Critical Alert 2 Active Exploits Detected Today

CVE-2026-56291 Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability →
CVE-2026-48939 iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability →
Powered by CVE Watchtower
×

CVE Statistics by Vendor 2026 — Vulnerability Counts & Trends

CVE Statistics by Vendor (2026)

This page tracks how many CVEs each major vendor has accumulated in 2026, broken down by severity, active exploitation, and average CVSS score. Data is pulled directly from our CVE Watchtower database and refreshes automatically as new vulnerabilities are published. Use it to benchmark vendor risk, prioritize your patch queue, or cite in security reports.

Last updated: July 11, 2026 · CVE-2026-* identifiers tracked by CVE Watchtower

#VendorShareCVEsCriticalHighExploitedAvg CVSS
1 WordPress ecosystem
3964 334 1377 0 6.6
2 Linux kernel
2313 114 875 1 6.7
3 Google
1910 170 854 5 7.1
4 Microsoft
1475 120 812 18 7.3
5 Oracle
557 149 184 1 7.5
6 Apple
399 12 145 2 6.5
7 Mozilla
266 92 111 0 8.0
8 Adobe
210 21 59 2 6.5
9 D-Link
184 10 100 0 7.1
10 Cisco
175 13 51 10 6.6
11 IBM
144 24 55 0 7.0
12 Samsung
135 0 21 0 6.3
13 GitLab
118 1 31 0 5.7
14 SAP
94 13 10 0 6.0
15 Juniper
66 3 28 0 6.9
16 Palo Alto Networks
58 0 0 2 4.8
17 Fortinet
46 8 11 4 6.5
18 Atlassian
26 3 9 0 7.2
19 Ivanti
24 5 14 5 7.9
20 Progress
17 1 4 0 6.0
Methodology. A high CVE count does not mean a vendor is less secure. Large vendors with mature disclosure programs report more vulnerabilities. Vendor attribution matches each CVE's references against official vendor advisory domains first (e.g. Cisco PSIRT, MSRC), falling back to description keywords; one primary vendor is counted per CVE, and only CVEs tracked in our Watchtower database are included. Figures update automatically as new CVE-2026 identifiers are ingested.

July 2026 update. WordPress leads this month’s count with 3950 new CVEs, 334 of which are rated Critical. Microsoft saw the sharpest rise in actively exploited vulnerabilities, with 18 confirmed KEV additions since June.

Frequently Asked Questions

Why does WordPress top the vendor list with nearly 4,000 CVEs?

WordPress itself is secure. The count reflects the entire WordPress ecosystem — thousands of third-party plugins and themes, many of which are maintained by small teams with limited security resources. A single popular plugin can account for hundreds of CVEs in a year. This is why keeping plugins updated is often more critical than patching the WordPress core.

Microsoft has 18 exploited CVEs — why is that more alarming than WordPress’s 3,950 total?

Total CVE count and active exploitation are two very different signals. WordPress has 3,950 CVEs but zero confirmed exploitations in our dataset, meaning attackers are not actively weaponizing them at scale. Microsoft has far fewer CVEs overall, but 18 are confirmed under active attack — making them a higher operational priority for most defenders.

What does the “Exploited” column mean?

It shows how many of a vendor’s 2026 CVEs have been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning real-world attackers are confirmed to be abusing them. Google has 5, Microsoft has 18, and Apple has 2. These are the CVEs that should jump to the top of any patch queue.

Why does Linux kernel rank second with 2,313 CVEs?

The Linux kernel underpins billions of devices worldwide, from servers to smartphones. Its codebase is enormous and open — meaning thousands of researchers audit it continuously. High CVE volume here reflects transparency and active research, not negligence. Notably, only 1 Linux kernel CVE reached confirmed exploitation in this dataset.

Mozilla has an average CVSS of 8.0 — the highest in the top 10. Should I be concerned?

Mozilla’s high average CVSS reflects the nature of browser vulnerabilities, which often score high because they are remotely exploitable. However, Mozilla also has zero confirmed exploitations in this dataset, and Firefox ships patches rapidly. The combination of high severity but low exploitation confirms that fast patching cycles matter as much as the raw score.

How is vendor attribution determined for the WordPress ecosystem?

CVEs are matched against security advisory domains such as wpscan.com, patchstack.com, and wordfence.com, with plugin and theme keywords as a fallback. Each CVE is assigned to one primary vendor. This means a vulnerability in a specific plugin (for example, Elementor or WooCommerce) is grouped under “WordPress ecosystem” rather than the plugin developer.

Can I use this data in a report or presentation?

Yes. The data is free to reference. Please credit Daily CyberSecurity and link back to this page so your readers see the most current figures rather than a static snapshot. For quarterly breakdowns and trend analysis, see our State of Exploited Vulnerabilities report.

Microsoft leads confirmed exploitations with 18 active CVEs in 2026. See which specific vulnerabilities are being weaponized right now, ranked by real-world exploitation probability.

Track actively exploited CVEs this month →