RSS

Interactive explorer for cybersecurity vulnerability trends

cubefox1 pts0 comments

Cyber Vulnerabilities | Epoch AI

Updated Jun. 5, 2026

Cyber Vulnerabilities

Our interactive explorer for cybersecurity vulnerability trends, built on Common Vulnerabilities and Exposures (CVE) reported to cve.org since 2022.

Download this data

Graph

Table

Settings

Sources

Notable<br>All

Reporting organization<br>AllAllAWSApacheAppleCiscoGoogleLinuxMicrosoftMozillaNVIDIAOracleRed HatAdobeIBMIntelAMDQualcommSamsungSAPVMwareGitHubOpenSSL

All

AWS

Apache

Apple

Cisco

Google

Linux

Microsoft

Mozilla

NVIDIA

Oracle

Red Hat

Adobe

IBM

Intel

AMD

Qualcomm

Samsung

SAP

VMware

GitHub

OpenSSL

Display

Color by<br>None<br>Severity

Severity levels

Critical

High

Medium

Low

Unknown

Milestones

Show Claude Mythos Preview announcement

Show more release milestones

Additional settings

Time period<br>Weekly<br>Monthly<br>Quarterly

Show partial month

Index to 2024 average

Show trend line

Apply

More about this dataset

Documentation<br>Downloads<br>Citations

Documentation<br>Data : CVE records come from the CVE Program’s cvelistV5 repository. We process every published record from 2020 onward. The dates visualized on our explorer represent vulnerability publication dates, not discovery dates.

Severity : CVE severities are based on the Common Vulnerability Scoring System (CVSS). CVSS assigns a score between 0 and 10, according to factors like the attack complexity, required privileges, the scope of the vulnerability, and more. These numeric scores are then assigned to severity categories as follows:

None: 0.0

Low: 0.1 - 3.9

Medium: 4.0 - 6.9

High: 7.0 - 8.9

Critical: 9.0 - 10.0

We default to using a CNA’s own assessment first, and fill in gaps with assessments from third parties (known as Authorized Data Publishers, or ADPs). If multiple CVSS versions are given, we default to v4.0, with fallback to v3.1, then v3.0. Records without one of these CVSS scores are counted as “Unknown.”

Reporting organizations (CNAs) : Every CVE record is assigned by a CNA (CVE Numbering Authority) — typically the vendor of the affected product or a third-party security research organization. We count CVEs across all CNAs, but to keep the underlying data manageable we only break down individual counts for notable CNAs, with non-notable CNAs grouped into an “Other” category.

We consider a CNA notable if it is a vendor of widely-deployed software or hardware, or a major open-source project or foundation, and it maintains an active CVE program (we require at least 50 CVEs published since 2020). We include the following organizations in our list of notable CNAs:

Major vendors (17): Microsoft · Google · Apple · Adobe · Oracle · Cisco · IBM · Red Hat · Intel · AMD · NVIDIA · Qualcomm · Samsung · SAP · Amazon (AWS) · VMware (Broadcom) · GitHub (own products)

Open source (4): Linux · Mozilla · Apache · OpenSSL

Reporting practices vary substantially across organizations, creating noise. For instance, Linux became a CNA in February 2024 and subsequently began assigning CVEs for thousands of backported bug fixes, leading to a high number of reports in 2024 and 2025.

Individual records : Alongside the aggregates, we surface individual High and Critical severity CVEs from notable CNAs, each linking back to its official CVE record. See the “Table” view in the explorer above, or download our data at the link below.

Our explorer visualizes the announcement date of Claude Mythos Preview (April 7, 2026), which coincided with a large jump in the number of new vulnerability reports. Anthropic claimed that Claude Mythos was capable of autonomous vulnerability discovery, and gave trusted partners access to the model in order to harden their software. Mythos Preview was used to find bugs in software before the April 7th announcement, which may have contributed to an increased number of reports in the month before the announcement. As of May 22nd, Anthropic claimed that Mythos Preview had been used to identify more than ten thousand high- or critical-severity bugs (not all of which had been publicly reported). Additionally, OpenAI has claimed that GPT-5.5 (released April 23) and GPT-5.5-cyber (May 7) are also capable of advanced cybersecurity tasks, and launched a similar trusted-partner program on May 7th, 2026.

Downloads<br>Cyber Vulnerabilities Data<br>LINK, Unknown date

Citations<br>Epoch AI’s data is free to use, distribute, and reproduce provided the source and authors are credited under the Creative Commons Attribution license.

Citation<br>Epoch AI, 'Data on Cyber Vulnerabilities'. Published online at epoch.ai. Retrieved from 'https://epoch.ai/data/cve' [online resource]. Accessed 6 Jun 2026.

BibTeX Citation<br>@misc{EpochAICVEs2026,<br>title = {{Data on Cyber Vulnerabilities}},<br>author = {{Epoch AI}},<br>year = {2026},<br>month = {6},<br>url = {https://epoch.ai/data/cve},<br>note = {Accessed: 6 Jun 2026}

Feedback<br>Feedback

Have a question? Noticed something wrong? Let us know.<br>Message

If you would like a reply, please include your name and email address.<br>Name

Email...

data vulnerability epoch cyber vulnerabilities notable

Related Articles

The Newest Instagram "Exploit" Is the Goofiest I've Seen

ssiddharth34 ptsaccount attacker email instagram seen like

It's Not Just X. It's Y

mooreds21 ptslanguage model writing like grammarly human

Amazon, Facebook, FBI have access to a private intelligence-sharing network

root-parent18 ptsseattle prism shield network private intelligence

Show HN: GoPeek – open links in live mini browser windows without new tabs

GeorgeWoff2518 ptsgopeek open browser links live mini

Agent Memory: An Anatomy

brgsk17 ptsmemory library user agent semantic libraries
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.