Metrics
Use the scroll bar to navigate the data tables.
Published CVE Records
Comparison of published CVE Records by quarter for all years from 1999 to present.
A CVE Record contains descriptive data, (i.e., a brief description and at least one reference) about a vulnerability associated with a CVE ID. CVE Records are published by CVE Numbering Authorities (CNAs).
| Year | 2025 | 2024 | 2023 | 2022 | 2021 | 2020 | 2019 | 2018 | 2017 | 2016 | 2015 | 2014 | 2013 | 2012 | 2011 | 2010 | 2009 | 2008 | 2007 | 2006 | 2005 | 2004 | 2003 | 2002 | 2001 | 2000 | 1999 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Qtr4 | 12,796 | 11,073 | 7,876 | 6,231 | 5,200 | 4,387 | 4,822 | 3,614 | 3,570 | 1,590 | 1,652 | 2,528 | 1,416 | 1,244 | 1,133 | 1,071 | 1,100 | 1,500 | 1,884 | 1,737 | 1,725 | 376 | 154 | 104 | 81 | 393 | 0 |
| Qtr3 | 11,738 | 8,591 | 6,936 | 6,448 | 5,541 | 4,170 | 5,150 | 4,350 | 4,037 | 1,713 | 1,747 | 2,220 | 1,297 | 1,926 | 988 | 1,020 | 1,547 | 1,343 | 1,564 | 1,643 | 1,477 | 741 | 265 | 304 | 573 | 218 | 321 |
| Qtr2 | 11,701 | 11,716 | 7,134 | 6,365 | 5,005 | 5,011 | 4,091 | 4,613 | 3,612 | 1,775 | 1,443 | 1,660 | 1,147 | 1,058 | 901 | 1,408 | 1,381 | 1,279 | 1,887 | 1,887 | 2,013 | 229 | 630 | 593 | 337 | 198 | 0 |
| Qtr1 | 12,009 | 8,697 | 7,015 | 6,015 | 4,415 | 4,807 | 3,245 | 3,935 | 3,426 | 1,379 | 1,652 | 1,540 | 1,282 | 1,060 | 1,128 | 1,140 | 1,704 | 1,551 | 1,987 | 1,618 | 1,493 | 266 | 174 | 690 | 332 | 629 | 0 |
| TOTAL | 48,244 | 40,077 | 28,961 | 25,059 | 20,161 | 18,375 | 17,308 | 16,512 | 14,645 | 6,457 | 6,494 | 7,948 | 5,142 | 5,288 | 4,150 | 4,639 | 5,732 | 5,673 | 7,322 | 6,885 | 6,708 | 1,612 | 1,223 | 1,691 | 1,323 | 1,438 | 321 |
Reserved CVE IDs
Comparison of Reserved CVE IDs by year from 1999 to present.
A “Reserved” CVE ID is the initial state for a CVE Record; when the associated CVE ID is reserved by a CNA.
| Year | 2025 | 2024 | 2023 | 2022 | 2021 | 2020 | 2019 | 2018 | 2017 | 2016 | 2015 | 2014 | 2013 | 2012 | 2011 | 2010 | 2009 | 2008 | 2007 | 2006 | 2005 | 2004 | 2003 | 2002 | 2001 | 2000 | 1999 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Count | 70,729 | 52,316 | 40,051 | 34,553 | 28,506 | 30,680 | 24,179 | 21,407 | 18,196 | 14,472 | 9,959 | 9,465 | 7,334 | 7,370 | 5,630 | 5,379 | 6,094 | 5,968 | 7,607 | 7,077 | 7,041 | 1,357 | 1,209 | 1,909 | 1,445 | 1,178 | 991 |
CVE Record Publications by All CNAs Combined Versus CNA-LRs
Comparison of CVE Records published by all CNAs combined versus CVE Records published by the two Top-Level Root’s (CISA* and MITRE) CNAs of Last Resort (CNA-LRs) from 1999 to present.
As more CNAs are onboarded, the percentage of records published by CNA-LRs will decrease. A smaller percentage for the CNA-LRs is an expected and net positive outcome as this signals that more CNAs are publishing their own CVE Records.
| Year | 2025 | 2024 | 2023 | 2022 | 2021 | 2020 | 2019 | 2018 | 2017 | 2016-1999 |
|---|---|---|---|---|---|---|---|---|---|---|
| All CNAs | 89% | 85% | 79% | 68% | 65% | 58% | 53% | 53% | 50% | 0% |
| CNA-LRs | 11% | 15% | 21% | 32% | 35% | 42% | 47% | 47% | 50% | 100% |
*Note: CISA became a CNA-LR in calendar year 2020.
CNA Partners Added by Year
Comparison of CVE Numbering Authority (CNA) partners added by year from 1999 to present.
Currently, there are 491 CNAs (488 CNAs and 3 CNA-LRs) from 41 countries and 1 no country affiliation participating in the CVE Program.
Note: Occasionally, CNAs become inactive due to corporate mergers or changes in business activities. In these cases, deactivated CNAs are not removed from the recruitment total CNAs added for a calendar year in the table below. Therefore, the totals by year columns if added together will not match the program’s grand total numbers above.
| Year | 2026 | 2025 | 2024 | 2023 | 2022 | 2021 | 2020 | 2019 | 2018 | 2017 | 2016 | 2015 | 2014 | 2013 | 2012 | 2011 | 2010 | 2009 | 2008 | 2007 | 2006 | 2005 | 2004 | 2003 | 2002 | 2001 | 2000 | 1999 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| January | 6 | 3 | 10 | 4 | 1 | 3 | 3 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| February | 1 | 10 | 7 | 9 | 2 | 1 | 3 | 1 | 2 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 6 | 0 | 0 | 0 | 0 | 0 | N/A |
| March | TBA | 3 | 5 | 5 | 3 | 9 | 1 | 1 | 1 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| April | TBA | 7 | 4 | 6 | 3 | 5 | 4 | 0 | 2 | 3 | 1 | 0 | 0 | 0 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| May | TBA | 5 | 9 | 8 | 5 | 1 | 7 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| June | TBA | 4 | 6 | 8 | 5 | 10 | 1 | 1 | 1 | 7 | 1 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| July | TBA | 7 | 9 | 4 | 6 | 2 | 4 | 0 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| August | TBA | 8 | 6 | 8 | 5 | 3 | 1 | 2 | 2 | 6 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| September | TBA | 7 | 8 | 8 | 1 | 8 | 4 | 3 | 1 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 3 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 |
| October | TBA | 5 | 7 | 9 | 12 | 9 | 2 | 1 | 0 | 2 | 0 | 0 | 3 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| November | TBA | 4 | 6 | 9 | 10 | 7 | 4 | 4 | 0 | 1 | 12 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| December | TBA | 1 | 11 | 6 | 3 | 7 | 2 | 2 | 3 | 0 | 7 | 0 | 0 | 0 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| TOTAL | 7 | 64 | 88 | 84 | 56 | 65 | 36 | 16 | 12 | 30 | 23 | 0 | 3 | 0 | 3 | 4 | 1 | 3 | 1 | 1 | 0 | 6 | 0 | 0 | 0 | 0 | 0 | 1 |
CNA Enrichment Recognition
alert
UPDATE: As of June 2, 2025, the “CNA Enrichment Recognition List (ERL)” will be issued monthly based upon a data pull of the previous six months. This is a change from the initial publication schedule of every two weeks with a data pull of the previous 12 months. These changes are informed by a review of existing trends in data change, maintain a regular publication cadence, and better align the ERL with the Inactive CNA Policy.
Future changes to the ERL qualification criteria and reporting may occur over time as the CVE Program continually aims to recognize those CNAs taking on the work to increase the value of CVE Records for downstream consumers, and encourage others to do the same.
Getting more precise and quality vulnerability information in the hands of defenders and downstream customers on a timelier basis helps the cybersecurity community better address risks. Additional vulnerability-related information provides increased transparency, enables vulnerability root cause understanding, and helps prioritize vulnerability and incident response. Information standards and knowledge repositories like CVSS, CWE, and others help provide a common language for this additional information.
In April 2024, the CVE Program highlighted how its data format evolved to better facilitate automation and data enrichment. This means that CNAs, as the authoritative source of vulnerability information within their scope, and — in the case of Supplier CNAs — those with access to the most reliable source for accurate determinations, can easily provide data enrichment directly to a CVE Record as opposed to waiting for a third-party to do so in a less timely and potentially less accurate manner. As such, the CVE Program called on all CNAs to provide this enrichment to their CVE Records directly, and, in so doing, contribute more substantially to the vulnerability management process. Many have answered that call.
In recognition of these CNAs, the CVE Program publishes this “CNA Enrichment Recognition List” once per month. Currently, any CNA who has published a record in the past six months is placed on the list if they have been providing CVSS and CWE information consistently in the recent past. In particular, the requirement is CVSS and CWE information in at least 98% of their records that were published within two weeks of their most recently published record.
For more information about vulnerability information types like CVSS and CWE, see the CVE Record User Guide.
CNA Enrichment Recognition List
Last Updated:
Total CNAs: 256
- Acronis International GmbH
- Adobe Systems Incorporated
- Advanced Micro Devices Inc.
- Airbus
- AlgoSec
- Altera
- Altium
- Amazon
- AMI
- ARC Informatique
- Arista Networks, Inc.
- Armis, Inc.
- Asea Brown Boveri Ltd.
- ASR Microelectronics Co., Ltd.
- ASUSTeK Computer Incorporation
- ASUSTOR Inc.
- ATISoluciones Diseño de Sistemas Electrónicos, S.L.
- Austin Hackers Anonymous
- Autodesk
- Automotive Security Research Group (ASRG)
- Axis Communications AB
- AxxonSoft Limited
- Azure Access Technology
- Bitdefender
- Bizerba SE & Co. KG
- Black Duck Software, Inc.
- Black Lantern Security
- BlackBerry
- Bugcrowd Inc.
- CA Technologies
- Canon EMEA
- Canon Inc.
- Canonical Ltd.
- Carrier Global Corporation
- Centreon
- CERT.PL
- CERT@VDE
- Check Point Software Technologies Ltd.
- Checkmarx
- Checkmk GmbH
- Cisco Systems, Inc.
- Citrix Systems, Inc.
- Cloudflare, Inc.
- Commvault Systems Inc
- Concrete CMS
- ConnectWise LLC
- Crestron Electronics, Inc.
- CrowdStrike Holdings, Inc.
- CyberArk Labs
- CyberDanube
- Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
- Dahua Technologies
- Danfoss
- Dassault Systèmes
- Delinea, Inc.
- Dell EMC
- Delta Electronics, Inc.
- Digi International Inc.
- Docker Inc.
- dotCMS LLC
- Dragos, Inc.
- Eaton
- Eclipse Foundation
- Elastic
- EnterpriseDB Corporation
- Environmental Systems Research Institute, Inc. (Esri)
- Ericsson
- Erlang Ecosystem Foundation
- ESET, spol. s r.o.
- EU Agency for Cybersecurity (ENISA)
- Extreme Networks, Inc.
- F5 Networks
- Fedora Project (Infrastructure Software)
- Fermax Technologies SLU
- Financial Security Institute (FSI)
- Flexera Software LLC
- floragunn GmbH
- Fluid Attacks
- Fortinet, Inc.
- Fortra, LLC
- Foxit Software Incorporated
- Gallagher Group Ltd
- GE Vernova
- Genetec Inc.
- GitHub (maintainer security advisories)
- GitHub Inc, (Products Only)
- GitLab Inc.
- Glyph & Cog, LLC
- Google Cloud
- Google LLC
- Gridware Cybersecurity
- Hallo Welt! GmbH
- Hanwha Vision Co., Ltd.
- Harborist
- HashiCorp Inc.
- HeroDevs
- HiddenLayer, Inc.
- Hitachi Energy
- Hitachi Vantara
- Hitachi, Ltd.
- Honeywell International Inc.
- Honor Device Co., Ltd.
- HP Inc.
- HYPR Corp
- IBM Corporation
- ICS-CERT
- Indian Computer Emergency Response Team (CERT-In)
- Insyde Software
- Intel Corporation
- Internet Systems Consortium (ISC)
- Israel National Cyber Directorate
- Ivanti
- Jamf
- Jaspersoft
- JetBrains s.r.o.
- JFROG
- Johnson Controls
- JPCERT/CC
- Juniper Networks, Inc.
- Kaspersky
- KNIME AG
- KrCERT/CC
- Kubernetes
- Larry Cashdollar
- Legion of the Bouncy Castle Inc.
- Lenovo Group Ltd.
- Lexmark International Inc.
- LG Electronics
- Liferay, Inc.
- M-Files Corporation
- Maritime Hacking Village
- Mattermost, Inc
- Mautic
- Medtronic
- Microchip Technology
- Microsoft Corporation
- Milestone Systems A/S
- Mitsubishi Electric Corporation
- Monash University - Cyber Security Incident Response Team
- Moxa Inc.
- N-able
- National Cyber Security Centre Finland
- National Instruments
- NEC Corporation
- Neo4j
- NETGEAR
- Netskope
- NLnet Labs
- NortonLifeLock Inc
- Nozomi Networks Inc.
- Nvidia Corporation
- Omnissa, LLC
- OMRON Corporation
- ONEKEY GmbH
- Open Design Alliance
- Open-Xchange
- OpenHarmony
- OpenJS Foundation
- OpenText (formerly Micro Focus)
- OpenVPN Inc.
- OPPO
- Palantir Technologies
- Palo Alto Networks
- Panasonic Holdings Corporation
- PaperCut Software Pty Ltd
- Pegasystems
- PHP Group
- Ping Identity Corporation
- Progress Software Corporation
- Proofpoint Inc.
- Protect AI
- Pure Storage, Inc.
- QNAP Systems, Inc.
- Qualcomm, Inc.
- Qualys, Inc.
- Radiometer Medical ApS
- rami.io GmbH
- Rapid7, Inc.
- Real-Time Innovations, Inc.
- Red Hat CNA-LR
- Red Hat, Inc.
- Ribose Limited
- Robert Bosch GmbH
- Roche Diagnostics
- Rockwell Automation
- S21sec Cyber Solutions by Thales
- SailPoint Technologies
- SAP SE
- Schneider Electric SE
- Seagate Technology
- Security Risk Advisors
- ServiceNow
- SICK AG
- Siemens
- Silicon Labs
- Snyk
- Softing
- SoftIron
- SolarWinds
- Solidigm
- Sonatype Inc.
- Sophos
- StrongDM
- Super Micro Computer, Inc.
- Suse
- Switzerland National Cyber Security Centre (NCSC)
- Symantec - A Division of Broadcom
- Synaptics
- Synology Inc.
- Talos
- Tanium Inc.
- TeamViewer Germany GmbH
- Temporal Technologies Inc.
- Tenable Network Security, Inc.
- Teradyne Robotics
- Thales Group
- The Browser Company of New York
- The Document Foundation
- The Joomla! Project
- The Missing Link Australia (TML)
- The Qt Company
- The Rust Project
- The Tcpdump Group
- The Wikimedia Foundation
- TianoCore.org
- TIBCO Software Inc.
- Toreon
- TP-Link Systems Inc.
- TR-CERT (Computer Emergency Response Team of the Republic of Turkey)
- Trend Micro, Inc.
- TWCERT/CC
- TYPO3 Association
- upKeeper Solutions
- Vaadin Ltd.
- VMware
- VulDB
- VulnCheck
- WatchGuard Technologies, Inc.
- Western Digital
- Wind River Systems Inc.
- Wiz, Inc.
- wolfSSL Inc.
- Wordfence
- WSO2 LLC
- Xerox Corporation
- Yandex N.V.
- Yugabyte, Inc.
- Zabbix
- Zephyr Project
- Zero Day Initiative
- Zohocorp
- Zoom Video Communications, Inc.
- Zscaler, Inc.
- ZTE Corporation
- ZUSO Advanced Research Team (ZUSO ART)
- Zyxel Corporation