Educational, Research

Why ~50% of CVEs in the Last 6 Months Trace Directly to Code‑Level Vulnerabilities

Idan Plotnik
CEO
Published July 23 2025 · 1 min. read

1. The Alarming Surge in CVEs

As of June 2025, over 21,500 new vulnerabilities have flooded the market—an average of 133 CVEs per day. That means roughly 10,000–11,000 CVEs have been published in the last six months alone.

2. Understanding Code‑Level Root Causes

While CVEs capture specific incidents, their underlying weakness types can be mapped to MITRE CWEs—categories like buffer overflows, injection flaws, insecure deserialization, and memory corruption.

3. Estimating the Scope: ~50% Code-Level CVEs

Metric                      Value
CVEs (last 6 months)        ~10,500
Code-level root causes      ~40–60%
Estimated code-level CVEs   4,200–6,300 (~50%)

4. Why It Matters

  • Actionable Insight: Prioritize scanning and unit testing on vulnerable modules—WAFs and filters alone aren’t enough.
  • Proactive Security: Embed SAST/DAST in CI/CD pipelines to catch buffer underflows, SQLi, and XSS before shipping.
  • Business Chemistry: Fixing code-level bugs reduces downstream cost and breach risk, and can shorten time‑to‑remediation.

5. A Blueprint

  • Quantify your baseline: Map your own CVEs against CWE tags to figure out your internal percentage.
  • Strengthen your code hygiene: Adopt rigorous vulnerability testing (static/dynamic) early in the SDLC.
  • Measure for impact: Monitor “code-level CVE” trends month over month and set remediation goals.
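One way to carry out the first and third steps above, as an added example that is not from Apiiro or this post: a small Python script that tags CVE records by their CWE, computes the code-level share (the internal baseline), and breaks it down by month. The CWE-to-family mapping and the sample records are assumptions constructed for the example; a real run would load your own CVE export.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed mapping: CWE ids under the post's four root-cause families
# (buffer overflows, injection, insecure deserialization, memory corruption).
# Extend it with whatever your own triage tags as a code-level weakness.
CODE_LEVEL_CWES = {
    "CWE-120", "CWE-119", "CWE-787", "CWE-125",  # buffer overflow / out-of-bounds
    "CWE-89", "CWE-79", "CWE-78",                # SQLi, XSS, OS command injection
    "CWE-502",                                   # deserialization of untrusted data
    "CWE-416", "CWE-415",                        # use-after-free, double free
}

@dataclass
class Cve:
    cve_id: str
    published: str   # YYYY-MM-DD, as in NVD exports
    cwes: tuple      # CWE tags on the record; may be empty or "NVD-CWE-noinfo"

def is_code_level(cve: Cve) -> bool:
    return any(c in CODE_LEVEL_CWES for c in cve.cwes)

def baseline(cves):
    """(total, code_level, percent). Untagged records count in the total but
    never as code-level, so the percentage is a floor, not an exact figure."""
    total = len(cves)
    code = sum(1 for c in cves if is_code_level(c))
    return total, code, (round(100 * code / total, 1) if total else 0.0)

def monthly_trend(cves):
    """Month -> (total, code_level), for watching the ratio month over month."""
    by_month = defaultdict(lambda: [0, 0])
    for c in cves:
        by_month[c.published[:7]][0] += 1
        if is_code_level(c):
            by_month[c.published[:7]][1] += 1
    return {m: tuple(v) for m, v in sorted(by_month.items())}

# Constructed sample records with placeholder ids (not real CVEs).
SAMPLE = [
    Cve("CVE-0000-0001", "2025-01-14", ("CWE-787",)),
    Cve("CVE-0000-0002", "2025-01-20", ("CWE-16",)),          # configuration issue
    Cve("CVE-0000-0003", "2025-02-03", ("CWE-89",)),
    Cve("CVE-0000-0004", "2025-02-11", ()),                    # no CWE assigned yet
    Cve("CVE-0000-0005", "2025-02-28", ("CWE-502", "CWE-20")),
    Cve("CVE-0000-0006", "2025-03-05", ("CWE-1104",)),        # unmaintained component
]

if __name__ == "__main__":
    print("baseline:", baseline(SAMPLE))
    print("by month:", monthly_trend(SAMPLE))
```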

6. Parting Thought

With around 5,000 CVEs likely tied to code-level issues, this isn’t just a number—it’s a roadmap. Secure code practices, early testing, and CWE-based prioritization unlock low-hanging fruit that significantly reduces operational risk and technical debt.