The Evolving CVE Landscape
Partner: F5
As security professionals, we often live and die by the release cycle of individual vulnerabilities, yet the overall “topology” of the landscape is often a blur. Sponsored by F5 Labs, this report takes a retrospective view of the last 20 years of the Common Vulnerabilities and Exposures (CVE) process. The report rewards the reader by identifying the “eras” of vulnerability growth—from the initial 321 entries in 1999 to the current flood of hundreds of new disclosures every single week.
The research highlights a dramatic shift in the variety of software flaws being discovered. The number of unique “weaknesses” (CWEs) present in any given month’s disclosures has increased from just 20 to more than 130 over the last decade. While “celebrity” flaws like SQL injection and XSS have peaked and declined, the landscape has become more evenly distributed and more diverse, with no single vulnerability type currently dominating the field. This “flattening” reflects a growing and more complex list of responsibilities for modern defenders.
The report also provides a predictive look at the future of vulnerability management. We estimate that by 2025, a typical week will bring 547 new CVEs from 54 brand-new vendors. This accelerating pace, combined with the fact that CVSSv3 scores are averaging higher than their predecessors, means that “monotony and panic” will continue to alternate unless defenders adopt more sophisticated, data-driven prioritization models.
Key Findings
- 547 CVEs Per Week: Vulnerability publication is growing at 10% annually, reaching a projected typical rate of 547 new CVEs per week in 2025.
- 18% Vendor Growth: The number of new software vendors experiencing their first-ever CVE is increasing at a rate of 18% per year.
- 130+ Flaw Types Monthly: The diversity of unique software weaknesses (CWEs) in monthly disclosures has jumped from 20 to more than 130 over the last decade.
- CVSSv3 “High” Baseline: The average severity of vulnerabilities has “increased” from Medium to High (~7.0) due to bureaucratic changes in scoring formulas rather than technical shifts.
- Exploit Source Shift: While exploit code for older vulnerabilities lived in ExploitDB (up to 33%), exploit code for newer vulnerabilities is migrating to GitHub, though at a lower overall PoC rate of 5%.
- Wednesdays in April: Statistical modeling reveals that Wednesdays in April are the peak period for “official” vulnerability publications.

The report is a longitudinal data science analysis of the entire NVD/CVE corpus (190,000+ entries) and associated CVSS/EPSS data over two decades.