2026 Vulnerability Statistics Report
11 Years of Security Insight
Welcome to the 11th edition of the Edgescan Vulnerability Statistics Report. Drawing from thousands of security assessments and penetration tests conducted globally throughout 2025, this report delivers authoritative insights into the cybersecurity landscape across hundreds of organisations and industries worldwide.
In 2025, a record-breaking 48,185 CVEs were published. Threat actors weaponised new vulnerabilities within hours of disclosure. And the gap between detection and remediation remained wide, with high/critical application vulnerabilities taking an average of 54.81 days to close.
- Across the full stack, more than 20% of discovered internet-facing vulnerabilities were of critical or high severity.
- SQL Injection (CWE-89) remains the most common critical web application vulnerability, as it has since 2022.
- Application/API high/critical severity: average MTTR 54.81 days. Device/network high/critical severity: average MTTR 39 days.
- In 2025, 48,185 Common Vulnerabilities and Exposures (CVEs) were published, a new record.
- The CISA Known Exploited Vulnerabilities (KEV) catalog contained 1,484 vulnerabilities by end of 2025, with 246 added during the year.
- For larger enterprises (1,000+ employees), 37% of vulnerabilities discovered in a 12-month period remain unresolved.
Some rare vulnerabilities cause outsized damage when exploited—”intensive rather than extensive risk.” No single risk scoring system is sufficient. EPSS, CISA KEV, CVSS, and SSVC offer valuable but sometimes contradictory guidance.
Production patching remains difficult, reflected in our MTTR statistics. Continuous assessment visibility is essential. Internal networks show alarming security gaps, with vulnerabilities compounding across the technology stack.
CVEs from 2015 are still being discovered and exploited by modern malware. Attack Surface Management is critical—too many sensitive systems remain exposed due to poor visibility.
This report helps prioritize what matters across industries, because not all vulnerabilities are equal threats.
— Eoin Keary, CEO & Founder
Previous Editions of the Report
Overview of the Edgescan Vulnerability Stats Report
Since 2015 Edgescan has annually produced the Vulnerability Statistics Report to provide a global snapshot of the overall state of cybersecurity. The report presents a by-the-numbers insight into trends and statistics looking back across a 12-month data set from the previous year, including cyber threats, data breaches, and cyber attacks. Every year the report provides a statistical model, that is presented using infographics and charts, of the most common weaknesses faced by enterprises to enable data-driven decisions for managing risks and exposures more effectively.
This yearly report has become a reliable source for approximating the global state of vulnerability management. This is exemplified by our unique dataset being part of the Verizon Data Breach Report (DBIR), which is the de facto standard for insights into the common drivers for incidents and breaches today.
Methodology of Data Collection
The vulnerability data analyzed for the Edgescan Vulnerability Statistics Report was collected from thousands of security assessments and penetration tests performed on millions of assets; this growing collection of intelligence is stored in our data lake and shared amongst the solutions that comprise the Edgescan Platform.
Vulnerability data was sourced from over 250 companies of various sizes, Fortune 500 to medium and small businesses, across 30 industry verticals.
Ready for security that is fast, accurate and quiet?
Experience the hybrid advantage of AI Scale + Human Validation.