CVE Intelligence Statistics

Last updated: December 23, 2025 at 20:01 UTC

  • CVEs Analyzed: 322,104
  • Critical Gaps: 811
  • Avg Days to Patch: 302
  • Detection Coverage: 0.6%

As of December 23, 2025 at 20:01 UTC, wtfisthiscve has analyzed 322,104 CVEs and generated 16,696 plain English explanations. We've identified 811 Critical Gap vulnerabilities—CVEs with known exploits but no public detection rules available. The average time for vendors to release patches is 302 days. 0.6% of CVEs have detection coverage from major open-source security tools.

Severity Distribution

Of the 322,104 CVEs analyzed: 28,239 (8.8%) are CRITICAL severity, 118,003 (36.6%) are HIGH severity, 142,585 (44.3%) are MEDIUM severity, and 13,327 (4.1%) are LOW severity.

| Severity | CVEs | Share |
|---|---|---|
| CRITICAL | 28,239 | 8.8% |
| HIGH | 118,003 | 36.6% |
| MEDIUM | 142,585 | 44.3% |
| LOW | 13,327 | 4.1% |

Risk Level Breakdown

Risk assessment based on exploit availability and detection coverage shows: 811 (3.9%) are CRITICAL_GAP (exploits exist but no detection available), 610 (2.9%) are HIGH risk (exploits and detection both available), 1,710 (8.1%) are MEDIUM risk (detection available, no known exploits), and 17,905 (85.1%) are LOW risk (no known exploits or detection).

| Risk Level | CVEs | Share |
|---|---|---|
| CRITICAL_GAP | 811 | 3.9% |
| HIGH | 610 | 2.9% |
| MEDIUM | 1,710 | 8.1% |
| LOW | 17,905 | 85.1% |

Patch Availability

Patch availability status: 935 (6.1%) have official patches available, 62 (0.4%) have partial fixes, 85 (0.6%) have documented workarounds only, and 14,202 (92.9%) have no remediation available.

| Status | CVEs | Share |
|---|---|---|
| Patched | 935 | 6.1% |
| Partial Fix | 62 | 0.4% |
| Workaround | 85 | 0.6% |
| No Patch | 14,202 | 92.9% |

Detection Tool Coverage

Detection tool coverage across CVEs: 1,874 (0.6%) have at least one detection method available. OSV.dev covers 1,765 (0.5%), Nuclei templates exist for 137 (0.0%), Sigma rules cover 0 (0.0%), Snort/Suricata rules cover 6 (0.0%), YARA rules cover 0 (0.0%), and Semgrep rules cover 0 (0.0%).

| Tool | CVEs | Coverage |
|---|---|---|
| OSV.dev | 1,765 | 0.5% |
| Nuclei Templates | 137 | 0.0% |
| Sigma Rules | 0 | 0.0% |
| Snort/Suricata | 6 | 0.0% |
| YARA Rules | 0 | 0.0% |
| Semgrep | 0 | 0.0% |

Top Vendors by CVE Count

Top vendors by CVE count: aEnrich (1,551 CVEs, Grade N/A), Apache (949 CVEs, Grade N/A), Unknown (874 CVEs, Grade N/A), WordPress.org (614 CVEs, Grade N/A), GNU Project (482 CVEs, Grade N/A).

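| Vendor | CVEs | Avg Days | Grade |
|---|---|---|---|
| aEnrich | 1,551 | N/A | N/A |
| Apache | 949 | N/A | N/A |
| Unknown | 874 | N/A | N/A |
| WordPress.org | 614 | N/A | N/A |
| GNU Project | 482 | N/A | N/A |
| Microsoft | 442 | 335 | F |
| IBM | 302 | N/A | N/A |
| Linux | 298 | N/A | N/A |
| Not specified | 258 | N/A | N/A |
| unknown | 227 | N/A | N/A |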

Monthly Publication Trends

CVE publication trends: Dec 2025 saw 2,470 new CVEs.

| Month | CVEs | Change |
|---|---|---|
| Jan 2025 | 4,415 | |
| Feb 2025 | 3,831 | ↓ -13.2% |
| Mar 2025 | 4,166 | ↑ +8.7% |
| Apr 2025 | 4,142 | → -0.6% |
| May 2025 | 4,264 | → +2.9% |
| Jun 2025 | 3,799 | ↓ -10.9% |
| Jul 2025 | 3,933 | → +3.5% |
| Aug 2025 | 3,737 | → -5.0% |
| Sep 2025 | 4,537 | ↑ +21.4% |
| Oct 2025 | 4,389 | → -3.3% |
| Nov 2025 | 3,116 | ↓ -29.0% |
| Dec 2025 | 2,470 | ↓ -20.7% |

EPSS Score Distribution

EPSS data is being compiled.

| EPSS Range | CVEs | Share |
|---|---|---|
| 0-10% | 0 | 0% |
| 10-30% | 0 | 0% |
| 30-50% | 0 | 0% |
| >50% | 0 | 0% |

Critical Gap Spotlight

These CVEs have known exploits but no public detection rules available. They represent the highest priority blind spots for security teams.

  • CVE-1999-0095 HIGH - Sendmail Debug Command Vulnerability (13590 days unpatched)
  • CVE-1999-0113 HIGH - Rlogin Root Access Bypass (11530 days unpatched)
  • CVE-1999-0235 HIGH - NCSA WebServer Buffer Overflow (11260 days unpatched)
  • CVE-1999-0208 HIGH - NIS RPC Vulnerability (10962 days unpatched)
  • CVE-1999-0233 HIGH - IIS 1.0 Shellcode Vulnerability (10887 days unpatched)
  • CVE-1999-0101 HIGH - CVE-1999-0101 (10598 days unpatched)
  • CVE-1999-0204 HIGH - Sendmail Vulnerability (10576 days unpatched)
  • CVE-1999-0046 HIGH - Buffer Overflow in rlogin Program (10538 days unpatched)
  • CVE-1999-0042 HIGH - Old IMAP/POP Server Vulnerability (10478 days unpatched)
  • CVE-1999-0238 HIGH - php.cgi Vulnerability (10364 days unpatched)
  • CVE-1999-0182 HIGH - Samba Buffer Overflow (10304 days unpatched)
  • CVE-1999-0192 HIGH - Buffer Overflow in Telnet Daemon tgetent Routing (10286 days unpatched)
  • CVE-1999-0003 HIGH - SGI Tooltalk Buffer Overflow Vulnerability (10119 days unpatched)
  • CVE-1999-0009 HIGH - Inverse Query Buffer Overflow in BIND 4.9 and BIND 8 Releases (10112 days unpatched)
  • CVE-1999-1479 HIGH - Textcounter Vulnerability (10039 days unpatched)
  • CVE-1999-0005 HIGH - IMAP Buffer Overflow (10009 days unpatched)
  • CVE-1999-0002 HIGH - CVE-1999-0002 (9925 days unpatched)
  • CVE-1999-0836 HIGH - UnixWare uidadmin Vulnerability (9877 days unpatched)
  • CVE-1999-0661 HIGH - TCP Wrappers Trojan Horse (9847 days unpatched)
  • CVE-1999-0268 HIGH - MetaInfo MetaWeb Vulnerability (9846 days unpatched)
  • CVE-1999-0283 HIGH - Java Web Server Vulnerability (9846 days unpatched)
  • CVE-1999-0368 HIGH - Palmetto (9807 days unpatched)
  • CVE-1999-1405 HIGH - AIX Snap Vulnerability (9801 days unpatched)
  • CVE-1999-1046 HIGH - CVE-1999-1046 (9788 days unpatched)
  • CVE-1999-0492 HIGH - ffingerd Vulnerability (9735 days unpatched)
  • CVE-1999-1553 HIGH - XCmail Overflow (9728 days unpatched)
  • CVE-1999-0765 HIGH - sgi-midikeys-rogue-keyboard (9709 days unpatched)
  • CVE-1999-0920 HIGH - CVE-1999-0920 (9702 days unpatched)
  • CVE-1999-1063 HIGH - CVE-1999-1063 (9696 days unpatched)
  • CVE-1999-0730 HIGH - Debian Man-DB Symlink Attack (9685 days unpatched)
  • CVE-1999-0874 HIGH - IIS 4.0 Denial of Service Vulnerability (9681 days unpatched)
  • CVE-1999-0696 HIGH - CDE Calendar Manager Service Daemon Buffer Overflow (9666 days unpatched)
  • CVE-1999-1011 HIGH - MDAC Remote Data Service Vulnerability (9648 days unpatched)
  • CVE-1999-0913 HIGH - Dragon-Fire IDS Vulnerability (9631 days unpatched)
  • CVE-1999-0745 HIGH - pdnsd Buffer Overflow (9618 days unpatched)
  • CVE-1999-0911 HIGH - ProFTPD Buffer Overflow (9609 days unpatched)
  • CVE-1999-0926 HIGH - Apache HTTP/2 Denial of Service Vulnerability (9602 days unpatched)
  • CVE-1999-0702 HIGH - Internet Explorer 5.0/5.01 ImportExportFavorites Vulnerability (9595 days unpatched)
  • CVE-1999-1521 HIGH - Computalynx SMTP Server Vulnerability (9594 days unpatched)
  • CVE-1999-0759 HIGH - CVE-1999-0759 (9592 days unpatched)
  • CVE-1999-0953 HIGH - WWWBoard Password File Vulnerability (9589 days unpatched)
  • CVE-1999-0789 HIGH - AIX ftpd Buffer Overflow (9577 days unpatched)
  • CVE-1999-0879 HIGH - WU-FTPD Buffer Overflow (9574 days unpatched)
  • CVE-1999-0791 HIGH - HSMP Protocol Vulnerability (9569 days unpatched)
  • CVE-1999-0943 HIGH - Buffer Overflow in OpenLink 3.2 (9560 days unpatched)
  • CVE-1999-0951 HIGH - Buffer Overflow in OmniHTTPd CGI Program (9553 days unpatched)
  • CVE-1999-0944 HIGH - ikeyman vulnerability (9551 days unpatched)
  • CVE-1999-0950 HIGH - WFTPD FTP Server Buffer Overflow (9547 days unpatched)
  • CVE-1999-0896 HIGH - Buffer Overflow in RealNetworks RealServer Administration Utility (9540 days unpatched)
  • CVE-1999-1190 HIGH - Admiral EmailClub Buffer Overflow (9530 days unpatched)


Package Ecosystem Distribution

Package ecosystem distribution: maven (1,124, 68.3%), pypi (253, 15.4%), npm (105, 6.4%), go (89, 5.4%), nuget (39, 2.4%).

| Ecosystem | CVEs | Share |
|---|---|---|
| maven | 1,124 | 68.3% |
| pypi | 253 | 15.4% |
| npm | 105 | 6.4% |
| go | 89 | 5.4% |
| nuget | 39 | 2.4% |
| cargo | 36 | 2.2% |

API Access

All statistics are available via our JSON API at /api/stats. Data updates hourly.