month report
December 2016
Data as of Jun 4, 2026, 13:25 UTC · Snapshot v1 · Sources: NVD + CISA KEV + EPSS + Nuclei templates
December 2016 closed with 527 published CVEs (-7.1% YoY). 60 criticals; phpmyadmin led volume, mostly via phpmyadmin. Biggest breakout: vmware at ×21.0 their 12-month median. Top weakness class: CWE-119 (67 CVE). 10 vendors cracked the top-100 for the first time.
Total CVEs
527
— MoM · -7.1% YoY
Severity mix
60 / 214
critical / high
KEV added
0
0 ransomware-linked
Nuclei coverage
0.6%
3 CVEs with templates
Time to exploit
How fast the community ships detection after a CVE drops.
Days → Nuclei (median)
3369.1
n=3
Within 7 days
0.0%
Within 30 days
0.0%
Days → KEV (median)
1918
n=4
Detection gap
KEV pressure, no Nuclei coverage
December 2016 · vendors with active exploitation listed by CISA but no public detection template.
- microsoft: KEV 1, 41 CVE
- adobe: KEV 1, 30 CVE
- adobe systems inc.: KEV 1, 19 CVE
- microsoft corp: KEV 1, 10 CVE
Weakness × Vendor
What's spreading where in December 2016
Cells shaded by share of vendor's hottest weakness.
Columns (CWE): 119 Memory Buffer Bounds · 79 XSS · 200 Information Exposure · 20 Improper Input Validation · 264 CWE-264 · 125 Out-of-bounds Read · 476 NULL Pointer Dereference · 284 CWE-284 · 787 Out-of-bounds Write · 416 Use After Free
Rows (vendor): phpmyadmin · qemu · microsoft · debian · cisco · tats · adobe · packagist · open-xchange · google · vmware · adobe systems inc.
Breakout vendors
CVE count ≥3× their own 12-period median.
- vmware: 21.0×, 21 CVE
- phpmyadmin: 12.0×, 48 CVE
- qemu: 11.5×, 46 CVE
- fabrice bellard: 10.0×, 10 CVE
- nvidia: 5.0×, 15 CVE
- intel: 4.0×, 4 CVE
- packagist: 3.7×, 26 CVE
- ffmpeg: 3.7×, 11 CVE
- siemens: 3.0×, 6 CVE
- s9y: 3.0×, 3 CVE
First time in top-100
Vendors never in top-100 in the prior 24 periods.
- #6 tats: 31 CVE
- #16 nvidia corporation: 15 CVE
- #24 imagemagick: 10 CVE
- #27 bluez: 9 CVE
- #30 joyent: 6 CVE
- #31 pivotal software: 6 CVE
- #41 bmc: 3 CVE
- #49 samsung electronics: 3 CVE
- #50 spip: 3 CVE
- #56 libvncserver project: 2 CVE
Top vendors
Ranked by distinct CVE count this period.
- 48 CVE, 5 crit, CVSS 6.7, ×12.0: phpmyadmin (48)
- 46 CVE, CVSS 5.6, ×11.5: qemu (46)
- 41 CVE, 1 crit, CVSS 7.3, KEV 1, PoC 5: edge (11) · windows 10 (10) · windows server 2016 (10)
- 38 CVE, 2 crit, CVSS 6.0: debian linux (38)
- 33 CVE, 1 crit, CVSS 7.0, PoC 1: web security appliance (3) · email security appliance (3) · ios (3)
- 31 CVE, CVSS 7.0, NEW: w3m (31)
- 30 CVE, 3 crit, CVSS 8.3, KEV 1, PoC 1: flash player (17) · flash player desktop runtime (17) · experience manager (5)
- 26 CVE, 6 crit, CVSS 7.1, ×3.7, KEV 1, Nuclei 1, PoC 4: phpmyadmin/phpmyadmin (22) · phpmailer/phpmailer (2) · swiftmailer/swiftmailer (1)
- 24 CVE, CVSS 5.9, PoC 10: open-xchange appsuite (19) · ox guard (5)
- 22 CVE, CVSS 6.5: chrome (13) · android (9)
- 21 CVE, 3 crit, CVSS 7.6, ×21.0, PoC 2: workstation player (7) · workstation pro (7) · tools (3)
- 19 CVE, 2 crit, CVSS 8.9, KEV 1: flash player for linux (17) · flash player (17) · indesign server (1)
- 19 CVE, CVSS 7.1, PoC 2: linux kernel (19)
- 18 CVE, 11 crit, CVSS 8.9, PoC 1: fedora (18)
- 15 CVE, CVSS 7.4, ×5.0: gpu driver (14) · geforce experience (1)
- 15 CVE, CVSS 7.4, NEW: quadro, nvs, geforce, grid and tesla (8) · windows gpu display driver (6) · geforce experience (1)
- 13 CVE, 5 crit, CVSS 8.2, PoC 4: solaris (10) · mysql (3)
- 13 CVE, 9 crit, CVSS 9.1: libxi (2) · libx11 (2) · libxrandr (2)
- 12 CVE, 1 crit, CVSS 6.2: leap (12) · opensuse (2)
- 11 CVE, CVSS 6.1, ×3.7: ffmpeg (11)
- 11 CVE, 1 crit, CVSS 7.1: powerkvm (3) · filenet workplace (2) · connections (1)
- 11 CVE, 1 crit, CVSS 6.5: virtualization (7) · openstack (6) · enterprise linux (2)
- 10 CVE, CVSS 6.2, ×10.0: qemu (10)
- 10 CVE, 6 crit, CVSS 9.0, NEW, PoC 1: imagemagick (10)
- 10 CVE, 1 crit, CVSS 7.1, KEV 1, PoC 1: internet explorer (6) · microsoft edge (5) · microsoft excel 2007 service pack 3 (1)
- 10 CVE, 5 crit, CVSS 8.6, KEV 1, Nuclei 1, PoC 3: debian gnu/linux (5) · linux (4) · libvncserver (2)
- 9 CVE, CVSS 5.5, NEW, PoC 1: bluez (9)
- 7 CVE, CVSS 5.4, PoC 3: hybris (4) · download manager (2) · solution manager (1)
- 6 CVE, 1 crit, CVSS 7.8, PoC 3: ubuntu linux (6)
- 6 CVE, CVSS 7.4, NEW, PoC 5: smartos (6)
- 6 CVE, 1 crit, CVSS 7.8, NEW: rabbitmq (2) · cloud foundry elastic runtime (1) · cloud foundry ops manager (1)
- 6 CVE, 1 crit, CVSS 7.5, ×3.0: simatic s7-400 cpu firmware (2) · simatic s7-300 cpu firmware (2) · sicam pas/pqs (2)
- 5 CVE, 3 crit, CVSS 8.9, KEV 1, Nuclei 1, PoC 4: joomla! (5)
- 5 CVE, CVSS 6.7: kmail (3) · kde-cli-tools (1) · kscreenlocker (1)
- 5 CVE, 1 crit, CVSS 7.3: sicam pas (2) · simatic s7-300 cpu family (2) · simatic s7-300 cpu family (incl. related et200 cpus and siplus variants) (2)
- 5 CVE, 4 crit, CVSS 9.1, PoC 1: astra linux special edition (4) · astra linux special edition для «эльбрус» (1) · astra linux common edition (1)
- 4 CVE, CVSS 6.8, ×4.0, PoC 1: citry bios (1) · city bios (1) · graphics driver (1)
- 4 CVE, CVSS 6.7: piwigo (4)
- 4 CVE, 1 crit, CVSS 8.3: django (2) · bottle (1) · python-docx (1)
- 3 CVE, CVSS 7.4, PoC 3: apport (3)
- 3 CVE, 1 crit, CVSS 8.4, NEW, PoC 2: bladelogic server automation console (1) · patrol (1) · remedy action request system (1)
- 3 CVE, 1 crit, CVSS 7.9: vmware vsphere client (3) · vmware aria automation (1)
- 3 CVE, CVSS 6.5, PoC 2: mariadb (3)
- 3 CVE, CVSS 6.3: org.springframework:spring-webmvc (1) · org.apache.tika:tika-server (1) · org.owasp.antisamy:antisamy (1)
- 3 CVE, CVSS 7.3: modx revolution (3)
- 3 CVE, 2 crit, CVSS 8.7, PoC 1: pcre (3) · pcre2 (2)
- 3 CVE, 1 crit, CVSS 7.9, ×3.0: serendipity (3)
- 3 CVE, 3 crit, CVSS 9.8: samsung mobile (3)
- 3 CVE, 3 crit, CVSS 9.8, NEW: samsung mobile (3)
- 3 CVE, CVSS 6.1, NEW: spip (3)
| # | Vendor | CVEs | Crit | KEV | Nuclei | Signals | Top products | Δ |
|---|---|---|---|---|---|---|---|---|
| 1 | phpmyadmin | 48 | 5 | · | · | ×12.0 | phpmyadmin (48) | — |
| 2 | qemu | 46 | · | · | · | ×11.5 | qemu (46) | — |
| 3 | microsoft | 41 | 1 | 1 | · | KEV 1, PoC 5 | edge (11) · windows 10 (10) · windows server 2016 (10) | — |
| 4 | debian | 38 | 2 | · | · | | debian linux (38) | — |
| 5 | cisco | 33 | 1 | · | · | PoC 1 | web security appliance (3) · email security appliance (3) · ios (3) | — |
| 6 | tats | 31 | · | · | · | NEW | w3m (31) | — |
| 7 | adobe | 30 | 3 | 1 | · | KEV 1, PoC 1 | flash player (17) · flash player desktop runtime (17) · experience manager (5) | — |
| 8 | packagist | 26 | 6 | 1 | 1 | ×3.7, KEV 1, Nuclei 1, PoC 4 | phpmyadmin/phpmyadmin (22) · phpmailer/phpmailer (2) · swiftmailer/swiftmailer (1) | — |
| 9 | open-xchange | 24 | · | · | · | PoC 10 | open-xchange appsuite (19) · ox guard (5) | — |
| 10 | google | 22 | · | · | · | | chrome (13) · android (9) | — |
| 11 | vmware | 21 | 3 | · | · | ×21.0, PoC 2 | workstation player (7) · workstation pro (7) · tools (3) | — |
| 12 | adobe systems inc. | 19 | 2 | 1 | · | KEV 1 | flash player for linux (17) · flash player (17) · indesign server (1) | — |
| 13 | linux | 19 | · | · | · | PoC 2 | linux kernel (19) | — |
| 14 | fedoraproject | 18 | 11 | · | · | PoC 1 | fedora (18) | — |
| 15 | nvidia | 15 | · | · | · | ×5.0 | gpu driver (14) · geforce experience (1) | — |
| 16 | nvidia corporation | 15 | · | · | · | NEW | quadro, nvs, geforce, grid and tesla (8) · windows gpu display driver (6) · geforce experience (1) | — |
| 17 | oracle | 13 | 5 | · | · | PoC 4 | solaris (10) · mysql (3) | — |
| 18 | x.org | 13 | 9 | · | · | | libxi (2) · libx11 (2) · libxrandr (2) | — |
| 19 | opensuse | 12 | 1 | · | · | | leap (12) · opensuse (2) | — |
| 20 | ffmpeg | 11 | · | · | · | ×3.7 | ffmpeg (11) | — |
| 21 | ibm | 11 | 1 | · | · | | powerkvm (3) · filenet workplace (2) · connections (1) | — |
| 22 | redhat | 11 | 1 | · | · | | virtualization (7) · openstack (6) · enterprise linux (2) | — |
| 23 | fabrice bellard | 10 | · | · | · | ×10.0 | qemu (10) | — |
| 24 | imagemagick | 10 | 6 | · | · | NEW, PoC 1 | imagemagick (10) | — |
| 25 | microsoft corp | 10 | 1 | 1 | · | KEV 1, PoC 1 | internet explorer (6) · microsoft edge (5) · microsoft excel 2007 service pack 3 (1) | — |
| 26 | сообщество свободного программного обеспечения | 10 | 5 | 1 | 1 | KEV 1, Nuclei 1, PoC 3 | debian gnu/linux (5) · linux (4) · libvncserver (2) | — |
| 27 | bluez | 9 | · | · | · | NEW, PoC 1 | bluez (9) | — |
| 28 | sap | 7 | · | · | · | PoC 3 | hybris (4) · download manager (2) · solution manager (1) | — |
| 29 | canonical | 6 | 1 | · | · | PoC 3 | ubuntu linux (6) | — |
| 30 | joyent | 6 | · | · | · | NEW, PoC 5 | smartos (6) | — |
| 31 | pivotal software | 6 | 1 | · | · | NEW | rabbitmq (2) · cloud foundry elastic runtime (1) · cloud foundry ops manager (1) | — |
| 32 | siemens | 6 | 1 | · | · | ×3.0 | simatic s7-400 cpu firmware (2) · simatic s7-300 cpu firmware (2) · sicam pas/pqs (2) | — |
| 33 | joomla | 5 | 3 | 1 | 1 | KEV 1, Nuclei 1, PoC 4 | joomla! (5) | — |
| 34 | kde | 5 | · | · | · | | kmail (3) · kde-cli-tools (1) · kscreenlocker (1) | — |
| 35 | siemens ag | 5 | 1 | · | · | | sicam pas (2) · simatic s7-300 cpu family (2) · simatic s7-300 cpu family (incl. related et200 cpus and siplus variants) (2) | — |
| 36 | ооо «русбитех-астра» | 5 | 4 | · | · | PoC 1 | astra linux special edition (4) · astra linux special edition для «эльбрус» (1) · astra linux common edition (1) | — |
| 37 | intel | 4 | · | · | · | ×4.0, PoC 1 | citry bios (1) · city bios (1) · graphics driver (1) | — |
| 38 | piwigo | 4 | · | · | · | | piwigo (4) | — |
| 39 | pypi | 4 | 1 | · | · | | django (2) · bottle (1) · python-docx (1) | — |
| 40 | apport project | 3 | · | · | · | PoC 3 | apport (3) | — |
| 41 | bmc | 3 | 1 | · | · | NEW, PoC 2 | bladelogic server automation console (1) · patrol (1) · remedy action request system (1) | — |
| 42 | broadcom inc. | 3 | 1 | · | · | | vmware vsphere client (3) · vmware aria automation (1) | — |
| 43 | mariadb | 3 | · | · | · | PoC 2 | mariadb (3) | — |
| 44 | maven | 3 | · | · | · | | org.springframework:spring-webmvc (1) · org.apache.tika:tika-server (1) · org.owasp.antisamy:antisamy (1) | — |
| 45 | modx | 3 | · | · | · | | modx revolution (3) | — |
| 46 | pcre | 3 | 2 | · | · | PoC 1 | pcre (3) · pcre2 (2) | — |
| 47 | s9y | 3 | 1 | · | · | ×3.0 | serendipity (3) | — |
| 48 | samsung | 3 | 3 | · | · | | samsung mobile (3) | — |
| 49 | samsung electronics | 3 | 3 | · | · | NEW | samsung mobile (3) | — |
| 50 | spip | 3 | · | · | · | NEW | spip (3) | — |