{"vulnerability": "cve-2025-6703", "sightings": [{"uuid": "d69b6e74-cc66-4e37-be5b-20620790730f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-6703", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3lsj5hcwruh2r", "content": "", "creation_timestamp": "2025-06-26T12:39:34.957339Z"}, {"uuid": "58ef17be-6ca3-4f99-9103-74f905e84a2f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67039", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02", "content": "", "creation_timestamp": "2026-03-10T11:00:00.000000Z"}, {"uuid": "33423a92-46bf-433c-9db7-e97c323bb850", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67034", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02", "content": "", "creation_timestamp": "2026-03-10T11:00:00.000000Z"}, {"uuid": "f82a2129-0930-4b8e-9366-69f5cd57955a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67035", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02", "content": "", "creation_timestamp": "2026-03-10T11:00:00.000000Z"}, {"uuid": "6fe0265f-fb8b-4510-837f-e5d9b1de3768", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67036", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02", "content": "", "creation_timestamp": "2026-03-10T11:00:00.000000Z"}, {"uuid": "2936de00-fc96-4bf1-b7c9-d84a38f77835", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", 
"author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67037", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02", "content": "", "creation_timestamp": "2026-03-10T11:00:00.000000Z"}, {"uuid": "f986f301-7c28-4f87-904a-052414013228", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02", "content": "", "creation_timestamp": "2026-03-10T11:00:00.000000Z"}, {"uuid": "cc8694fb-57fb-4878-ab19-a581006be196", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "c933734a-9be8-4142-889e-26e95c752803", "vulnerability": "CVE-2025-67037", "type": "seen", "source": "https://vulnerability.circl.lu/bundle/49b900ec-633f-4111-a614-2dc8b0b77752", "content": "", "creation_timestamp": "2026-03-11T11:00:58.256308Z"}, {"uuid": "c5ad8e74-5884-4b97-85c6-bcc9c831b29c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "c933734a-9be8-4142-889e-26e95c752803", "vulnerability": "CVE-2025-67035", "type": "seen", "source": "https://vulnerability.circl.lu/bundle/49b900ec-633f-4111-a614-2dc8b0b77752", "content": "", "creation_timestamp": "2026-03-11T11:00:58.256308Z"}, {"uuid": "421ed2e4-d2a6-4c3d-8c76-8fef7112914f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "c933734a-9be8-4142-889e-26e95c752803", "vulnerability": "CVE-2025-67034", "type": "seen", "source": "https://vulnerability.circl.lu/bundle/49b900ec-633f-4111-a614-2dc8b0b77752", "content": "", "creation_timestamp": "2026-03-11T11:00:58.256308Z"}, {"uuid": "a2971acf-fdd4-4e14-968f-8563d8c5a6cd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "c933734a-9be8-4142-889e-26e95c752803", "vulnerability": "CVE-2025-67039", "type": "seen", "source": 
"https://vulnerability.circl.lu/bundle/49b900ec-633f-4111-a614-2dc8b0b77752", "content": "", "creation_timestamp": "2026-03-11T11:00:58.256308Z"}, {"uuid": "42b5cc92-dca6-41bd-9af4-265fea5f0b7e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "c933734a-9be8-4142-889e-26e95c752803", "vulnerability": "CVE-2025-67036", "type": "seen", "source": "https://vulnerability.circl.lu/bundle/49b900ec-633f-4111-a614-2dc8b0b77752", "content": "", "creation_timestamp": "2026-03-11T11:00:58.256308Z"}, {"uuid": "a8d1ffa6-b5ac-418d-bbb1-301458cda544", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "c933734a-9be8-4142-889e-26e95c752803", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://vulnerability.circl.lu/bundle/49b900ec-633f-4111-a614-2dc8b0b77752", "content": "", "creation_timestamp": "2026-03-11T11:00:58.256308Z"}, {"uuid": "38974239-1ddd-4326-8646-84b8d779e301", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67030", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mieg3xyw3g26", "content": "", "creation_timestamp": "2026-03-31T14:45:17.928949Z"}, {"uuid": "a8cfa263-7a72-4a46-b326-6fa040075123", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2025-67030", "type": "seen", "source": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0381/", "content": "", "creation_timestamp": "2026-03-30T17:00:00.000000Z"}, {"uuid": "6d2eb43c-66f6-497f-b9a8-b17cba5e8a0b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-6703", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/19581", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat 
Intelligence\n\ud83d\udccc CVE ID: CVE-2025-6703\n\ud83d\udd25 CVSS Score: 2.3 (cvssV4_0, Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/R:A/RE:L/U:Clear)\n\ud83d\udd39 Description: Improper Input Validation vulnerability in Mozilla neqo leads to an unexploitable crash..This issue affects neqo: from 0.4.24 through 0.13.2.\n\ud83d\udccf Published: 2025-06-26T09:30:03.893Z\n\ud83d\udccf Modified: 2025-06-26T09:30:03.893Z\n\ud83d\udd17 References:\n1. https://github.com/mozilla/neqo/security/advisories/GHSA-jfv6-x22w-grhf", "creation_timestamp": "2025-06-26T09:50:40.000000Z"}, {"uuid": "0bfb1179-1c79-4e32-aa6a-e86f774ce428", "vulnerability_lookup_origin": "405284c2-e461-4670-8979-7fd2c9755a60", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "exploited", "source": "https://vulnerability.circl.lu/known-exploited-vulnerabilities-catalog/64a89941-4f82-4d29-92b5-c82e90d75581", "content": "", "creation_timestamp": "2026-06-23T18:00:02.348917Z"}, {"uuid": "85211c82-5d0b-4804-96c0-07b930b30274", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/cvesentinel.bsky.social/post/3moxyrhdofq2w", "content": "\ud83d\uded1 CVE-2025-67038\nLantronix EDS5000\nKEV \u2705\nTL;DR: Lantronix EDS5000 contains a code injection vulnerability that could allow attackers to inject arbitrary OS comm\u2026\nhttps://cvesentinel.com/report/CVE-2025-67038?utm_source=bluesky&utm_medium=social&utm_campaign=cvesentinel\n#infosec #CVE #vulnerability", "creation_timestamp": "2026-06-23T18:11:08.238262Z"}, {"uuid": "32bec605-56c5-4260-a39f-dd10120ab5d7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": 
"https://feedsin.space/feed/CISAKevBot/items/6817247", "content": "2026-06-23: [CVE-2025-67038] Lantronix EDS5000 Code Injection VulnerabilityLantronix EDS5000 contains a code injection vulnerability that could allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.\ncisakev", "creation_timestamp": "2026-06-23T18:43:03.974852Z"}, {"uuid": "4629e273-f94c-468f-9def-554b54eb4128", "vulnerability_lookup_origin": "caeb2787-0d58-4236-9039-7c86c3e566f3", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "exploited", "source": "https://vulnerability.circl.lu/known-exploited-vulnerabilities-catalog/8e8a4f05-9e1b-4d1f-b0d9-81ac83a41432", "content": "", "creation_timestamp": "2026-06-23T19:00:19.730346Z"}, {"uuid": "396dd29f-09b8-489e-a850-b1f6b6f70a7e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://infosec.exchange/users/AAKL/statuses/116800974631729730", "content": "CISA has updated the KEV catalogue:\n-  CVE-2026-34908: Ubiquiti UniFi OS Improper Access Control Vulnerability https://www.cve.org/CVERecord?id=CVE-2026-34908\n-  CVE-2026-34909: Ubiquiti UniFi OS Path Traversal Vulnerability https://www.cve.org/CVERecord?id=CVE-2026-34909\n-  CVE-2026-34910: Ubiquiti UniFi OS Improper Input Validation Vulnerability https://www.cve.org/CVERecord?id=CVE-2026-34910\n-  CVE-2025-67038: Lantronix EDS5000 Code Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-67038 #CISA #infosec #vulnerability", "creation_timestamp": "2026-06-23T19:03:54.948475Z"}, {"uuid": "dec86f0c-083e-42eb-b593-ba56879dec7c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2025-67038", "type": "seen", "source": 
"https://cyber.gc.ca/en/alerts-advisories/control-systems-cisa-ics-security-advisories-av26-241", "content": "", "creation_timestamp": "2026-06-23T13:23:46.000000Z"}, {"uuid": "1d4bc8ae-263e-48bb-b82b-c94fb2118860", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/infosecbriefly.bsky.social/post/3mp2jtiqaem2t", "content": "CISA warns of active exploitation of CVE-2025-67038 in Lantronix EDS5000 devices and requires FCEB agencies to patch by June 26, 2026.\n", "creation_timestamp": "2026-06-24T18:21:50.357083Z"}, {"uuid": "1edcb317-188c-44a5-a002-b874c95976af", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/thecybermind.co/post/3mp2ke4vlip2i", "content": "For the Boardroom: A critical unauthenticated code injection flaw (CVE-2025-67038) in Lantronix EDS5000 servers is under active exploitation. Read the full C-SUITE threat advisory on mitigating this operational risk. 
Ping the word 'ok' mike@thecybermind.co to upgrade your intel.\u2026", "creation_timestamp": "2026-06-24T18:31:08.622931Z"}, {"uuid": "d9bdc175-7964-44f9-a629-093cf2695926", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mp2kjb7ddq42", "content": "CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited TheHackerNews CISA says CVE-2025-67038 in Lantronix EDS5000 devices is under active exploitation and urges federal agencies to...\n\n#Security #News\n\nOrigin | Interest | Match", "creation_timestamp": "2026-06-24T18:34:24.069572Z"}, {"uuid": "8456089f-f692-4e32-9675-ab0676234dcb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://thehackernews.com/2026/06/cisa-warns-critical-lantronix-eds5000.html", "content": "The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday warned of active exploitation of a critical security flaw impacting Lantronix EDS5000 Series devices, urging Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 26, 2026.\n\nThe vulnerability in question is CVE-2025-67038 (CVSS score: 9.8), a code injection flaw that could result in the execution", "creation_timestamp": "2026-06-24T19:00:49.912745Z"}, {"uuid": "c95ddfcd-def5-4a9e-9a74-192af15b3c1d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/bitnewsbot.bsky.social/post/3mp2nvzr5n62o", "content": "A critical command injection flaw (CVE-2025-67038) in Lantronix EDS5000 devices is being actively exploited, allowing attackers to execute arbitrary commands [\u2026]", "creation_timestamp": "2026-06-24T19:34:50.897252Z"}, {"uuid": "63291cbb-fa8d-4245-9b52-ebf1bdeff29f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mp2ykuptxg2e", "content": "CISA says CVE-2025-67038 in Lantronix EDS5000 devices is actively exploited, enabling command injection and elevated code execution. UniFi OS flaws are also being chained for root-level compromise. #Lantronix #UniFiOS #CVE2025", "creation_timestamp": "2026-06-24T22:45:27.229497Z"}, {"uuid": "7b7b500b-41f7-4c8f-8ded-9beea48849e8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/newssecia.bsky.social/post/3mp34apu6ef2n", "content": "\ud83e\udd16 CVE-2025-67038 (CVSS 9.8): Critical code injection in Lantronix EDS5000 actively exploited. 
CISA KEV added. OT/industrial devices at risk, patch urgently.\n\nhttps://thehackernews.com/2026/06/cisa-warns-critical-lantronix-eds5000.html", "creation_timestamp": "2026-06-24T23:51:20.840961Z"}, {"uuid": "b8c2472c-5685-4aa8-b068-6fbec01d4afd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://thehackernews.com/2026/06/cisa-warns-critical-lantronix-eds5000.html", "content": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday warned of active exploitation of a critical security flaw impacting Lantronix EDS5000 Series devices, urging Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 26, 2026.\n\nThe vulnerability in question is CVE-2025-67038 (CVSS score: 9.8), a code injection flaw that could result in the execution", "creation_timestamp": "2026-06-25T01:00:41.468724Z"}, {"uuid": "30afc9a6-918c-41b1-866f-d7a52b3f3b42", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/infosecbriefly.bsky.social/post/3mp4dyr6agk2s", "content": "CVE-2025-67038 is being exploited against Lantronix EDS5000 device servers, enabling unauthenticated root command injection and potential network takeover.\n", "creation_timestamp": "2026-06-25T11:42:44.108822Z"}, {"uuid": "9f778fd5-e2ec-43da-9ddf-f85c1dea3675", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mp4ezc5qxbx2", "content": "Lantronix Serial-to-IP Converter Flaw Exploited in Attacks After OT Threat Warning The exploited flaw, CVE-2025-67038, is one of the 
vulnerabilities disclosed in April as part of the BRIDGE:BREAK r...\n\n#ICS/OT #Vulnerabilities #exploited #ICS #Lantronix #OT\n\nOrigin | Interest | Match", "creation_timestamp": "2026-06-25T12:01:01.581994Z"}, {"uuid": "8989f8fc-8baf-4891-a27c-1195f7a057e2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://infosec.exchange/users/edwardk/statuses/116810657862908202", "content": "CISA warns of max-severity Ubiquiti flaws exploited in attacks\u2028Source URL: https://www.bleepingcomputer.com/news/security/cisa-warns-of-max-severity-ubiquiti-flaws-exploited-in-attacks/\u2028CISA added actively exploited vulnerabilities affecting Ubiquiti UniFi OS and Lantronix EDS5000 serial-to-Ethernet servers to its Known Exploited Vulnerabilities catalogue and, under BOD 26-04, directed U.S. federal agencies to apply available updates or vendor-recommended mitigations within three days. The Ubiquiti flaws include an access-control bypass, directory/path traversal and improper input validation that could enable command execution, with researchers showing the issues can be chained for full remote code execution on vulnerable UniFi OS devices. 
The Lantronix issue, CVE-2025-67038, is a critical root-level command-injection flaw in the HTTP RPC module, making urgent patching, exposure review and compensating controls appropriate for organizations running these products.", "creation_timestamp": "2026-06-25T12:06:29.293676Z"}, {"uuid": "21e33a51-16a0-4256-a290-cad18d9e2e94", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://threatintel.cc/2026/06/25/cisa-warns-of-maxseverity-ubiquiti.html", "content": "Source URL: www.bleepingcomputer.com/news/secu\u2026\u2028CISA added actively exploited vulnerabilities affecting Ubiquiti UniFi OS and Lantronix EDS5000 serial-to-Ethernet servers to its Known Exploited Vulnerabilities catalogue and, under BOD 26-04, directed U.S. federal agencies to apply available updates or vendor-recommended mitigations within three days. The Ubiquiti flaws include an access-control bypass, directory/path traversal and improper input validation that could enable command execution, with researchers showing the issues can be chained for full remote code execution on vulnerable UniFi OS devices. The Lantronix issue, CVE-2025-67038, is a critical root-level command-injection flaw in the HTTP RPC module, making urgent patching, exposure review and compensating controls appropriate for organizations running these products.", "creation_timestamp": "2026-06-25T13:00:44.600118Z"}, {"uuid": "95803221-bbf9-40a6-ad1d-d3017899f8f0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/sergioiker.bsky.social/post/3mp4jsmg6y224", "content": "5/ \u26a0\ufe0f CISA: CVE-2025-67038 actively exploited in Lantronix EDS5000 devices. CVSS 9.8. OS command injection runs as root. Fed agencies patch by June 26. 
That's TOMORROW. Don't snooze on this.", "creation_timestamp": "2026-06-25T13:26:40.831921Z"}, {"uuid": "f18ddb1c-61f1-409d-9dde-bebdb317745d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/sergioiker.bsky.social/post/3mp4jsmgiqk24", "content": "5/ \u26a0\ufe0f CISA: CVE-2025-67038 actively exploited in Lantronix EDS5000 devices. CVSS 9.8. OS command injection runs as root. Fed agencies patch by June 26. That's TOMORROW. Don't snooze on this.", "creation_timestamp": "2026-06-25T13:26:41.714845Z"}, {"uuid": "a9034738-68c5-4e7e-b019-fe151e8229a3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/sergioiker.bsky.social/post/3mp4jsmgjps24", "content": "5/ \u26a0\ufe0f CISA: CVE-2025-67038 actively exploited in Lantronix EDS5000 devices. CVSS 9.8. OS command injection runs as root. Fed agencies patch by June 26. That's TOMORROW. Don't snooze on this.", "creation_timestamp": "2026-06-25T13:26:42.561899Z"}, {"uuid": "cacf17fb-f497-4c97-9fab-6c03aade8563", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/sergioiker.bsky.social/post/3mp4jsmgkp224", "content": "5/ \u26a0\ufe0f CISA: CVE-2025-67038 actively exploited in Lantronix EDS5000 devices. CVSS 9.8. OS command injection runs as root. Fed agencies patch by June 26. That's TOMORROW. 
Don't snooze on this.", "creation_timestamp": "2026-06-25T13:26:43.377487Z"}, {"uuid": "058aefda-0fef-4f4c-ad34-d885b0f6e664", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/sergioiker.bsky.social/post/3mp4jsmgloc24", "content": "5/ \u26a0\ufe0f CISA: CVE-2025-67038 actively exploited in Lantronix EDS5000 devices. CVSS 9.8. OS command injection runs as root. Fed agencies patch by June 26. That's TOMORROW. Don't snooze on this.", "creation_timestamp": "2026-06-25T13:26:44.243589Z"}, {"uuid": "34166454-c1a3-4e3b-8b48-c3e8f179926d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/sergioiker.bsky.social/post/3mp4jsmgmnk24", "content": "5/ \u26a0\ufe0f CISA: CVE-2025-67038 actively exploited in Lantronix EDS5000 devices. CVSS 9.8. OS command injection runs as root. Fed agencies patch by June 26. That's TOMORROW. Don't snooze on this.", "creation_timestamp": "2026-06-25T13:26:45.072260Z"}, {"uuid": "f1383a1f-a816-4d60-977f-915104aa92b9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/sergioiker.bsky.social/post/3mp4jsmgnms24", "content": "5/ \u26a0\ufe0f CISA: CVE-2025-67038 actively exploited in Lantronix EDS5000 devices. CVSS 9.8. OS command injection runs as root. Fed agencies patch by June 26. That's TOMORROW. 
Don't snooze on this.", "creation_timestamp": "2026-06-25T13:26:45.913088Z"}, {"uuid": "7a973e22-7061-4209-b981-ace03f7e474c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/sergioiker.bsky.social/post/3mp4jsmgnmt24", "content": "5/ \u26a0\ufe0f CISA: CVE-2025-67038 actively exploited in Lantronix EDS5000 devices. CVSS 9.8. OS command injection runs as root. Fed agencies patch by June 26. That's TOMORROW. Don't snooze on this.", "creation_timestamp": "2026-06-25T13:26:46.742546Z"}, {"uuid": "45af30e6-99c3-4ec1-9d4e-a6130423a12f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/sergioiker.bsky.social/post/3mp4jsmgnmu24", "content": "5/ \u26a0\ufe0f CISA: CVE-2025-67038 actively exploited in Lantronix EDS5000 devices. CVSS 9.8. OS command injection runs as root. Fed agencies patch by June 26. That's TOMORROW. Don't snooze on this.", "creation_timestamp": "2026-06-25T13:26:47.581867Z"}, {"uuid": "160198e3-8fac-4cd3-b636-c69f9fe3cc6e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mp4tak7oo223", "content": "CISA says CVE-2025-67038 is actively exploited in Lantronix EDS5000 serial-to-IP devices, where unauthenticated command injection can grant root access, enabling takeover, lateral movement, and data theft. 
#CVE2025 #Lantronix #OTSecurity", "creation_timestamp": "2026-06-25T16:15:30.522298Z"}, {"uuid": "30f351fe-b31f-44ce-b5d2-9abb697846e2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://mastodon.social/ap/users/115426718704364579/statuses/116811816664558410", "content": "\ud83d\udcf0 CISA Mandates Urgent Patching for Actively Exploited Flaws in Lantronix and Ubiquiti Devices\n\ud83d\udea8 CISA KEV ALERT: Critical flaws in Lantronix EDS5000 (CVE-2025-67038) & Ubiquiti UniFi OS (CVE-2026-34908) are actively exploited. Unauthenticated RCE with root access possible. Patch immediately! #CyberSecurity #Vulnerability #PatchNow\n\ud83c\udf10 cyber[.]netsecops[.]io\n\ud83d\udd17 https://cyber.netsecops.io/articles/cisa-adds-critical-lantronix-and-ubiquiti-flaws-to-kev-catalog/?utm_sourc\u2026", "creation_timestamp": "2026-06-25T17:01:17.840956Z"}, {"uuid": "d3a066f6-fd5d-491e-b9ec-aaf239740a7f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/netsecio.bsky.social/post/3mp4vsuypfp2r", "content": "\ud83d\udea8 CISA KEV ALERT: Critical flaws in Lantronix EDS5000 (CVE-2025-67038) & Ubiquiti UniFi OS (CVE-2026-34908) are actively exploited. Unauthenticated RCE with root access possible. Patch immediately! 
#CyberSecurity #Vulnerability #PatchNow\n\n\ud83c\udf10 cyber[.]netsecops[.]io", "creation_timestamp": "2026-06-25T17:01:33.902549Z"}, {"uuid": "f8fa8f04-7934-4fe3-a139-7480bc444410", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/iberianm.bsky.social/post/3mp57sm6r6u2c", "content": "Lantronix EDS5000 Series: CISA warns CVE-2025-67038 is being actively exploited. Defenders should patch now and verify EDS5000 is updated before June 26, 2026. #Cybersecurity #Vulnerability #ThreatIntel\n\nSource: https://thehackernews.com/2026/06/cisa-warns-critical-lantronix-eds5000.html", "creation_timestamp": "2026-06-25T20:00:22.370337Z"}, {"uuid": "3996b192-2c06-43d3-9552-6954ed254b7a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://threatintel.cc/2026/06/25/cisa-warns-of-maxseverity-ubiquiti.html", "content": "Source URL: www.bleepingcomputer.com/news/secu\u2026\u2028CISA added actively exploited vulnerabilities affecting Ubiquiti UniFi OS and Lantronix EDS5000 serial-to-Ethernet servers to its Known Exploited Vulnerabilities catalogue and, under BOD 26-04, directed U.S. federal agencies to apply available updates or vendor-recommended mitigations within three days. The Ubiquiti flaws include an access-control bypass, directory/path traversal and improper input validation that could enable command execution, with researchers showing the issues can be chained for full remote code execution on vulnerable UniFi OS devices. 
The Lantronix issue, CVE-2025-67038, is a critical root-level command-injection flaw in the HTTP RPC module, making urgent patching, exposure review and compensating controls appropriate for organizations running these products.", "creation_timestamp": "2026-06-26T01:00:42.237651Z"}, {"uuid": "20044d6c-db08-4bc8-b152-f4f97de0c501", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/yazoul-alerts.bsky.social/post/3mp6q3zd5oa2k", "content": "CISA just added CVE-2025-67038 to its known exploited list.\n\nLantronix EDS5000 Series.\n\nhttps://www.yazoul.net/news/article/cisa-warns-critical-lantronix-eds5000-flaw-is-being-actively-exploited/\n\n#CyberSecurity #PatchNow", "creation_timestamp": "2026-06-26T10:24:37.442876Z"}, {"uuid": "b09ade8e-2161-47eb-9113-5f1de6ce406f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2025-67038", "type": "seen", "source": "https://bsky.app/profile/cyberveille-ch.bsky.social/post/3mp6vha5xql2h", "content": "\ud83d\udce2 CVE-2025-67038 : ex\u00e9cution de commandes arbitraires dans les convertisseurs Lantronix EDS5000 ajout\u00e9e au KEV CISA\n\ud83d\udcdd #\u2026\nhttps://cyberveille.ch/posts/2026-06-26-cve-2025-67038-execution-de-commandes-arbitraires-dans-les-convertisseurs-lantronix-eds5000-ajoutee-au-kev-cisa/ #Berserk_Bear #Cyberveille", "creation_timestamp": "2026-06-26T12:00:22.125100Z"}, {"uuid": "4ab40adb-1dfc-4406-b481-893d6d544619", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/yazoul-alerts.bsky.social/post/3mpb5j7jiya2i", "content": "CISA says this Lantronix flaw is being exploited right now. 
Your OT gear might be next.\n\nCVE-2025-67038.\n\nhttps://www.yazoul.net/news/article/cisa-warns-critical-lantronix-eds5000-flaw-is-being-actively-exploited/\n\n#InfoSec #DataBreach", "creation_timestamp": "2026-06-27T09:29:57.908573Z"}, {"uuid": "95f3209d-a787-447b-9a1f-41fe87ae0373", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/yazoul-alerts.bsky.social/post/3mpdplau6el2h", "content": "Your industrial network gear is getting pwned in real-time.\n\nCVE-2025-67038.\n\nhttps://www.yazoul.net/news/article/cisa-warns-critical-lantronix-eds5000-flaw-is-being-actively-exploited/\n\n#CyberSecurity #Security", "creation_timestamp": "2026-06-28T09:58:33.128161Z"}, {"uuid": "3f3551ce-f227-4053-ae0e-78e7eb467e92", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2025-67038", "type": "seen", "source": "https://bsky.app/profile/etairos-ai.bsky.social/post/3mpdy4hggqf23", "content": "Unauth command injection = ROOT on Lantronix EDS5000 serial-to-IP boxes (the OT-to-network bridge). Actively exploited, now CISA KEV, thousands exposed. Get them off the internet: https://threat-intelligence.redeyesecurity.com/blog/lantronix-serial-to-ip-cve-2025-67038-ot-exploited-2026", "creation_timestamp": "2026-06-28T12:31:20.534454Z"}, {"uuid": "52c48fdf-ceea-457d-a034-297ad5211e17", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/technoholic.bsky.social/post/3mpgskviyfd2q", "content": "CISA warns of active CVE-2025-67038 (CVSS 9.8) flaw in Lantronix EDS5000 Series. 
FCEB agencies must fix by June 26, 2026, to prevent possible code injection and harm.", "creation_timestamp": "2026-06-29T15:30:01.588662Z"}, {"uuid": "854caed7-e304-4b01-ad57-f26c1ed08711", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/yazoul-alerts.bsky.social/post/3mph3j5iy442j", "content": "Your OT devices just became CISA's problem. And yours.\n\nCVE-2025-67038.\n\nhttps://www.yazoul.net/malware/mirai-2026-06/reports/2026-06-28/\n\n#CVE #CyberSecurity", "creation_timestamp": "2026-06-29T18:10:38.352445Z"}, {"uuid": "efb41bf8-ecc0-44f8-b4d9-f6da9a5a6f03", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/yazoul-alerts.bsky.social/post/3mpisgrwxkd2i", "content": "\u26a0\ufe0f CISA issued a warning. Not an advisory. A warning.\n\nCVE-2025-67038.\n\nhttps://www.yazoul.net/malware/mirai-2026-06/reports/2026-06-28/\n\n#InfoSec #ThreatIntel", "creation_timestamp": "2026-06-30T10:33:05.313312Z"}, {"uuid": "db04430a-cf97-4485-915f-84444ba2ab3f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://bsky.app/profile/geeknik.bsky.social/post/3mpjjhnwu7h2t", "content": "Patch-and-pray doesn't work in OT. Attackers reverse-engineered a Lantronix fix and exploited CVE-2025-67038 before the research even went public. 
Your patch is their roadmap.", "creation_timestamp": "2026-06-30T17:25:09.132081Z"}, {"uuid": "3c90480f-08ee-4cbc-8187-ae47f29ba7cb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-67038", "type": "seen", "source": "https://www.jerrygamblin.com/2026/07/01/3528/", "content": "We are halfway through 2026, so it is time for the mid-year CVE check-in. The short version: the volume curve has gone vertical while exploitation has not. This review covers everything published in the first half of 2026 (Jan 1 \u2013 Jun 30, 2026), the volume, the severity, what is actually being exploited, and who is driving the numbers, all measured against the same elapsed window a year ago so a partial half is never compared to a full one.\n\nTL;DR\n\nThe first half of 2026 produced 35,364 CVEs, more in six months than any full year before 2024 (all of 2023 finished at 28,817). That works out to one new CVE every 7.4 minutes, an increase of 49.5% over the same window in 2025 (23,656). And yet only 85 of them (0.24%) have made CISA\u2019s KEV list so far, a floor that will rise as the cohort ages and exploitation is confirmed.
That gap is the story of 2026 so far: we are minting CVEs faster than ever while confirmed exploitation stays rare, so the hard problem is signal-to-noise, not patch volume.\n\nAt this pace the year projects to roughly 71,314 to 72,008, and the all-time catalog has now passed 344,258 CVEs since 1999.\n\nNote: All statistics in this report exclude rejected CVEs to provide an accurate count of active vulnerabilities.\n\nKey Statistics at a Glance\n\nMetric | Value\nTotal CVEs (H1 2026) | 35,364\nCVEs per Day | 195.4\nChange vs same window 2025 | +49.5%\nProjected Full Year | 71,314 \u2013 72,008\nCritical Severity | 3,554\nHigh Severity | 13,821\nAverage CVSS Score | 6.89\nCVSS Coverage | 94.3%\nCWE Coverage | 95.6%\nActive CNAs | 340\nRejected CVEs (H1 2026) | 1,265\nAlready Known-Exploited (KEV) | 85\n\nH1-over-H1: Three Years Side by Side\n\nTo keep the comparison honest while 2026 is still in progress, each year is measured over the identical window (January 1 through Jun 30).\n\nWindow | CVEs | Per Day | Avg CVSS\nJan 1 \u2013 Jun 30, 2024 | 20,374 | 112.6 | 6.65\nJan 1 \u2013 Jun 30, 2025 | 23,656 | 130.7 | 6.57\nJan 1 \u2013 Jun 30, 2026 | 35,364 | 195.4 | 6.89\n\nForecast Scorecard: Are We On Pace?\n\nAt 195.4 CVEs/day, two straight-line methods land close to each other (both are simple extrapolations of the same H1 run, so this is a sanity check, not two truly independent signals): the run-rate extrapolates to 71,314, and a seasonality-adjusted estimate (scaling the pace across the full half, then dividing by 2025\u2019s 49% first-half share) to 72,008.\n\nCVEForecast, one of my own RogoLabs tools, projects\u00a090,831 CVEs\u00a0for full-year 2026 (LinearRegression, MAPE 17.9), so I am partly arguing with my own model here.
That is\u00a018,823 above\u00a0the top of the straight-line range, and here is where I will plant a flag:\u00a0I think the model is high.\u00a0Both simple extrapolations land near 72,008, and the forecast\u2019s entire gap to them rests on a heavy second-half surge that still has to show up.\u00a0My call is the year closes nearer 72,008 than 90,831.\u00a0I will happily eat those words in the December review if H2 accelerates the way the model expects, but the burden of proof is on the surge.\n\nWhat Changed in H1 2026\n\nGitHub Security Advisories is the busiest CNA at 6,801 assignments. New to the most-affected product list this year: Chrome, OpenClaw. Among weakness types, CWE-862 (Missing Authorization) climbed to #2 in the top five.\n\nSpotlight: OpenClaw. A project that barely existed a year ago, OpenClaw (Peter Steinberger\u2019s viral local AI agent, the subject of Lex Fridman Podcast #491) is already one of the most-reported products of the half with 537 CVEs. The striking part is who is doing the reporting: VulnCheck alone assigned 500 of them (93%), disclosed steadily across the half rather than in a single dump. That concentration says more about researcher attention than code quality: VulnCheck, whose remit is emerging and exploited-in-the-wild threats, is exactly the kind of team that systematically covers a fast-growing new target, and concentrated third-party research on a hot AI agent is the coverage you would want. To its credit the project embraced the CVE lifecycle itself, issuing advisories through GitHub as reports came in. I track its CVEs at OpenClawCVEs.\n\nHistorical CVE Growth\n\nTo compare like with like, this chart counts only the first half of every year (January 1 through Jun 30).
On that basis 2026 already stands taller than any prior first half: more CVEs in six months than the same window has ever produced.\n\nFirst-half growth has been relentless, and 2026 is +49.5% on the first half of 2025.\n\nCounting full years, the cumulative catalog has now passed 344,258 CVEs.\n\nMonthly Distribution (H1 2026)\n\nCVE publications varied across the first half of 2026, with Jun being the peak month at 7,454 CVEs.\n\nPublication Patterns by Day of Week\n\nPublishing clusters midweek. Wednesday is the busiest day at 7,943 CVEs, with Tuesday close behind at 7,216. Patch Tuesday is part of the story, but the midweek bulge owes as much to the high-volume CNAs (GitHub, Linux, the WordPress plugin crowd) that batch-publish midweek.\n\nWeekdays average 6,517 CVEs against just 1,389 on weekends.\n\nBusiest Days of H1 2026\n\nSome days saw massive spikes in CVE publications:\n\nTop 5 Busiest Days\n\nRank | Date | CVE Count\n1 | 2026-06-09 | 747\n2 | 2026-06-17 | 732\n3 | 2026-05-27 | 716\n4 | 2026-03-25 | 606\n5 | 2026-05-12 | 554\n\nCVSS Score Analysis\n\nThe Common Vulnerability Scoring System (CVSS) helps standardize severity assessments. Here\u2019s how H1 2026 CVEs were distributed across the scoring range.\n\nThe average CVSS score for H1 2026 was 6.89, with a median of 7.10.\n\nSeverity Breakdown\n\nSeverity | Count | Percentage\nCritical | 3,554 | 10.0%\nHigh | 13,821 | 39.1%\nMedium | 14,485 | 41.0%\nLow | 3,056 | 8.6%\nUnscored | 448 | 1.3%\n\nPercentages are of all H1 2026 CVEs; \u201cUnscored\u201d are the 1.3% with no CVSS severity assigned.\n\nCVSS Trends Over Time\n\nTop Weakness Types (CWE)\n\nThe Common Weakness Enumeration (CWE) categorizes the types of security weaknesses.
Here are the most prevalent weakness types in H1 2026:\n\nTop 5 CWEs in H1 2026\n\nRank | CWE | Name | Count\n1 | CWE-79 | XSS | 3,783\n2 | CWE-862 | Missing Authorization | 1,704\n3 | CWE-89 | SQL Injection | 1,445\n4 | CWE-22 | Path Traversal | 1,264\n5 | CWE-416 | Use After Free | 1,037\n\nCVE Numbering Authorities (CNAs)\n\nThe leaderboard increasingly reflects where modern software and modern vulnerability research live: platform and ecosystem CNAs (GitHub, Patchstack) and dedicated research CNAs (VulnCheck, VulDB) alongside the traditional product vendors. High assignment counts are not inflation, a CNA covering the WordPress plugin ecosystem or issuing a CVE per kernel fix is doing exactly its job; the low KEV overlap below reflects how rare confirmed exploitation is across all sources, not the validity of any CNA\u2019s records. The most active assigners this year:\n\nTop 5 CNAs in H1 2026\n\nRank | CNA | CVEs Assigned\n1 | GitHub Security Advisories | 6,801\n2 | VulDB | 3,319\n3 | VulnCheck | 3,273\n4 | Patchstack | 2,704\n5 | Linux | 2,564\n\nIn total, 340 unique CNAs assigned CVEs in H1 2026.\n\nTop Vendors\n\nThe vendors with the most CVEs attributed to their products this year (each links to its NVD search):\n\nTop 5 Vendors in H1 2026\n\nRank | Vendor | CVE Count\n1 | Linux | 2,564\n2 | Google | 1,801\n3 | Microsoft | 864\n4 | OpenClaw | 537\n5 | Oracle | 445\n\nMost Vulnerable Products\n\nDrilling past vendors to specific products, the H1 2026 leaders:\n\nTop 5 Products\n\nRank | Product | CVE Count\n1 | Linux Kernel | 1,956\n2 | Chrome | 1,203\n3 | OpenClaw | 534\n4 | Windows 10 | 372\n5 | Android | 303\n\nProduct-level counts can differ slightly from the vendor totals above: a vendor\u2019s CVEs may span several products, and a single CVE can name more than one.\n\nKnown-Exploited Vulnerabilities (CISA KEV)\n\nVolume is the headline, but exploitation is what should actually drive patching.
Of the 35,364 CVEs published in H1 2026, only 85 (0.24%) have shown up in the CISA KEV catalog so far. Treat that as a floor, not a verdict: KEV is a US-government catalog that lags disclosure by months and records only confirmed, observed exploitation, so this share will climb as the 2026 cohort ages. Even so, the signal holds, most CVEs are not known-exploited, so exploitability (KEV plus a forward-looking score like EPSS) beats chasing raw counts.\n\nNote these are two different populations: the 85 above are H1-2026-published CVEs already in KEV, while CISA added 146 entries to KEV during the half (more than the 132 added in the same window of 2025, many of them older CVEs newly exploited), and 17 of those additions are tied to known ransomware campaigns.\n\nH1 2026 CVEs Already in KEV\n\nA sample (5 most recent of 85):\n\nCVE | Vendor | Product | Added | Ransomware\nCVE-2026-48558 | Simplehelp | SimpleHelp | 2026-06-29 | No\nCVE-2026-20230 | Cisco | Unified Communications Manager | 2026-06-25 | No\nCVE-2026-12569 | Ptc | Windchill and FlexPLM | 2026-06-25 | No\nCVE-2025-67038 | Lantronix | EDS5000 | 2026-06-23 | No\nCVE-2026-34910 | Ubiquiti | UniFi OS | 2026-06-23 | No\n\nData Quality\n\nNot all CVEs have complete metadata. Here\u2019s how data quality has evolved over the years:\n\nH1 2026 Data Quality Metrics\n\nMetric | Coverage\nCVSS Score | 94.3%\nCWE Classification | 95.6%\nCPE Identifiers | 59.0%\n\nThis is where two ideas from the CVE Decaf work I did with Jay Jacobs get practical: actionable data quality (judge a record by whether it is complete enough to act on, not by abstract completeness) and data provenance (knowing which source asserted each field). The CPE gap is the clearest case.
At 59.0% CPE coverage, nearly half of H1 2026 CVEs cannot be automatically matched to a product the day they publish, so for those records the answer to \u201ccan I act on this today?\u201d is no, no matter how complete the rest of the entry looks. Scoring each record on its provenance (who supplied it) and on the fields that actually drive action (CPE for asset matching, KEV and EPSS for exploitability) is how you turn the raw feed into a measurable signal-to-noise ratio instead of a flat backlog.\n\nRejected CVEs\n\nNot all CVE IDs stay active. Some are rejected for duplicates, disputes, or invalid submissions, and the rejection rate is a useful read on the ecosystem\u2019s quality control.\n\nH1 2026 Rejection Statistics\n\nMetric | Value\nRejected CVEs in H1 2026 | 1,265\nH1 2026 Rejection Rate | 3.45%\nTotal Rejected (All Time) | 17,648\n\nCVE rejections occur for several reasons:\n\nDuplicates: The same vulnerability assigned multiple CVE IDs\n\nDisputes: Vendor disagreement that the issue is a vulnerability\n\nInvalid: Not a security vulnerability or insufficient information\n\nWithdrawn: CVE withdrawn by the assigning CNA\n\nConclusions\n\nKey Takeaways from the First Half of 2026\n\nVolume keeps climbing: 35,364 CVEs in roughly six months, up 49.5% on the same window last year, with the full year projecting to 71,314-72,008.\n\nSeverity stays heavy: 17,375 CVEs (49.1%) are Critical or High.\n\nWeb and access-control flaws lead: XSS, Missing Authorization, SQL Injection, Path Traversal headline the CWE list.
Memory-safety issues barely register in the top tier this half.\n\nThe CNA mix is shifting: platform teams and aggregators, not the original vendors, now top the assigner list, and the lineup reshuffled from a year ago.\n\nCoverage gaps persist: CVSS and CWE are well covered, but CPE sits at 59.0%, which still hampers automated matching.\n\nConfirmed exploitation stays rare (so far): just 85 of 35,364 H1 CVEs (0.24%) are in CISA KEV today, a floor that rises as the cohort ages. Volume is a triage problem, not a patch-everything problem.\n\nWhat this means for you\n\nIf you defend a network: do not let the raw count set your pace. Only 0.24% of H1 CVEs are confirmed-exploited in KEV today, but KEV lags and is a floor, not the full risk picture. Lead with exploitability (KEV as a hard floor, EPSS with a threshold you pick), then weight by your own context: internet-facing and sensitive systems jump the queue regardless of score, and compliance SLAs (PCI, FedRAMP, and the like) still set hard clocks. Lower priority is not never, so park the rest in a managed cycle rather than ignoring it.\n\nIf you run a CNA: the leaderboard now runs through platforms, ecosystems, and research CNAs. Volume reflects scope, not padding; the differentiator that is still genuinely uneven is data quality, and the biggest gap, CPE coverage, is largely an NVD-side enrichment problem rather than a function of who assigned the CVE.\n\nIf you consume NVD data: enrichment is the bottleneck. CPE at 59.0% means nearly half of new CVEs lack a formal CPE, which complicates NVD-style automated matching (many CNAs still carry vendor/product strings), and volume only widens that gap.\n\nWhat I\u2019m watching in H2\n\nMy call from the scorecard stands: 2026 closes nearer 72,008 than the 90,831 forecast.
Two things would change my mind: a December disclosure surge bigger than 2025\u2019s, or another OpenClaw-style project flooding the catalog. The year-end review settles it.\n\nMethodology and Reproducibility\n\nTwo primary data sources, plus two enrichment feeds:\n\nNVD JSON \u2013 National Vulnerability Database export from nvd.handsonhacking.org\n\nCVE List V5 \u2013 Official CVE records from CVEProject/cvelistV5\n\nForecast\u00a0\u2013\u00a0CVEForecast\u00a0full-year projection\n\nExploitation \u2013 CISA KEV catalog\n\nEverything here is reproducible. The full pipeline (Python, pandas, matplotlib) is on GitHub at\u00a0jgamblin/H12026CVEBlog, and it leans on the free CVE tooling I build at\u00a0RogoLabs:\u00a0cve.icu,\u00a0cnascorecard.org, and\u00a0cveforecast.org.\n\nData collected and analyzed on July 01, 2026.", "creation_timestamp": "2026-07-01T19:00:55.919945Z"}]}