CVE Severity Trends 2020–2026 — How Vulnerability Scores Are Changing
Analysis of CVE severity distribution over 7 years showing how vulnerability counts, severity ratings, and attack categories are evolving. Data sourced from NVD, MITRE, and CISA databases.
Methodology
CVE data is sourced from the NIST National Vulnerability Database (NVD) and MITRE CVE catalog. Severity classifications use CVSS v3.1 base scores: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9). Year 2026 figures are projected based on Q1 data (January-March). Category classifications follow CWE (Common Weakness Enumeration) taxonomy. Security Stack Exchange data fetched via public API on April 11, 2026. CVSS v4.0 comparisons are noted where applicable.
CVE Severity Distribution by Year
| Year | Total CVEs | Critical | High | Medium | Low | % Critical | YoY Growth |
|---|---|---|---|---|---|---|---|
| 2020 | 18,325 | 2,419 | 7,148 | 7,425 | 1,333 | 13.2% | — |
| 2021 | 20,141 | 2,837 | 7,954 | 8,026 | 1,324 | 14.1% | +9.9% |
| 2022 | 25,059 | 3,709 | 10,024 | 9,764 | 1,562 | 14.8% | +24.4% |
| 2023 | 28,902 | 4,481 | 11,561 | 11,117 | 1,743 | 15.5% | +15.3% |
| 2024 | 34,888 | 5,582 | 14,304 | 13,084 | 1,918 | 16.0% | +20.7% |
| 2025 | 38,752 | 6,510 | 15,888 | 14,287 | 2,067 | 16.8% | +11.1% |
| 2026* | ~42,000 | ~7,140 | ~17,220 | ~15,540 | ~2,100 | ~17.0% | +8.4% |
* 2026 figures are projected based on Q1 2026 data (January-March).
Top Vulnerability Categories (2025-2026)
| Rank | CWE ID | Category | % of CVEs | Trend | Typical CVSS v3.1 base |
|---|---|---|---|---|---|
| 1 | CWE-79 | Cross-Site Scripting (XSS) | 12.1% | Stable | 4.3-6.1 |
| 2 | CWE-89 | SQL Injection | 8.7% | Declining | 7.5-9.8 |
| 3 | CWE-787 | Out-of-Bounds Write | 7.3% | Stable | 7.8-9.8 |
| 4 | CWE-862 | Missing Authorization | 6.8% | Rising | 5.3-8.8 |
| 5 | CWE-416 | Use After Free | 5.4% | Stable | 7.8-8.8 |
| 6 | CWE-22 | Path Traversal | 5.1% | Stable | 5.3-7.5 |
| 7 | CWE-125 | Out-of-Bounds Read | 4.8% | Declining | 5.5-7.1 |
| 8 | CWE-20 | Improper Input Validation | 4.5% | Stable | 5.3-9.8 |
| 9 | CWE-352 | Cross-Site Request Forgery | 3.9% | Declining | 4.3-8.0 |
| 10 | CWE-918 | Server-Side Request Forgery | 3.2% | Rising | 5.3-9.1 |
| 11 | NEW* | Supply Chain / Dependency Confusion | 2.8% | Rising | 7.5-9.8 |
| 12 | NEW* | AI/ML Prompt Injection | 1.4% | Rising | 6.5-9.1 |
* No single CWE ID; these two rows group CVEs by attack pattern for this analysis rather than by weakness ID.
CVSS Scoring Examples
| CVE ID | Name | CVSS v3.1 | CVSS v4.0 | Year | Impact / Weakness |
|---|---|---|---|---|---|
| CVE-2021-44228 | Log4Shell | 10.0 | 10.0 | 2021 | Remote Code Execution |
| CVE-2023-44487 | HTTP/2 Rapid Reset | 7.5 | 8.2 | 2023 | Denial of Service |
| CVE-2024-3094 | XZ Utils Backdoor | 10.0 | 10.0 | 2024 | Supply Chain |
| CVE-2023-23397 | Outlook Privilege Escalation | 9.8 | 9.4 | 2023 | Privilege Escalation |
| CVE-2024-21762 | FortiOS Out-of-Bounds Write | 9.8 | 9.3 | 2024 | Remote Code Execution |
| CVE-2023-4966 | Citrix Bleed | 9.4 | 8.7 | 2023 | Information Disclosure |
| CVE-2024-47575 | FortiManager Missing Auth | 9.8 | 9.3 | 2024 | Missing Authentication |
| CVE-2025-0282 | Ivanti Connect Secure RCE | 9.0 | 8.8 | 2025 | Stack-Based Buffer Overflow |
Frequently Asked Questions
How many CVEs are published per year?
CVE publication has grown steadily, from 18,325 in 2020 to roughly 42,000 projected for 2026. In 2024, 34,888 CVEs were published, a 20.7% increase over the 28,902 of 2023 (see the distribution table above). This growth reflects both expanding attack surfaces (cloud, IoT, AI) and improved vulnerability discovery and disclosure processes, not necessarily that software is getting less secure.
What is the difference between CVSS v3.1 and CVSS v4.0?
CVSS v4.0, released in November 2023, reworks the Base metric group: it adds Attack Requirements (AT), drops Scope in favour of separate impact metrics for the Vulnerable System and the Subsequent System (VC/VI/VA and SC/SI/SA), and renames the Temporal group to Threat, where a single Exploit Maturity (E) metric replaces the three v3.1 temporal metrics. Automatable (AU) and Value Density (V) are Supplemental metrics, alongside Safety (S), Recovery (R), Vulnerability Response Effort (RE) and Provider Urgency (U); they carry context for consumers but do not change the numeric score. The nomenclature CVSS-B, CVSS-BT, CVSS-BE and CVSS-BTE states explicitly which metric groups a published score includes. Because v4.0 derives its score from a MacroVector lookup rather than the v3.1 equations, the same vulnerability usually lands a few tenths away from its v3.1 score; in the examples above most v4.0 scores are slightly lower, consistent with the view that the added context reduces inflation of Critical ratings.
Why are Critical CVEs increasing as a percentage?
Critical CVEs have grown from 13.2% of total in 2020 to approximately 16.8% in 2025. Contributing factors include: increased complexity of supply chain attacks, more AI/ML system vulnerabilities classified as Critical due to data exposure risks, growing attack surface from cloud-native infrastructure, and scorer bias toward higher ratings to ensure organizational attention.
What are the most common CVE categories in 2025-2026?
The top CVE categories for 2025-2026 are Cross-Site Scripting (CWE-79) at 12.1%, SQL Injection (CWE-89) at 8.7%, Out-of-Bounds Write (CWE-787) at 7.3%, Missing Authorization (CWE-862) at 6.8%, and Use After Free (CWE-416) at 5.4%. Two categories that map to no single CWE ID, Supply Chain / Dependency Confusion (2.8%) and AI/ML Prompt Injection (1.4%), are the fastest-growing new categories.
How do I prioritize CVE remediation?
Do not rely on CVSS alone: the base score measures technical severity, not the likelihood that anyone will attack. Use EPSS (Exploit Prediction Scoring System), which estimates the probability that a CVE will be exploited in the next 30 days, and check the CISA KEV (Known Exploited Vulnerabilities) catalog for confirmed in-the-wild exploitation. A Medium-severity CVE with a high EPSS score and a KEV listing is more urgent than a Critical CVE with no known exploits. Then weigh asset context: internet exposure, data sensitivity, and compensating controls such as a WAF rule, a disabled feature, or network isolation.
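The triage rule above can be made mechanical. The following is an added example, not a tool or policy from any of the page's data sources: it combines CVSS severity, EPSS probability, KEV status and asset context into priority tiers and orders findings accordingly. The tier thresholds (EPSS 0.5 and 0.1, CVSS 9.0 and 7.0) are an assumed policy, not a standard, and the findings in `SAMPLE` are constructed with placeholder IDs, not real NVD, EPSS or KEV records.

```python
"""Exploit-aware CVE triage (added example). The tier thresholds are an assumed
policy for illustration, and the sample findings are constructed, not real data."""
from dataclasses import dataclass


@dataclass
class Finding:
    finding_id: str
    cvss: float                  # CVSS v3.1 base score (technical severity)
    epss: float                  # EPSS probability of exploitation within 30 days, 0.0-1.0
    in_kev: bool                 # listed in the CISA Known Exploited Vulnerabilities catalog
    internet_exposed: bool       # affected asset is reachable from the internet
    compensating_control: bool   # e.g. WAF rule, vulnerable feature disabled, network isolation


def base_tier(f: Finding) -> int:
    """Evidence of exploitation outranks severity: a KEV listing or a high EPSS
    probability is tier 1 even for a Medium CVSS score."""
    if f.in_kev or f.epss >= 0.5:
        return 1
    if f.epss >= 0.1 or f.cvss >= 9.0:
        return 2
    if f.cvss >= 7.0:
        return 3
    return 4


def priority_tier(f: Finding) -> int:
    """Adjust the evidence-based tier for asset context. KEV entries are never
    demoted: confirmed in-the-wild exploitation is fixed regardless of controls."""
    tier = base_tier(f)
    if f.in_kev:
        return tier
    if f.internet_exposed:
        tier = max(1, tier - 1)      # reachable by anyone: one tier more urgent
    if f.compensating_control:
        tier = min(4, tier + 1)      # mitigated: one tier less urgent
    return tier


def triage(findings):
    """Order findings by tier, then by exploitation probability, then by severity."""
    return sorted(findings, key=lambda f: (priority_tier(f), -f.epss, -f.cvss))


# Constructed sample findings (placeholder IDs; values chosen to show the rule).
SAMPLE = [
    Finding("A", 9.8, 0.02, False, False, True),    # Critical, no exploit signal, isolated + mitigated
    Finding("B", 5.3, 0.91, True, True, False),     # Medium, in KEV, exploited in the wild
    Finding("C", 7.5, 0.03, False, True, False),    # High, internet-facing, no mitigation
    Finding("D", 3.1, 0.001, False, False, False),  # Low, internal
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"P{priority_tier(f)} {f.finding_id} cvss={f.cvss} "
              f"epss={f.epss:.3f} kev={f.in_kev} exposed={f.internet_exposed}")
```

Run as-is, the Medium-severity KEV entry (B) sorts first and the isolated, mitigated Critical (A) drops to tier 3 behind an internet-facing High (C), which is the ordering the paragraph argues for. The EPSS and CVSS thresholds are the part to tune per organisation; the invariant worth keeping is that KEV status is never demoted by a compensating control.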