ToolSec

📊 Data Study

How Many CVEs Are Published Each Year? The Vulnerability Explosion

Data as of full-year 2025

Key findings

  • 2025 set an all-time record: 48,185 CVEs published, a 20.6% jump over 2024 — about 133 new vulnerabilities every single day.
  • Disclosures have grown roughly 7.5× in a decade, from 6,449 in 2016 to 48,185 in 2025.
  • The 2016→2017 jump (6,449 → 14,643) reflects an expansion of the CVE program, not a sudden collapse in software security.
  • The flood is overwhelming the system itself: NIST's NVD enriched ~42,000 CVEs in 2025 yet still fell behind, as submissions have risen 263% since 2020.

A decade of CVE growth

A CVE (Common Vulnerabilities and Exposures) is a publicly catalogued software vulnerability. The number published each year is a rough barometer of how much the security world has to keep up with — and that number has exploded. Here are the annual totals as reported by CVE Details:

Year    CVEs published
2016    6,449
2017    14,643
2018    16,510
2019    17,305
2020    18,323
2021    20,153
2022    25,084
2023    28,818
2024    ~40,009
2025    48,185

That's a roughly 7.5× increase in a decade, and the curve is steepening: the jump from 2024 to 2025 alone added more vulnerabilities than were published in all of 2016.

About that 2017 jump

One number deserves a caveat. The leap from 6,449 in 2016 to 14,643 in 2017 looks alarming, but it doesn't mean software suddenly got twice as buggy. It mainly reflects an expansion of the CVE program — more organisations became CVE Numbering Authorities (CNAs) able to assign IDs, and reporting processes matured. A chunk of the growth in these counts is better cataloguing, not just more flaws. That's an important nuance when citing CVE totals: they measure disclosures, not the true universe of vulnerabilities.

Why the explosion?

Several forces compound:

  • More software, more dependencies. Modern apps pull in hundreds of open-source packages, each a potential source of CVEs.
  • More CNAs. Vendors like Microsoft, Google and many others now assign their own CVE IDs, widening the funnel.
  • More researchers and automation. Bug-bounty programs and automated/AI-assisted discovery surface far more issues than manual review ever could.
  • Better hygiene. Some of the rise is healthy — issues that once went silently unpatched are now disclosed and tracked.

The defender's real problem

At roughly 133 new CVEs a day, no team can patch everything the moment it lands. The takeaway isn't "patch faster"; it's "prioritise smarter". Only a small fraction of CVEs are ever exploited in the wild, so mature teams triage by exploitability and exposure (for example using CISA's Known Exploited Vulnerabilities catalog and severity scoring) rather than chasing every ID. Quantifying which fixes reduce the most risk is exactly the kind of decision our security ROI calculator helps with, and the stakes are high: unpatched systems are a leading cause of data breaches and ransomware.
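
The triage described above, sketched as an added example (not ToolSec's own code): findings are ranked by known exploitation and exposure first, and by severity only within a tier. The CVE IDs are constructed placeholders, KEV_IDS stands in for IDs loaded from a local copy of the KEV catalog, and the tier cut-offs are assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: placeholder IDs, not real CVE records.
# KEV_IDS stands in for the set of IDs loaded from a local copy of the KEV catalog.
KEV_IDS = {"CVE-0000-0002", "CVE-0000-0005"}

@dataclass(frozen=True)
class Finding:
    cve_id: str
    cvss: float            # severity base score, 0.0 to 10.0
    asset: str
    internet_facing: bool  # exposure: reachable from outside the network

FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "build-server", False),
    Finding("CVE-0000-0002", 7.5, "vpn-gateway", True),
    Finding("CVE-0000-0003", 9.1, "web-frontend", True),
    Finding("CVE-0000-0004", 5.3, "intranet-wiki", False),
    Finding("CVE-0000-0005", 6.5, "file-server", False),
    Finding("CVE-0000-0006", 8.1, "mail-relay", True),
]

def tier(f, kev_ids):
    """Lower tier = fix sooner. The cut-offs are assumptions, tune per organisation."""
    exploited = f.cve_id in kev_ids
    if exploited and f.internet_facing:
        return 0  # known exploited and exposed
    if exploited:
        return 1  # known exploited, internal only
    if f.internet_facing and f.cvss >= 9.0:
        return 2  # critical and exposed, no known exploitation
    if f.cvss >= 7.0:
        return 3  # high-severity backlog
    return 4      # routine patch cycle

def triage(findings, kev_ids):
    """Order by tier, then by severity within a tier, then by ID for stable output."""
    return sorted(findings, key=lambda f: (tier(f, kev_ids), -f.cvss, f.cve_id))

def by_severity_only(findings):
    """The naive ordering: highest score first, ignoring exploitation and exposure."""
    return sorted(findings, key=lambda f: (-f.cvss, f.cve_id))

if __name__ == "__main__":
    for f in triage(FINDINGS, KEV_IDS):
        print(tier(f, KEV_IDS), f.cve_id, f.cvss, f.asset)
```

On this sample, the 7.5-scored finding on the exposed VPN gateway moves from fourth place under severity-only ordering to first, ahead of the 9.8 on an internal build server with no known exploitation.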

The system is straining too

The volume is overwhelming even the infrastructure that tracks it. NIST's National Vulnerability Database — which enriches CVEs with severity scores and metadata — enriched nearly 42,000 CVEs in 2025 (45% more than any prior year) yet still couldn't keep pace with submissions, which rose 263% between 2020 and 2025. In April 2026 NIST announced changes to NVD operations specifically to address the record growth. When the official catalog is struggling to keep up, defenders feel it downstream.

The bottom line

The cumulative CVE tally passed 300,000 in 2025, and annual volume shows no sign of slowing. "Patch everything" was never realistic and is now plainly impossible. The organisations that cope are the ones that prioritise by real-world risk, automate triage, and invest where it reduces the most exposure — not the ones that try to chase 133 new vulnerabilities a day.

Methodology

This study compiles publicly reported CVE counts from third-party trackers — it is not our own enumeration. Annual totals (2016–2025) are as reported by CVE Details; the 2025 record figure, daily rate, growth percentages and NVD enrichment numbers come from the sources listed below.

  • Counts reflect CVEs published in a given year and can be revised slightly as records are added or amended. Figures for 2024 vary marginally between sources (around 39,900–40,000); we show ~40,009.
  • CVE totals measure disclosures, not the true number of vulnerabilities in existence — changes in the CVE program (e.g. more CNAs) affect the counts, as the 2017 jump shows.

Data retrieved June 2026.

Sources & notes

Frequently asked questions

How many CVEs were published in 2025?

A record 48,185 CVEs were published in 2025 — about a 20.6% increase over 2024 and roughly 133 new vulnerabilities per day, according to CVE trackers and NVD data.

Why has the number of CVEs grown so fast?

A mix of more software and dependencies, more organisations assigning CVE IDs (CNAs), more researchers and automated discovery, and better disclosure practices. Some growth is also better cataloguing rather than more flaws.

Can security teams patch every CVE?

No — at ~133 new CVEs a day it's impossible. Only a small fraction are ever exploited, so effective teams prioritise by exploitability and exposure (e.g. CISA's KEV catalog) instead of chasing every vulnerability.
