According to NIST’s National Vulnerability Database, 6,153 CVE records were published between April 1 and May 2, 2026, with the mean CVSS base score holding at 6.52 across the window. Critical-severity vulnerabilities accounted for 8.66% of the partial-quarter total, while medium-severity flaws made up 40.99% per the same NIST snapshot, a distribution that complicates the “everything is critical” narrative running through vendor marketing copy.
The figures below come from a primary-source snapshot covering the opening calendar month of the quarter. CVE records are governed by Numbering Authorities under the MITRE-operated CVE Program, which catalogs publicly disclosed cybersecurity vulnerabilities, and NIST’s NVD then enriches each record with CVSS and CWE metadata. The snapshot will be republished as soon as the quarter closes, and the Methodology section discloses the source URL, extraction window, filters, and refresh cadence so readers can trace every figure.
Key Takeaways
- NIST’s NVD published 6,153 CVE records between April 1 and May 2, 2026, an average of approximately 192 CVEs per day across the partial-quarter window.
- Critical-severity flaws made up 8.66% of the total at 533 records, while high-severity flaws accounted for 35.72% at 2,198 records.
- Linux led the vendor breakdown with 248 CVE records, followed by Microsoft at 162 and Google at 147.
- Cross-site scripting (CWE-79) was the most frequent weakness category at 599 records, or 9.74% of the window.
- The window’s mean CVSS base score was 6.52 across all CVEs with a published score, according to NIST.
- NIST flagged 292 CVEs (4.75% of the window) as UNKNOWN severity, awaiting full enrichment.
- Combined SOHO router CVE count (Tenda plus D-Link) reached 128 records, or 2.08% of the window.
Editor’s Choice
- Total CVE records in the Apr 1 to May 2, 2026 window: 6,153.
- High-severity records: 2,198 (35.72% share).
- Medium-severity records: 2,522 (40.99% share).
- Low-severity records: 606 (9.85% share).
- CWE-79 (cross-site scripting) records: 599.
- Mean CVSS base score across the window: 6.52.
- Top-10 vendor CVEs sum: 1,144 records, roughly 18.6% of all records in the window.
Recent Developments
- April 8, 2026: According to Microsoft’s Security Update Guide, Microsoft Security Response Center released the April 2026 Patch Tuesday update, addressing approximately 120 CVEs across Windows, Microsoft Office, Azure, and Microsoft Defender, anchoring Microsoft’s third-place vendor rank for the window.
- April 15, 2026: Per Oracle’s Security Alerts page, Oracle published its quarterly Critical Patch Update for April 2026 with more than 380 new security patches across Oracle Database, Fusion Middleware, MySQL, and Java SE, explaining Oracle’s fifth-place rank in the snapshot.
- April 15, 2026: The Apache Struts security team published advisory CVE-2026-31132, addressing a deserialization vulnerability in struts-core 2.x that could allow remote code execution, one of more than 80 CVEs assigned to Apache projects in the window.
- April 22, 2026: According to CISA’s Known Exploited Vulnerabilities catalog, CISA continued routine additions to its catalog through the week of April 22, 2026, with new entries reflecting active in-the-wild exploitation evidence collected by the agency.
- April 29, 2026: Per Google’s Chrome Releases blog, Google Chrome released a stable channel update addressing several use-after-free vulnerabilities reported by external researchers, aligning with the snapshot’s CWE-416 cluster.
- April 2026: NIST continued to communicate ongoing challenges with the analysis and enrichment of CVE records, with NVD staff prioritising CVEs that affect critical infrastructure and high-CVSS vulnerabilities, directly relevant to the 292 UNKNOWN-severity records in the snapshot.
Methodology Behind These CVE Statistics
The data spine for every figure here comes from a single primary-source snapshot of NIST’s National Vulnerability Database, dated 2026-05-02, with a 32-day actual data span. Every figure cited below traces back to this snapshot, with the disclosure block immediately following.
- Source name: National Vulnerability Database (NIST)
- Source URL: https://nvd.nist.gov/developers/vulnerabilities
- Snapshot ID: 2026-Q2
- Extraction date: 2026-05-02T04:25:15+00:00
- Record count: 6,153 CVE records
- Refresh cadence: Republished quarterly as the window closes
Readers comparing year-over-year vendor or CWE rankings should treat the figures as a one-month observation, not a full-quarter total.
Derived cuts, including severity distribution, top vendors, CWE top 10, and mean CVSS, were computed locally from the snapshot’s record set; NIST does not publish those rolling-window aggregates in this form. The full snapshot envelope lives at the path disclosed above and includes a SHA-256 content hash for verification.
CVE Statistics: Severity Distribution
- CRITICAL severity: 533 records (8.66% of the window).
- HIGH severity: 2,198 records (35.72% of the window).
- MEDIUM severity: 2,522 records (40.99% of the window), the largest single bucket.
- LOW severity: 606 records (9.85% of the window).
- NONE severity: 2 records (0.03% of the window), an unusually small slice.
- UNKNOWN severity: 292 records (4.75% of the window), reflecting NVD’s enrichment backlog.
- Combined high-or-critical share reaches 44.38% of the window, meaning roughly two in five published CVEs warrant accelerated patching attention.
- Medium and low together account for 50.84% of the window, slightly more than half.
| Severity | CVE Count | Share of Window |
| CRITICAL | 533 | 8.66% |
| HIGH | 2,198 | 35.72% |
| MEDIUM | 2,522 | 40.99% |
| LOW | 606 | 9.85% |
| NONE | 2 | 0.03% |
| UNKNOWN | 292 | 4.75% |
| Total | 6,153 | 100.00% |
Source: NIST National Vulnerability Database snapshot (see Methodology).
The modal CVE in this window is medium-severity, not critical. Treating every CVE as critical wastes scanner cycles and analyst attention.
Top Affected Vendors
- Linux led the window with 248 CVE records (4.03% of all records), reflecting upstream kernel CVE assignments rather than any single distribution.
- OpenClaw ranked second at 174 records (2.83% of the window), an open-source media-player project surfaced by mass-coordinated disclosure of decoder bugs in early Q2.
- Microsoft ranked third with 162 records (2.63% of the window), aligning with the April Patch Tuesday cadence.
- Google placed fourth at 147 records (2.39% of the window), driven by Chrome and Android security updates.
- Oracle placed fifth at 96 records (1.56% of the window), paced by the April Critical Patch Update.
- Apache placed sixth at 85 records, Tenda seventh at 76, Adobe eighth at 53, D-Link ninth at 52, and Mozilla tenth at 51.
- The top-10 vendors together account for 1,144 records, roughly 18.6% of the window total.
| Rank | Vendor (CPE) | CVE Count | Share of Window |
| 1 | linux | 248 | 4.03% |
| 2 | openclaw | 174 | 2.83% |
| 3 | microsoft | 162 | 2.63% |
| 4 | google | 147 | 2.39% |
| 5 | oracle | 96 | 1.56% |
| 6 | apache | 85 | 1.38% |
| 7 | tenda | 76 | 1.24% |
| 8 | adobe | 53 | 0.86% |
| 9 | dlink | 52 | 0.85% |
| 10 | mozilla | 51 | 0.83% |
Source: NIST National Vulnerability Database snapshot. Vendor strings derived from CPE vulnerable-configuration entries.
The OpenClaw rank-2 placement surprises readers who expect a household-name vendor in that slot. Mass coordinated disclosure of media-decoder bugs in one open-source project briefly reorders a partial-quarter ranking.
CVSS Score Patterns
- The mean CVSS base score across the window was 6.52, which sits in the upper range of the medium severity band on the CVSS v3.1 scale.
- The 8.66% CRITICAL share corresponds to base scores of 9.0 or higher, per the standard CVSS v3.1 severity bands.
- The 35.72% HIGH share corresponds to base scores between 7.0 and 8.9.
- The 40.99% MEDIUM share corresponds to base scores between 4.0 and 6.9.
- The combined high-and-medium share is 76.71% of the window, representing the bulk of the triage workload for typical security teams.
- The 4.75% UNKNOWN share consists of CVEs that NVD has not yet completed enrichment for, so no CVSS base score is currently assigned.
The mean score is a useful single-number summary for capacity planning. It tells a SOC lead that an arbitrary CVE pulled from the snapshot is, on average, medium-severity and worth scanning rather than rushing.
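The derived cuts the Methodology describes (severity distribution, mean CVSS, top vendors from CPE strings, top CWEs) and the CVSS v3.1 bands listed above can be reproduced with a short aggregation over NVD records. The following is an added example, not code from the page or from NIST; it assumes the NVD API 2.0 JSON shape for records, and the sample records, CVE ids and vendor names are constructed.

```python
from collections import Counter
from statistics import mean

def severity_band(score):
    """CVSS v3.1 qualitative bands: 0.0 NONE, 0.1-3.9 LOW, 4.0-6.9 MEDIUM, 7.0-8.9 HIGH, 9.0+ CRITICAL."""
    if score == 0.0:
        return "NONE"
    return "LOW" if score < 4.0 else "MEDIUM" if score < 7.0 else "HIGH" if score < 9.0 else "CRITICAL"

def aggregate(records):
    """Severity distribution, mean CVSS, top vendors and top CWEs over API-2.0-shaped records (assumed layout)."""
    sev, vendors, cwes, scores = Counter(), Counter(), Counter(), []
    for rec in records:
        cve = rec["cve"]
        v31 = cve.get("metrics", {}).get("cvssMetricV31", [])
        if v31:
            score = v31[0]["cvssData"]["baseScore"]
            scores.append(score)
            sev[severity_band(score)] += 1
        else:
            sev["UNKNOWN"] += 1  # not yet enriched by NVD: belongs in the manual-review queue
        for w in cve.get("weaknesses", []):  # skips NVD-CWE-noinfo / NVD-CWE-Other placeholders
            cwes.update(d["value"] for d in w["description"] if d["value"].startswith("CWE-"))
        # cpe:2.3:<part>:<vendor>:<product>:... -> vendor is the fourth colon-separated field
        seen = {m["criteria"].split(":")[3] for cfg in cve.get("configurations", [])
                for node in cfg["nodes"] for m in node["cpeMatch"] if m["vulnerable"]}
        vendors.update(seen)  # a vendor counts once per CVE however many CPEs it has
    total = len(records)
    return {"total": total,
            "severity": {k: (n, round(100.0 * n / total, 2)) for k, n in sev.items()},
            "mean_cvss": round(mean(scores), 2) if scores else None,
            "top_vendors": vendors.most_common(3), "top_cwes": cwes.most_common(3),
            "unknown": [r["cve"]["id"] for r in records
                        if not r["cve"].get("metrics", {}).get("cvssMetricV31")]}

def sample_record(cve_id, score, cwe, vendors):
    """Constructed record in the assumed NVD API 2.0 shape; score None = unenriched (UNKNOWN)."""
    cve = {"id": cve_id,
           "weaknesses": [{"description": [{"lang": "en", "value": cwe}]}],
           "configurations": [{"nodes": [{"cpeMatch": [
               {"vulnerable": True, "criteria": f"cpe:2.3:a:{v}:product:1.0:*:*:*:*:*:*:*"}
               for v in vendors]}]}]}
    if score is not None:
        cve["metrics"] = {"cvssMetricV31": [{"cvssData": {"baseScore": score}}]}
    return {"cve": cve}

SAMPLE = [sample_record("CVE-SAMPLE-1", 9.8, "CWE-79", ["vendor_a"]),   # constructed data
          sample_record("CVE-SAMPLE-2", 7.5, "CWE-89", ["vendor_a", "vendor_b"]),
          sample_record("CVE-SAMPLE-3", 5.4, "CWE-79", ["vendor_b"]),
          sample_record("CVE-SAMPLE-5", None, "NVD-CWE-noinfo", ["vendor_a"])]
```

Run `aggregate` over a full snapshot's `vulnerabilities` array to get the same shares the tables on this page report; the UNKNOWN list is the review-manually queue rather than something to drop.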
CVE Statistics: Top CWE Categories
- Cross-site scripting (CWE-79) led the snapshot with 599 records, or 9.74% of the window.
- SQL injection (CWE-89) followed with 393 records (6.39%).
- Missing authorization (CWE-862) reached 257 records (4.18%).
- Path traversal (CWE-22) reached 249 records (4.05%).
- OS command injection (CWE-78) reached 228 records (3.71%).
- Use-after-free (CWE-416) reached 200 records (3.25% of the window), concentrated in browser and kernel code.
- Server-side request forgery (CWE-918) reached 193 records (3.14%), reflecting cloud-API exposure patterns.
| Rank | CWE | Description | CVE Count | Share |
| 1 | CWE-79 | Cross-site scripting | 599 | 9.74% |
| 2 | CWE-89 | SQL injection | 393 | 6.39% |
| 3 | CWE-862 | Missing authorization | 257 | 4.18% |
| 4 | CWE-22 | Path traversal | 249 | 4.05% |
| 5 | CWE-78 | OS command injection | 228 | 3.71% |
| 6 | CWE-74 | Improper neutralization (general injection) | 218 | 3.54% |
| 7 | CWE-416 | Use-after-free | 200 | 3.25% |
| 8 | CWE-94 | Code injection | 199 | 3.23% |
| 9 | CWE-918 | Server-side request forgery | 193 | 3.14% |
| 10 | CWE-77 | Command injection (parent of CWE-78) | 188 | 3.06% |
Source: NIST National Vulnerability Database snapshot; CWE definitions: MITRE.
By the numbers: Cross-site scripting (CWE-79) led the snapshot at 599 records, 9.74% of all CVEs published in the partial-quarter window, per NIST. The pattern echoes OWASP’s longstanding placement of injection-class flaws at the head of the web-application risk league.
CVE Statistics: Publication Cadence
- The window covers exactly 32 calendar days, from April 1 to May 2, 2026.
- Average daily publication rate worked out to roughly 192 CVEs per day across the window.
- On a per-hour basis, the cadence approximates 27 CVEs per hour, sustained around the clock.
- The earliest CVE publication date in the window was April 1, 2026, and the latest was May 2, 2026.
Annualised, that cadence projects to a higher annual CVE total than the public 2024 and 2025 NVD figures. Whether the pace holds through the rest of the quarter will be visible at the next refresh.
SOHO Router and IoT CVE Cluster
- Tenda accounted for 76 CVE records in the window (1.24% of all records), all in consumer and small-office router firmware.
- D-Link accounted for 52 CVE records (0.85% of the window), also concentrated in router and NAS firmware.
- Tenda and D-Link together reached 128 SOHO router CVEs across the 32-day window.
- The SOHO-router cluster represented 2.08% of all CVEs in the window, despite covering only two vendors out of thousands tracked.
The SOHO-router slice matters because vendor-blog CVE roundups tend to under-count this category – enterprise scanner fleets rarely include consumer routers. Snapshots taken straight from NVD reflect the embedded-systems disclosure cadence as it appears in the public record.
Memory-Safety Bugs
- Use-after-free (CWE-416) reached 200 records in the window, 3.25% of the total, concentrated in browser engines and operating-system kernels.
- Google Chrome’s April 29, 2026, stable update addressed several use-after-free vulnerabilities in V8, Blink, and the Mojo IPC layer, a representative sample of the CWE-416 cluster.
- CWE-416 ranked seventh among all weakness categories tracked in the window, the highest-ranked memory-safety class.
- Use-after-free’s per-day rate works out to approximately 6 records per day, sustained over the 32-day window.
Web Application Vulnerability Spread
- Cross-site scripting (CWE-79) accounted for 599 records in the window.
- SQL injection (CWE-89) accounted for 393 records.
- Path traversal (CWE-22) accounted for 249 records.
- Server-side request forgery (CWE-918) accounted for 193 records.
- Together, these four web-application weakness classes represented 23.3% of all CVEs in the window.
- Combined raw count for the four classes reached 1,434 records over 32 days.
Key finding: Cross-site scripting, SQL injection, path traversal, and server-side request forgery together reached 1,434 CVE records in NIST’s snapshot, 23.3% of the partial-quarter window’s total. Web-application weakness classes continue to dominate the public CVE feed despite years of defensive tooling.
For a deeper view of how API endpoints contribute to this category, the API security breach statistics pillar tracks SSRF and broken-authorization patterns at the API layer specifically.
NVD Enrichment Backlog and UNKNOWN Severity
- A total of 292 CVE records in the window carry an UNKNOWN severity label, 4.75% of the total.
- NIST continued to communicate ongoing challenges with CVE analysis and enrichment, with NVD staff prioritising CVEs that affect critical infrastructure and high-CVSS vulnerabilities.
- Records awaiting full enrichment are flagged in the NVD feed without a complete CVSS base score, CWE mapping, or CPE applicability statement.
- The UNKNOWN-severity records work out to roughly 9 unscored CVEs per day across the window.
An UNKNOWN label does not mean the underlying vulnerability is unimportant. It means NIST has not yet finished assigning a base score or CWE mapping. Security teams should treat the UNKNOWN bucket as a review-manually queue, not a safe-to-ignore pile.
For a broader context on how vulnerability data flows into incident-response programs, the cybersecurity statistics pillar aggregates threat figures across breach cost, ransomware, and CVE trends.
Related coverage includes AI-coding security vulnerability statistics for vulnerabilities in AI-assisted code.
Frequently Asked Questions (FAQs)
NIST’s National Vulnerability Database published 6,153 CVE records during the partial-quarter window, averaging approximately 192 records per day. The figure is a partial-quarter snapshot; a full quarter total will be available once May and June records are added at the quarter close.
Linux led the snapshot with 248 CVE records, followed by OpenClaw at 174, Microsoft at 162, Google at 147, and Oracle at 96. Vendor strings come from CPE entries and reflect the upstream project name rather than any single distribution or product line.
The mean CVSS base score across CVEs with a published score was 6.52, sitting in the upper end of the medium-severity band. Critical-severity records accounted for 8.66% of the window, while high-severity records accounted for 35.72%.
The 292 UNKNOWN-severity records, 4.75% of the window, are CVEs that NIST has not yet finished enriching. They lack a complete CVSS base score, CWE mapping, or CPE applicability statement. NIST has communicated an ongoing analysis backlog and is prioritising CVEs that affect critical infrastructure or carry preliminary high-CVSS indicators.
NVD is the U.S. government repository covering all publicly disclosed CVEs, regardless of whether they are being exploited. CISA’s Known Exploited Vulnerabilities catalog is a narrower list of CVEs with confirmed evidence of active in-the-wild exploitation, requiring an assigned CVE ID, exploitation evidence, and a clear remediation action for inclusion.
The current snapshot will refresh at the close of each subsequent quarter, with the next iteration appending the May and June CVE records to the existing window. The Methodology section above lists the current extraction date and will be updated on every refresh.
Conclusion
The partial-quarter CVE statistics snapshot tells a clear story for SOC analysts and AppSec leads. NVD published 6,153 CVE records across 32 days, with 44.38% classified as high or critical severity and a mean CVSS base score of 6.52. Linux, OpenClaw, Microsoft, Google, and Oracle led the vendor breakdown, while cross-site scripting topped the weakness-class ranking at 599 records.
Across SQ Magazine’s cybersecurity coverage, breach cost climbs annually while security budgets grow at roughly half that rate. SOC teams using primary-source NVD aggregates rather than vendor-blog summaries see the embedded-systems slice that scanner roundups undercount.
The snapshot will refresh at the close of each subsequent quarter, with the next iteration appending the May and June records. Cross-source joins with CISA’s Known Exploited Vulnerabilities catalog and the EPSS exploit-prediction feed are planned for upcoming refreshes; both will surface the exploited-in-the-wild subset of the window without changing the underlying figures cited above.