Connect with us

Hi, what are you looking for?



Vulnerability Handling in 2023: 28,000 New CVEs, 84 New CNAs

A total of more than 28,000 CVE IDs were assigned in 2023 and 84 new CVE Numbering Authorities (CNAs) were named. 

The number of organizations named a CVE Numbering Authority (CNA) and the number of Common Vulnerabilities and Exposures (CVE) identifiers assigned in 2023 has increased compared to the previous year. 

According to Jerry Gamblin, principal engineer at Cisco Threat Detection & Response, 28,902 CVEs were published in 2023, up from 25,081 in 2022. This is an average of nearly 80 new CVEs per day. The number of published CVEs has been steadily increasing since 2017. 

In terms of severity, the average CVSS score of the 2023 CVEs was 7.12, with 36 vulnerabilities being assigned a score of 10.

According to data from the CVE Program, which is maintained by MITRE and sponsored by the US government, the number of new CNAs announced in 2023 increased to 84, from 56 in 2022. Currently, there are nearly 350 CNAs from 38 countries.

CNAs are vendors, cybersecurity companies and other organizations that are allowed to assign CVE identifiers to vulnerabilities found in their own products and/or the products of others. 

The list of new CNAs includes independent hacking groups such as Austin Hackers Anonymous; software organizations such as ServiceNow and Open Design Alliance; hardware makers such as Schweitzer Engineering Laboratories, AMI, Moxa, Phoenix Technologies and Arm; government agencies such as National Cyber Security Centre Finland (NCSC-FI); cybersecurity firms such as Mandiant, Checkmarx, Otorio, VulnCheck, CrowdStrike, SEC Consult, Illumio and HiddenLayer; and printing giants Lexmark, Canon (EMEA) and Xerox.

Gamblin noted that 250 CNAs published at least one CVE in 2023. The top CNAs were Microsoft, VulDB, GitHub, and WordPress security companies WPScan and PatchStack. VulDB, GitHub, WPScan and PatchStack assigned a total of more than 6,700 CVEs last year. 

The most commonly assigned type of Common Weakness Enumeration (CWE) identifier was CWE-79, improper neutralization of input during web page generation, also known as cross-site scripting (XSS). Over 4,100 CVEs were assigned to XSS vulnerabilities last year. 

XSS was followed at a distance by SQL injection vulnerabilities, with roughly 2,000 security holes in this category. 

Advertisement. Scroll to continue reading.

Related: Google Announces New Rating System for Android and Device Vulnerability Reports

Related: In Other News: Ukraine Hacks Russia, CVE for Water ICS Attacks, New Intel Xeon CPUs 

Related: Google Patches Six Vulnerabilities With First Chrome Update of 2024

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.