records (**0.85%** of the window), also concentrated in router and NAS firmware.
- Tenda and D-Link together reached **128** SOHO router CVEs across the 32-day window.
- The SOHO-router cluster represented **2.08%** of all CVEs in the window, despite covering only two vendors out of thousands tracked.

![Top SOHO Vendors by Vulnerability Count](https://sqmagazine.co.uk/wp-content/uploads/2026/05/top-soho-vendors-by-vulnerability-count.jpg "Top SOHO Vendors by Vulnerability Count")

The SOHO-router slice matters because vendor-blog CVE roundups tend to under-count this category – enterprise scanner fleets rarely include consumer routers. Snapshots taken straight from NVD reflect the embedded-systems disclosure cadence as it appears in the public record.

## Memory-Safety Bugs

- Use-after-free (CWE-416) reached **200** records in the window, **3.25%** of the total, concentrated in browser engines and operating-system kernels.
- Google Chrome’s **April 29, 2026,** stable update addressed several use-after-free vulnerabilities in V8, Blink, and the Mojo IPC layer, a representative sample of the CWE-416 cluster.
- CWE-416 ranked seventh among all weakness categories tracked in the window, the highest-ranked memory-safety class.
- Use-after-free’s per-day rate works out to approximately **6 records per day**, sustained over the 32-day window.

## Web Application Vulnerability Spread

- Cross-site scripting (CWE-79) accounted for **599** records in the window.
- SQL injection (CWE-89) accounted for **393** records.
- Path traversal (CWE-22) accounted for **249** records.
- Server-side request forgery (CWE-918) accounted for **193** records.
- Together, these four web-application weakness classes represented **23.3%** of all CVEs in the window.
- Combined raw count for the four classes reached **1,434** records over 32 days.

> **Key finding:** Cross-site scripting, SQL injection, path traversal, and server-side request forgery together reached **1,434** CVE records in NIST’s snapshot, **23.3%** of the partial-quarter window’s total. Web-application weakness classes continue to dominate the public CVE feed despite years of defensive tooling.

For a deeper view of how API endpoints contribute to this category, the [API security breach statistics](https://sqmagazine.co.uk/api-security-breach-statistics/) pillar tracks SSRF and broken-authorization patterns at the API layer specifically.

## NVD Enrichment Backlog and UNKNOWN Severity

- A total of **292** CVE records in the window carry an UNKNOWN severity label, **4.75%** of the total.
- NIST continued to communicate ongoing challenges with CVE analysis and enrichment, with NVD staff prioritising CVEs that affect critical infrastructure and high-CVSS vulnerabilities.
- Records awaiting full enrichment carry a `vulnStatus` of Received, Awaiting Analysis or Undergoing Analysis in the NVD API and lack an NVD-assigned CVSS base score, CWE mapping and CPE applicability statement; a CVSS vector supplied by the CNA may still be attached to the record as a Secondary metric.
- The UNKNOWN-severity records work out to roughly **9 unscored CVEs per day** across the window.

An UNKNOWN label does not mean the underlying vulnerability is unimportant. It means NIST has not yet finished assigning a base score or CWE mapping. Security teams should treat the UNKNOWN bucket as a review-manually queue, not a safe-to-ignore pile, and where the CNA attached its own CVSS vector, that vector is a usable interim score until NVD’s analysis lands.

For a broader context on how vulnerability data flows into incident-response programs, the [cybersecurity statistics](https://sqmagazine.co.uk/cybersecurity-statistics/) pillar aggregates threat figures across breach cost, ransomware, and CVE trends.

Related coverage includes [AI-coding security vulnerability statistics](https://sqmagazine.co.uk/ai-coding-security-vulnerability-statistics/) for vulnerabilities in AI-assisted code.

## Frequently Asked Questions (FAQs)

**How many CVEs did NVD publish in the partial-quarter window?**

NIST’s National Vulnerability Database published **6,153** CVE records during the partial-quarter window, averaging approximately **192** records per day. The figure is a partial-quarter snapshot; a full quarter total will be available once May and June records are added at the quarter close.

**Which vendor had the most CVEs in the window?**

Linux led the snapshot with **248** CVE records, followed by OpenClaw at **174**, Microsoft at **162**, Google at **147**, and Oracle at **96**. Vendor strings come from CPE entries and reflect the upstream project name rather than any single distribution or product line.

**What was the mean CVSS score for CVEs in the window?**

The mean CVSS base score across CVEs with a published score was **6.52**, sitting in the upper end of the medium-severity band. Critical-severity records accounted for **8.66%** of the window, while high-severity records accounted for **35.72%**.

**Why are 292 CVEs marked UNKNOWN?**

The **292** UNKNOWN-severity records, **4.75%** of the window, are CVEs that NIST has not yet finished enriching. They lack a complete CVSS base score, CWE mapping, or CPE applicability statement. NIST has communicated an ongoing analysis backlog and is prioritising CVEs that affect critical infrastructure or carry preliminary high-CVSS indicators.

**How does NVD differ from the CISA Known Exploited Vulnerabilities catalog?**

NVD is the U.S. government repository covering all publicly disclosed CVEs, regardless of whether they are being exploited. CISA’s Known Exploited Vulnerabilities catalog is a narrower list of CVEs with confirmed evidence of active in-the-wild exploitation, requiring an assigned CVE ID, exploitation evidence, and a clear remediation action for inclusion.

**When will the snapshot be refreshed?**

The current snapshot will refresh at the close of each subsequent quarter, with the next iteration appending the May and June CVE records to the existing window. The Methodology section above lists the current extraction date and will be updated on every refresh.

## Conclusion

The partial-quarter CVE statistics snapshot tells a clear story for SOC analysts and AppSec leads. NVD published **6,153** CVE records across 32 days, with **44.38%** classified as high or critical severity and a mean CVSS base score of **6.52**. Linux, OpenClaw, Microsoft, Google, and Oracle led the vendor breakdown, while cross-site scripting topped the weakness-class ranking at **599** records.

Across SQ Magazine’s cybersecurity coverage, [breach cost](https://sqmagazine.co.uk/data-breach-statistics/) climbs annually while security budgets grow at roughly half that rate. SOC teams using primary-source NVD aggregates rather than vendor-blog summaries see the embedded-systems slice that scanner roundups undercount.

The snapshot will refresh at the close of each subsequent quarter, with the next iteration appending the May and June records. Cross-source joins with CISA’s Known Exploited Vulnerabilities catalog and the EPSS exploit-prediction feed are planned for upcoming refreshes; both will surface the exploited-in-the-wild subset of the window without changing the underlying figures cited above.