CVE Tools
Sign in
month report

September 2025

Data as of Jun 4, 2026, 13:26 UTCSnapshot v1 Sources NVD+CISA KEV+EPSS+Nuclei templates Methodology →

September 2025 closed with 4,664 published CVEs. 278 criticals, 16 added to CISA KEV (1 ransomware-linked). linux led volume, mostly via linux. Biggest breakout: itsourcecode at ×13.8 their 12-month median. Top weakness class — CWE-79 (696 CVE). 10 vendors cracked the top-100 for the first time.

Print view
Total CVEs
4,664
— MoM— YoY
Severity mix
278 / 1,422
critical / high
KEV added
16
1 ransomware-linked
Nuclei coverage
18.5%
862 CVEs with templates

Time to exploit

How fast the community ships detection after a CVE drops.

Days → Nuclei (median)
165.1
n=862
Within 7 days
0.0%
Within 30 days
0.0%
Days → KEV (median)
16
n=14
Detection gap

KEV pressure, no Nuclei coverage

September 2025 · vendors with active exploitation listed by CISA but no public detection template.

Weakness × Vendor

What's spreading where in September 2025

Cells shaded by share of vendor's hottest weakness. Click any cell to open the CWE history.

79XSS89SQL Injection74Injection862Missing Authorization476NULL Pointer Dereference352CSRF401CWE-401416Use After Free94Code Injection284CWE-284linux14112479сообщество свободного программного обеспечения329469622ооо «русбитех-астра»1143382611red hat inc.384333canonical ltd.1264120google2111103ао «ивк»1258191debian25513ооо «ред софт»222191ао «сбертех»24717microsoft corp2918npm1112163

Breakout vendors

CVE count ≥3× their own 12-period median.

First time in top-100

Vendors never in top-100 in the prior 24 periods.

Top vendors

Ranked by distinct CVE count this period.

  • 1linux
    737 CVECVSS 6.1
    PoC 3
    linux (737) · linux kernel (737)
  • 2сообщество свободного программного обеспечения
    540 CVE9 critCVSS 6.2
    Nuclei 2PoC 13
    linux (484) · debian gnu/linux (292) · pytorch (12)
  • 3ооо «русбитех-астра»
    288 CVE6 critCVSS 6.5
    KEV 2PoC 10
    astra linux special edition (280) · astra linux common edition (42) · parsec (31)
  • 4red hat inc.
    256 CVE3 critCVSS 6.3
    Nuclei 1PoC 2
    red hat enterprise linux (251) · openshift container platform (2) · red hat virtualization (2)
  • 5canonical ltd.
    198 CVE1 critCVSS 6.2
    PoC 2
    ubuntu (198)
  • 6google
    178 CVE9 critCVSS 7.0
    KEV 2PoC 3
    android (164) · chrome (12) · tensorflow (2)
  • 7ао «ивк»
    174 CVE2 critCVSS 6.4
    KEV 1PoC 5
    альт сп 10 (174) · альт 8 сп (57)
  • 8debian
    139 CVECVSS 6.4
    ×11.6KEV 1PoC 3
    debian linux (139)
  • 9ооо «ред софт»
    133 CVE7 critCVSS 6.1
    KEV 2Nuclei 1PoC 15
    ред ос (133) · ред база данных (4)
  • 10ао «сбертех»
    126 CVECVSS 6.2
    KEV 1PoC 7
    platform v sberlinux os server (126)
  • 11microsoft corp
    106 CVE5 critCVSS 7.1
    KEV 1PoC 6
    windows server 2025 (server core installation) (59) · windows server 2025 (59) · windows server 2022, 23h2 edition (server core installation) (57)
  • 12npm
    100 CVE12 critCVSS 7.5
    Nuclei 5PoC 33
    flowise (6) · @anthropic-ai/claude-code (4) · express-xss-sanitizer (2)
  • 13microsoft
    99 CVE4 critCVSS 7.1
    PoC 5
    windows server 2025 (server core installation) (59) · windows server 2025 (59) · windows server 2022 23h2 (57)
  • 14maven
    90 CVE6 critCVSS 6.1
    Nuclei 4PoC 1
    com.liferay.portal:release.portal.bom (8) · com.liferay.portal:com.liferay.portal.impl (5) · org.jenkins-ci.main:jenkins-core (3)
  • 15google inc
    86 CVE2 critCVSS 7.1
    ×3.1KEV 4PoC 2
    android (68) · google chrome (13) · android studio (4)
  • 16apple
    83 CVE6 critCVSS 6.4
    macos (75) · ios and ipados (29) · ipados (28)
  • 17campcodes
    72 CVECVSS 6.8
    PoC 72
    online learning management system (18) · grocery sales and inventory system (15) · computer sales and inventory system (10)
  • 18sourcecodester
    69 CVECVSS 6.6
    PoC 67
    pet grooming management software (20) · online student file management system (8) · student grading system (7)
  • 19pypi
    56 CVE4 critCVSS 6.9
    Nuclei 2PoC 10
    picklescan (6) · ethyca-fides (4) · transformers (3)
  • 20go
    55 CVE11 critCVSS 6.8
    Nuclei 4PoC 8
    github.com/dragonflyoss/dragonfly (11) · d7y.io/dragonfly/v2 (11) · github.com/mattermost/mattermost/server/v8 (6)
  • 21itsourcecode
    55 CVECVSS 6.4
    ×13.8PoC 54
    pos point of sale system (9) · student information management system (8) · open source job portal (7)
  • 22liferay
    50 CVECVSS 5.9
    dxp (50) · portal (49) · digital experience platform (49)
  • 23phpgurukul
    49 CVE9 critCVSS 7.1
    ×3.8PoC 34
    online fire reporting system (9) · beauty parlour management system (9) · small crm (5)
  • 24ао "нппкт"
    47 CVE6 critCVSS 7.3
    KEV 1PoC 4
    осон основа оnyx (47)
  • 25tenda
    45 CVE2 critCVSS 7.4
    ×5.0PoC 22
    g3 firmware (13) · f3 firmware (5) · ac18 firmware (4)
  • 26ibm
    44 CVECVSS 5.7
    concert software (7) · concert (7) · watsonx.data (4)
  • 27vasion
    41 CVE19 critCVSS 8.5
    NEWPoC 19
    virtual appliance application (41) · virtual appliance host (41) · print virtual appliance host (41)
  • 28samsung mobile
    40 CVECVSS 5.7
    KEV 2
    samsung mobile devices (28) · s assistant (3) · samsung calendar (1)
  • 29shenzhen tenda technology co., ltd.
    40 CVE2 critCVSS 7.5
    PoC 19
    tenda g3 (13) · tenda f3 (5) · tenda ac9 (3)
  • 30samsung
    39 CVECVSS 6.0
    KEV 2
    android (26) · sassistant (3) · notes (2)
  • 31nvidia
    36 CVE1 critCVSS 5.7
    nvidia cuda toolkit (12) · cuda toolkit (10) · triton inference server (5)
  • 32code-projects
    34 CVECVSS 6.5
    PoC 32
    hostel management system (8) · simple scheduling system (6) · online bidding system (6)
  • 33apprain
    32 CVE3 critCVSS 5.8
    NEW
    apprain (32) · apprain cmf (32)
  • 34cisco
    32 CVE2 critCVSS 6.2
    KEV 3Nuclei 1PoC 32
    cisco ios xe software (14) · ios (5) · cisco ios xr software (4)
  • 35fabian
    31 CVECVSS 6.7
    ×7.8PoC 29
    online bidding system (6) · simple scheduling system (6) · online hotel reservation system (5)
  • 36apple inc.
    30 CVE5 critCVSS 6.6
    ipados (23) · ios (23) · macos (22)
  • 37ashlar
    30 CVECVSS 7.8
    cobalt (22) · graphite (8)
  • 38ashlar-vellum
    30 CVECVSS 7.8
    cobalt (22) · graphite (8)
  • 39amd
    28 CVECVSS 5.7
    amd ryzen™ 7030 series mobile processors with radeon™ graphics (12) · amd ryzen™ 5000 series mobile processors with radeon™ graphics (12) · amd ryzen™ 4000 series mobile processors with radeon™ graphics (11)
  • 40nvidia corp.
    28 CVE1 critCVSS 5.8
    nvidia cuda toolkit (12) · megatron-lm (4) · nvidia triton inference server (4)
  • 41packagist
    28 CVE1 critCVSS 6.0
    KEV 1Nuclei 2PoC 4
    mautic/core (4) · typo3/cms-core (3) · typo3/cms-backend (3)
  • 42angeljudesuarez
    27 CVECVSS 6.7
    ×5.4PoC 26
    hostel management system (9) · open source job portal (7) · sports management system (6)
  • 43d-link corp.
    27 CVECVSS 6.7
    PoC 22
    dir-823x (12) · dir-852 (4) · di-8003g (2)
  • 44cisco systems inc.
    26 CVE1 critCVSS 5.3
    KEV 2Nuclei 1PoC 26
    cisco ios xe (5) · cisco evolved programmable network manager (3) · cisco ios xr (3)
  • 45portabilis
    26 CVECVSS 5.2
    NEWPoC 24
    i-educar (26)
  • 46dlink
    25 CVECVSS 6.9
    PoC 20
    dir-823x firmware (12) · dir-852 firmware (4) · dir-825 firmware (2)
  • 47ibm corp.
    25 CVECVSS 5.8
    ibm security verify information queue (3) · diamondback tape (2) · ibm license metric tool (2)
  • 48adobe
    24 CVE2 critCVSS 6.9
    KEV 1Nuclei 3
    adobe experience manager (7) · experience manager (7) · substance3d - viewer (3)
  • 49d-link
    24 CVECVSS 6.7
    ×3.0PoC 19
    dir-823x (11) · dir-852 (4) · di-8003g (2)
  • 50linuxfoundation
    24 CVE2 critCVSS 6.4
    ×3.0
    pytorch (12) · dragonfly (11) · yocto (1)

Top weaknesses

CWE classes by distinct CVE count.

1CWE-79696
2CWE-89358
3CWE-74292
4CWE-862205
5CWE-476179
6CWE-352160
7CWE-401155
8CWE-416137
9CWE-94134
10CWE-284121
11CWE-125119
12CWE-78796
13CWE-7789
14CWE-7883
15CWE-2277
16CWE-43475
17CWE-2071
18CWE-91871
19CWE-20067
20CWE-26663