month report
October 2025
Data as of Jun 11, 2026, 06:05 UTC · Snapshot v1 · Sources: CVEList V5 + NVD + GHSA + CSAF + FSTEC BDU + CISA KEV + EPSS + Nuclei templates
October 2025 closed with 4,544 published CVEs: 288 critical, 31 added to CISA KEV (2 ransomware-linked). The vendor linux led by volume, mostly via the product linux. Top weakness class: CWE-79 (721 CVEs). 10 vendors entered the top 100 for the first time.
- Total CVEs: 4,544 (no MoM or YoY figure given)
- Severity mix: 288 critical / 1,462 high
- KEV added: 31 (2 ransomware-linked)
- Nuclei coverage: 15.8% (717 CVEs with templates)
Time to exploit
How fast the community ships detection after a CVE drops.
- Days → Nuclei (median): 135.3 (n=717)
- Within 7 days: 0.0%
- Within 30 days: 0.0%
- Days → KEV (median): 8 (n=9)
Detection gap
KEV pressure, no Nuclei coverage
October 2025 · vendors with active exploitation listed by CISA but no public detection template.
- f5: KEV 1, 44 CVE
Weakness × Vendor
What's spreading where in October 2025
Cells shaded by share of vendor's hottest weakness.
[Heatmap: weakness (columns) by vendor (rows); per-cell counts are not recoverable from the extracted text.]
Columns: CWE-79 (XSS), CWE-89 (SQL Injection), CWE-862 (Missing Authorization), CWE-74 (Injection), CWE-476 (NULL Pointer Dereference), CWE-284, CWE-416 (Use After Free), CWE-121, CWE-200 (Information Exposure), CWE-94 (Code Injection)
Rows: linux, сообщество свободного программного обеспечения (free software community), red hat inc., canonical ltd., ооо «русбитех-астра», microsoft, microsoft corp, ооо «ред софт», ао «сбертех», maven, nagios, oracle
Most discussed CVEs — October 2025
No CVE mentions in the news this month yet.
First time in top-100
Vendors never in top-100 in the prior 24 periods.
- #9 nagios: 99 CVE
- #25 andsoft: 40 CVE
- #32 azure-access: 34 CVE
- #33 azure access technology: 34 CVE
- #36 ооо "вебсофт девелопмент": 33 CVE
- #38 the wikimedia foundation: 30 CVE
- #45 eclipse: 23 CVE
- #46 eclipse foundation: 23 CVE
- #59 ipfire.org: 18 CVE
- #60 tomofun: 18 CVE
Top vendors
Ranked by distinct CVE count this period.
| # | Vendor | CVEs | Crit | KEV | Nuclei | CVSS | Signals | Top products |
|---|---|---|---|---|---|---|---|---|
| 1 | linux | 651 | 1 | · | · | 6.0 | PoC 3 | linux (651) · linux kernel (450) |
| 2 | сообщество свободного программного обеспечения (free software community) | 541 | 6 | · | 1 | 6.1 | Nuclei 1 · PoC 15 | linux (482) · debian gnu/linux (308) · freescout (22) |
| 3 | redhat | 337 | · | · | 1 | 6.3 | Nuclei 1 · PoC 12 | red hat enterprise linux (322) · red hat enterprise linux 9 (10) · red hat enterprise linux 10 (10) |
| 4 | canonical | 201 | · | · | · | 6.1 | PoC 8 | ubuntu (193) · lxd (8) |
| 5 | ооо «русбитех-астра» | 190 | 8 | · | 1 | 6.4 | Nuclei 1 · PoC 24 | astra linux special edition (190) · astra linux common edition (12) |
| 6 | microsoft | 183 | 11 | 3 | 1 | 7.0 | KEV 3 · Nuclei 1 · PoC 3 | windows server 2025 (127) · windows server 2025 (server core installation) (127) · windows 11 24h2 (121) |
| 7 | maven | 103 | 5 | · | 2 | 6.3 | Nuclei 2 · PoC 5 | com.liferay.portal:release.portal.bom (12) · com.liferay.portal:com.liferay.portal.impl (5) · com.liferay:com.liferay.change.tracking.web (4) |
| 8 | ооо «ред софт» | 100 | 7 | · | 2 | 6.7 | Nuclei 2 · PoC 26 | ред ос (100) |
| 9 | nagios | 99 | 9 | · | · | 6.7 | NEW · PoC 4 | nagios xi (74) · xi (74) · log server (15) |
| 10 | oracle | 78 | 5 | 3 | 3 | 6.1 | KEV 3 · Nuclei 3 · PoC 3 | mysql server (9) · oracle vm virtualbox (9) · zfs storage appliance kit (9) |
| 11 | ао «сбертех» | 78 | 1 | · | · | 6.0 | PoC 7 | platform v sberlinux os server (78) |
| 12 | code-projects | 76 | 1 | · | · | 6.0 | PoC 76 | simple food ordering system (11) · e-commerce website (10) · client details system (7) |
| 13 | nagios enterprises llc | 73 | 10 | · | · | 6.9 | PoC 2 | nagios xi (50) · nagios log server (15) · nagios fusion (5) |
| 14 | pypi | 70 | 10 | · | · | 7.0 | PoC 9 | keras (4) · bbot (4) · fastmcp (3) |
| 15 | packagist | 64 | 1 | · | 1 | 6.2 | Nuclei 1 · PoC 13 | moodle/moodle (7) · bagisto/bagisto (6) · magento/project-community-edition (5) |
| 16 | ао «ивк» | 64 | 5 | · | 1 | 6.5 | Nuclei 1 · PoC 7 | альт сп 10 (61) · альт 8 сп (19) · ивк кольчуга-к (лкнв.466217.002) (1) |
| 17 | fabian | 63 | 1 | · | · | 5.9 | PoC 63 | simple food ordering system (11) · e-commerce website (10) · client details system (8) |
| 18 | go | 60 | 4 | · | · | 6.9 | PoC 8 | github.com/mattermost/mattermost/server/v8 (6) · github.com/canonical/lxd (6) · github.com/mattermost/mattermost-server (6) |
| 19 | npm | 55 | 4 | · | 1 | 7.3 | Nuclei 1 · PoC 9 | flowise (11) · @strapi/core (3) · @anthropic-ai/claude-code (2) |
| 20 | tenda | 55 | 2 | · | · | 8.5 | PoC 46 | ch22 firmware (13) · ch22 (13) · ac18 firmware (9) |
| 21 | dlink | 45 | 4 | · | · | 7.4 | PoC 37 | dir-600l firmware (24) · dir-600l (24) · nuclias connect (4) |
| 22 | shenzhen tenda technology co., ltd. | 45 | 2 | · | · | 8.4 | PoC 36 | tenda ch22 (13) · tenda ac18 (9) · ac6 (8) |
| 23 | f5 | 44 | · | 1 | · | 7.1 | KEV 1 | big-ip (34) · big-ip application security manager (24) · big-ip advanced web application firewall (23) |
| 24 | qnap | 44 | · | · | · | 5.7 | · | quts hero (26) · qts (26) · qsync central (15) |
| 25 | andsoft | 40 | 9 | · | · | 7.0 | NEW | e-tms (40) |
| 26 | ibm | 40 | 3 | · | · | 6.5 | · | transformation extender advanced (5) · db2 high performance unload (4) · engineering requirements management doors next (4) |
| 27 | juniper | 40 | 1 | · | · | 6.4 | PoC 40 | junos space (26) · junos os evolved (7) · junos (7) |
| 28 | juniper networks | 40 | 1 | · | · | 6.6 | PoC 40 | junos space (26) · junos os (8) · junos os evolved (7) |
| 29 | liferay | 40 | · | · | · | 5.6 | PoC 2 | digital experience platform (40) · dxp (40) · liferay portal (39) |
| 30 | sourcecodester | 38 | · | · | · | 6.4 | PoC 38 | hotel and lodge management system (15) · best salon management system (4) · point of sales (3) |
| 31 | adobe | 36 | 1 | · | · | 7.2 | · | commerce (5) · adobe commerce (5) · commerce b2b (5) |
| 32 | azure-access | 34 | 20 | · | · | 8.4 | NEW | blu-ic2 firmware (34) · blu-ic4 firmware (34) |
| 33 | azure access technology | 34 | 20 | · | · | 8.4 | NEW | blu-ic4 (34) · blu-ic2 (34) |
| 34 | dell | 34 | 1 | · | · | 6.0 | · | data domain operating system (20) · powerprotect data domain with data domain operating system (dd os) lts2024 (18) · powerprotect data domain with data domain operating system (dd os) of feature release (18) |
| 35 | ао "нппкт" | 33 | 5 | · | 4 | 7.6 | Nuclei 4 · PoC 12 | осон основа оnyx (33) |
| 36 | ооо "вебсофт девелопмент" | 33 | 9 | · | · | 6.7 | NEW | websoft hcm (33) |
| 37 | fortinet | 32 | · | · | · | 5.7 | · | fortios (16) · fortiproxy (13) · fortipam (6) |
| 38 | the wikimedia foundation | 30 | · | · | · | · | NEW | mediawiki - growthexperiments extension (2) · mediawiki - imagerating extension (1) · mediawiki - languageselector extension (1) |
| 39 | samsung | 28 | · | · | · | 6.4 | · | android (11) · notes (6) · exynos w930 firmware (4) |
| 40 | fortinet inc. | 26 | · | · | · | 6.0 | · | fortios (13) · fortiproxy (10) · fortidlp (4) |
| 41 | samsung mobile | 26 | · | · | · | 5.2 | · | samsung mobile devices (12) · samsung notes (6) · smart switch (4) |
| 42 | hcltech | 24 | · | · | · | 5.1 | · | aion (7) · unica (5) · bigfix modern client management (4) |
| 43 | totolink | 24 | 2 | · | · | 8.2 | PoC 15 | lr350 firmware (7) · lr350 (7) · a3300r firmware (6) |
| 44 | unknown | 24 | 3 | · | 24 | 6.2 | Nuclei 24 · PoC 15 | ns maintenance mode for wp (2) · wp private content plus (1) · admin and customer messages after order for woocommerce: orderconvo (1) |
| 45 | eclipse | 23 | 4 | · | · | 6.8 | NEW · PoC 4 | threadx netx duo (12) · threadx usbx (5) · threadx (3) |
| 46 | eclipse foundation | 23 | 4 | · | · | 6.8 | NEW · PoC 4 | netx duo (11) · usbx (4) · threadx (3) |
| 47 | ibm corp. | 23 | 3 | · | · | 6.7 | · | transformation extender advanced (5) · ibm db2 high performance unload (4) · ibm security verify access (3) |
| 48 | huawei | 21 | · | · | · | 5.4 | · | harmonyos (21) |
| 49 | apache | 20 | 3 | · | · | 7.2 | PoC 1 | tomcat (3) · airflow (3) · kylin (3) |
| 50 | apache software foundation | 20 | 3 | · | · | 7.3 | PoC 1 | apache kylin (3) · tomcat (3) · apache airflow (3) |
Sectors
Solution categories ranked by distinct CVE count this period.
| Sector | CVEs | Crit | KEV | Vendors | Products | Avg CVSS | Top products |
|---|---|---|---|---|---|---|---|
| Operating Systems | 1,116 | 137 | 152 | 29 | 302 | 7.0 | linux (1133) · linux kernel (450) · red hat enterprise linux (322) |
| Web & CMS Plugins | 939 | 63 | · | 440 | 650 | 7.1 | digital experience platform (40) · dxp (40) · liferay portal (39) |
| Enterprise Software | 691 | 103 | 1 | 151 | 314 | 7.2 | nagios xi (124) · xi (74) · e-tms (40) |
| OSS Libraries | 543 | 59 | · | 93 | 409 | 7.2 | quickjs (14) · ffmpeg (13) · netx duo (11) |
| Networking Infrastructure | 330 | 127 | · | 61 | 265 | 8.0 | junos space (53) · dir-600l (24) · dir-600l firmware (24) |
| Security Products | 235 | 96 | 23 | 58 | 140 | 8.8 | blu-ic2 (34) · blu-ic2 firmware (34) · blu-ic4 (34) |
| ICS / OT / IoT | 204 | 54 | 1 | 59 | 346 | 7.3 | monitouch v-sft (9) · productivity 1000 p1-540 cpu (9) · productivity 1000 p1-550 cpu (9) |
| Hardware Firmware | 187 | · | · | 27 | 561 | 7.5 | qts (52) · quts hero (50) · qsync central (34) |
| Databases | 127 | 25 | 10 | 17 | 94 | 7.6 | mysql server (27) · vm virtualbox (18) · peoplesoft enterprise peopletools (16) |
| Consumer Software | 104 | 32 | · | 29 | 63 | 8.3 | substance 3d stager (10) · dimension (8) · gimp (7) |
| DevTools & CI | 88 | 11 | · | 25 | 59 | 7.7 | threadx netx duo (12) · threadx usbx (5) · radare2 (4) |
| Cloud & SaaS | 78 | 64 | 5 | 47 | 108 | 7.9 | learnhouse (4) · whale (3) · n8n (2) |
| Mobile Apps | 73 | 1 | · | 7 | 42 | 6.2 | harmonyos (21) · android (14) · android studio (10) |
| AI / ML | 57 | 11 | · | 42 | 41 | 9.8 | cursor (6) · flowise (6) · agentflow (2) |
| Communications | 54 | · | · | 31 | 44 | 5.8 | mattermost (12) · mastodon (8) · mattermost server (6) |
| Unclassified | 302 | 26 | · | 182 | 197 | 6.6 | sonoma d12 firmware (12) · data leakage prevention system (10) · data leakage prevention system 天锐数据泄露防护系统 (10) |
Weakness × Sector
Which weaknesses hit which solution categories in October 2025
Cells shaded by share of the sector's hottest weakness.
[Heatmap: weakness (columns) by sector (rows); per-cell counts are not recoverable from the extracted text.]
Columns: CWE-79 (XSS), CWE-89 (SQL Injection), CWE-862 (Missing Authorization), CWE-74 (Injection), CWE-476 (NULL Pointer Dereference), CWE-284, CWE-416 (Use After Free), CWE-121, CWE-200 (Information Exposure), CWE-94 (Code Injection)
Rows: Operating Systems, Web & CMS Plugins, Enterprise Software, OSS Libraries, Networking Infrastructure, ICS / OT / IoT, Security Products, Hardware Firmware, Consumer Software, Cloud & SaaS