CVE Statistics by Vendor (2026)
This page tracks how many CVEs each major vendor has accumulated in 2026, broken down by severity, active exploitation, and average CVSS score. Data is pulled directly from our CVE Watchtower database and refreshes automatically as new vulnerabilities are published. Use it to benchmark vendor risk, prioritize your patch queue, or cite in security reports.
Last updated: July 11, 2026 · CVE-2026-* identifiers tracked by CVE Watchtower
| # | Vendor | Share | CVEs | Critical | High | Exploited | Avg CVSS |
|---|---|---|---|---|---|---|---|
| 1 | WordPress ecosystem | 3964 | 334 | 1377 | 0 | 6.6 | |
| 2 | Linux kernel | 2313 | 114 | 875 | 1 | 6.7 | |
| 3 | 1910 | 170 | 854 | 5 | 7.1 | ||
| 4 | Microsoft | 1475 | 120 | 812 | 18 | 7.3 | |
| 5 | Oracle | 557 | 149 | 184 | 1 | 7.5 | |
| 6 | Apple | 399 | 12 | 145 | 2 | 6.5 | |
| 7 | Mozilla | 266 | 92 | 111 | 0 | 8.0 | |
| 8 | Adobe | 210 | 21 | 59 | 2 | 6.5 | |
| 9 | D-Link | 184 | 10 | 100 | 0 | 7.1 | |
| 10 | Cisco | 175 | 13 | 51 | 10 | 6.6 | |
| 11 | IBM | 144 | 24 | 55 | 0 | 7.0 | |
| 12 | Samsung | 135 | 0 | 21 | 0 | 6.3 | |
| 13 | GitLab | 118 | 1 | 31 | 0 | 5.7 | |
| 14 | SAP | 94 | 13 | 10 | 0 | 6.0 | |
| 15 | Juniper | 66 | 3 | 28 | 0 | 6.9 | |
| 16 | Palo Alto Networks | 58 | 0 | 0 | 2 | 4.8 | |
| 17 | Fortinet | 46 | 8 | 11 | 4 | 6.5 | |
| 18 | Atlassian | 26 | 3 | 9 | 0 | 7.2 | |
| 19 | Ivanti | 24 | 5 | 14 | 5 | 7.9 | |
| 20 | Progress | 17 | 1 | 4 | 0 | 6.0 |
July 2026 update. WordPress leads this month’s count with 3950 new CVEs, 334 of which are rated Critical. Microsoft saw the sharpest rise in actively exploited vulnerabilities, with 18 confirmed KEV additions since June.
Frequently Asked Questions
Why does WordPress top the vendor list with nearly 4,000 CVEs?
WordPress itself is secure. The count reflects the entire WordPress ecosystem — thousands of third-party plugins and themes, many of which are maintained by small teams with limited security resources. A single popular plugin can account for hundreds of CVEs in a year. This is why keeping plugins updated is often more critical than patching the WordPress core.
Microsoft has 18 exploited CVEs — why is that more alarming than WordPress’s 3,950 total?
Total CVE count and active exploitation are two very different signals. WordPress has 3,950 CVEs but zero confirmed exploitations in our dataset, meaning attackers are not actively weaponizing them at scale. Microsoft has far fewer CVEs overall, but 18 are confirmed under active attack — making them a higher operational priority for most defenders.
What does the “Exploited” column mean?
It shows how many of a vendor’s 2026 CVEs have been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning real-world attackers are confirmed to be abusing them. Google has 5, Microsoft has 18, and Apple has 2. These are the CVEs that should jump to the top of any patch queue.
Why does Linux kernel rank second with 2,313 CVEs?
The Linux kernel underpins billions of devices worldwide, from servers to smartphones. Its codebase is enormous and open — meaning thousands of researchers audit it continuously. High CVE volume here reflects transparency and active research, not negligence. Notably, only 1 Linux kernel CVE reached confirmed exploitation in this dataset.
Mozilla has an average CVSS of 8.0 — the highest in the top 10. Should I be concerned?
Mozilla’s high average CVSS reflects the nature of browser vulnerabilities, which often score high because they are remotely exploitable. However, Mozilla also has zero confirmed exploitations in this dataset, and Firefox ships patches rapidly. The combination of high severity but low exploitation confirms that fast patching cycles matter as much as the raw score.
How is vendor attribution determined for the WordPress ecosystem?
CVEs are matched against security advisory domains such as wpscan.com, patchstack.com, and wordfence.com, with plugin and theme keywords as a fallback. Each CVE is assigned to one primary vendor. This means a vulnerability in a specific plugin (for example, Elementor or WooCommerce) is grouped under “WordPress ecosystem” rather than the plugin developer.
Can I use this data in a report or presentation?
Yes. The data is free to reference. Please credit Daily CyberSecurity and link back to this page so your readers see the most current figures rather than a static snapshot. For quarterly breakdowns and trend analysis, see our State of Exploited Vulnerabilities report.
Microsoft leads confirmed exploitations with 18 active CVEs in 2026. See which specific vulnerabilities are being weaponized right now, ranked by real-world exploitation probability.