The most glaring example of a predominant vulnerability type is visible in the top row, which is CWE-79: Improper Neutralization of Input During Web Page Generation, more commonly known as cross-site scripting (XSS). Cross-site scripting dominated the field of CVEs from 2011-2016, at times making up 60% of published vulns in a quarter. SQL injection was nearly as predominant from late 2007 to mid-2009.

In contrast to this, we currently abide in a period of expanding CWE diversity, with no one vulnerability type predominant. We haven’t yet had the time to explore the CWEs of the CVEs we track, but the trends in this latest traffic are also a reminder that old vulnerabilities never go away—witness the 10 year old Apache Solr CVE in our top ten this month. So while new vulnerabilities come from a much broader set of types, old favorites will most likely be one of these predominant types. We don’t have any answers on this line of inquiry at the moment, but we mention this CWE analysis just as another way to think about patterns and trends in terms of vulnerability management. And with that, we’ll see you in August, when the attackers will hopefully have done something more interesting.