The end of 2025 was not kind to web security teams. In December, more Common Vulnerabilities and Exposures (CVE) were published than in any previous month ever.
What is a CVE?
Lots of popular software and systems, even ones as widely used as Microsoft Office and Adobe Photoshop, have known vulnerabilities open for attackers to exploit.
To prevent every engineering team in the world from fighting these battles alone, a system was developed in 1999 to publicly catalogue common vulnerabilities. This list of CVEs uses consistent terminology, exact descriptions, and rates each entry based on its severity, ranging from low to critical. It’s basically a glossary of serial numbers for software flaws that attackers could exploit.
For web hosts like us, the CVEs that matter most are usually the ones reporting vulnerabilities in core software—like back in July 2025 when we patched two CVEs affecting the Linux ecosystem (one of them rated critical).
CVEs don’t include any technical fixes. Instead, their purpose is to highlight the problem and serve as a universal starting point for tracking vulnerabilities.
A significant jump
The big news here is that more new CVEs were recorded in 2025 than in any previous year. To be exact, 48,185 CVEs were published throughout the year—just over 132 a day. That’s a 20.6% increase from 2024, and more than 7x the number of CVEs published 10 years ago in 2015. To stress the point, CVEs recorded in the last two years account for 27% of all CVEs since the platform’s launch in 1999. All signs indicate that the rate of CVE publications is growing exponentially.
Of the 48,185 new CVEs reported in 2025, 18,987 of them were rated critical or high severity. That’s almost 40% of them. While it’s a dramatic percentage, it’s actually a slight reduction in the average severity compared with previous years. This indicates that, of the tens of thousands of new CVEs reported, many were rated with lower severity.
Why so many new CVEs, so suddenly?
Industry analysts have a range of opinions on what’s contributed to the rise in CVEs. Some are more convincing than others.
Institutional firms like IBM are throwing the blame at increasingly complex IT systems, the proliferation of open-source software that relies on community patching, and fast iterative agile development processes. In this view, moving faster inevitably means breaking more things as people stretch the systems that maintain software. But it’s hard to align these long-run trends with the recent explosion in CVEs, and it’s difficult to argue that open source is inherently less secure.
Others, like cybersecurity company Hive Pro, cite a wider range of software adoption across industries, and rising sophistication of AI tools. The more that software gets used, and the more it gets probed for weaknesses, the more weaknesses we’ll find.
From our perspective, one thing that has certainly changed in recent years is the prominence of automated scanning tools. These tools are quicker and more effective at discovering vulnerabilities than human researchers. For example, one researcher unintentionally discovered and reported CVE-2025-37899, a vulnerability deep in the Linux kernel, after feeding over 12,000 lines of code into ChatGPT.
Since the tools are equally available whether people want to fix or exploit vulnerabilities, an arms race is on.
From 2022 to 2025, the annual number of CVEs has roughly doubled. That’s not to say there are twice as many vulnerabilities. More likely, vulnerabilities are being found and reported as CVEs at unprecedented rates.
This is a double-edged sword. While transparency improves awareness for security teams, it also means attackers gain access to detailed technical information as soon as CVEs are published.
The time it takes for CVEs to go from being published to being actively exploited has changed—now it’s sometimes only a matter of days, or even hours.
How we deal with CVEs
Part of our role as a responsible web host involves patching all of our infrastructure, ensuring customers are kept up-to-date and covered for known vulnerabilities.
The CVE catalogue provides our team with a laundry list of vulnerabilities that we can assess and take action against based on the severity of the CVE and its relation to our software.
In years past, we updated our images two to three times a year to patch these potential weaknesses. The sheer volume and speed of new CVEs in recent years has made us release updates more frequently. More of our time and effort has been spent keeping servers secure and running.
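A worked example of the triage step described above, added here and not SiteHost's own tooling: it takes a batch of CVE records (constructed samples with placeholder IDs that only mimic the CVE JSON record layout of cveMetadata and containers.cna), keeps those that name software in a host's inventory, and orders them by CVSS base severity, holding unscored matches for human review instead of dropping them.

```python
import json

SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Constructed inventory of (vendor, product) pairs this hypothetical host runs.
INVENTORY = {("linux", "kernel"), ("nginx", "nginx")}

# Constructed records with placeholder IDs that only mimic the CVE JSON layout
# (cveMetadata / containers.cna.affected / containers.cna.metrics); not real CVEs.
RECORDS_JSON = """[
 {"cveMetadata": {"cveId": "CVE-0000-0001"}, "containers": {"cna": {"affected": [{"vendor": "linux",
  "product": "kernel"}], "metrics": [{"cvssV3_1": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
 {"cveMetadata": {"cveId": "CVE-0000-0002"}, "containers": {"cna": {"affected": [{"vendor": "nginx",
  "product": "nginx"}], "metrics": [{"cvssV3_1": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]}}},
 {"cveMetadata": {"cveId": "CVE-0000-0003"}, "containers": {"cna": {"affected": [{"vendor": "example",
  "product": "photoshop"}], "metrics": [{"cvssV3_1": {"baseScore": 9.1, "baseSeverity": "CRITICAL"}}]}}},
 {"cveMetadata": {"cveId": "CVE-0000-0004"}, "containers": {"cna": {"affected": [{"vendor": "nginx",
  "product": "nginx"}], "metrics": []}}}
]"""
RECORDS = json.loads(RECORDS_JSON)

def severity_of(record):
    """Highest CVSS base severity and score across a record's metrics; NONE if unscored."""
    best_sev, best_score = "NONE", 0.0
    for metric in record["containers"]["cna"].get("metrics", []):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            cvss = metric.get(key)
            if not cvss:
                continue
            sev = str(cvss.get("baseSeverity", "NONE")).upper()
            if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK[best_sev]:
                best_sev, best_score = sev, float(cvss.get("baseScore", 0.0))
    return best_sev, best_score

def triage(records, inventory, min_severity="HIGH"):
    """Return (cve_id, severity, score, hit_products) for CVEs that affect the
    inventory and meet min_severity, highest score first. Unscored hits are kept
    (severity NONE, sorted last) so a human reviews them instead of losing them."""
    findings = []
    for rec in records:
        affected = rec["containers"]["cna"].get("affected", [])
        hits = {(str(a.get("vendor", "")).lower(), str(a.get("product", "")).lower())
                for a in affected} & set(inventory)
        if not hits:
            continue
        sev, score = severity_of(rec)
        if sev != "NONE" and SEVERITY_RANK[sev] < SEVERITY_RANK[min_severity]:
            continue
        findings.append((rec["cveMetadata"]["cveId"], sev, score, sorted(hits)))
    return sorted(findings, key=lambda f: -f[2])
```

Lowering min_severity to "MEDIUM" pulls the nginx record in as well; the photoshop record never appears because nothing in the inventory matches it.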
What does it mean for you?
All indications suggest that 2026 will see just as many CVEs published as last year, if not more. This is the new reality we live in, where 48,185 published CVEs a year is a new baseline.
But more CVEs isn't necessarily cause for doom and gloom. This dramatic upswing doesn’t mean that the web security situation is worse, but it does make it a lot noisier. Rest assured, we pay attention to the CVE list despite its unwieldy length and respond to threats accordingly.
Back when there weren’t over 130 new CVEs emerging each day, covering vulnerabilities with two to three patches a year was a viable approach. On the other hand, responding to every CVE the day it's published is an equally unrealistic option for web hosting companies. Instead of patching every little hole, approaches will have to be more strategic—focussing on the most critical and pressing vulnerabilities.
With the number of new CVEs likely set to continue rising every year, patching images at a speed to match is getting more difficult. Different companies will take different approaches. Just know that if your host is providing updates to cover these vulnerabilities, the value of their services is only increasing.
If you’re on Cloud Containers
If you're using Cloud Containers, rest assured that our images are updated to keep you protected from CVEs. For those with Managed Cloud Containers, we upgrade images on your behalf at your requested schedule. You'll also jump to the front of the queue for security updates and patching.
If you're running unmanaged Cloud Containers, the updated images are still available but it's on you to install them.
If you’re managing your own server
We do not patch unmanaged servers. If you’re managing your own server, it’s your responsibility to stay on top of CVEs and keep your server updated. It pays to be aware of what you’re fighting against and keep tabs on the most up-to-date list of CVEs.
Time to consider Server Management?
The glut of CVEs published last year is another reminder of the benefits of Server Management. If maintaining your server against over 40,000 new vulnerabilities a year sounds intimidating, it could be time to consider leaving patching and updating to SiteHost’s team of skilled engineers. With Server Management you can work, rest, and even holiday, knowing that your infrastructure is being taken care of and monitored round-the-clock.
The way we look at it: Server Management not only provides monitoring, maintenance, and security patching—it also provides peace of mind.
If you’d like to talk with us about adding Server Management, we’re always ready to hear from you.
Photo by Connor Scott McManus from Pexels.