{"id":94767,"date":"2026-03-26T09:00:00","date_gmt":"2026-03-26T16:00:00","guid":{"rendered":"https:\/\/github.blog\/?p=94767"},"modified":"2026-03-25T11:38:17","modified_gmt":"2026-03-25T18:38:17","slug":"a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware","status":"publish","type":"post","link":"https:\/\/github.blog\/security\/supply-chain-security\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\/","title":{"rendered":"A year of open source vulnerability trends: CVEs, advisories, and malware"},"content":{"rendered":"\n

GitHub published 4,101 reviewed advisories<\/a> in 2025. This is the fewest number of reviewed advisories since 2021<\/strong>. Does this mean open source is shipping more secure code? Let’s dig into the data to find out.<\/p>\n\n\n\n

GitHub reviewed advisories<\/h1>\n\n\n\nFewer advisories reviewed doesn’t mean fewer vulnerabilities were reported. The drop is because GitHub reviewed far fewer older vulnerabilities<\/strong>. When you look only at newly reported vulnerabilities from our sources<\/a>, GitHub actually reviewed 19% more advisories<\/strong> year over year.<\/p>\n\n\n\n
$\"Stacked$ <\/figure>\n\n\n\nSo why the change? Quite frankly, we are running out of unreviewed vulnerabilities that are older than the Advisory Database<\/a>. At the same time, the number of newly reported vulnerabilities hasn’t dropped.<\/p>\n\n\n\n
\n
What is the GitHub Advisory Database?<\/h2>\n\n\n\n
The GitHub Advisory Database<\/a> provides a comprehensive list of known security vulnerabilities and malware affecting open source packages. It was created in 2019, and has since become a vital resource for open source developers.<\/p>\n\n\n\n
Read more in last year’s blog post ><\/a><\/p>\n<\/aside>\n\n\n\n
It’s also worth clarifying that “unreviewed<\/a>” in the database can be misleading: most advisories marked unreviewed have already been looked at by a curator and found not to affect any package in a supported ecosystem<\/a>, so they may never be fully reviewed.<\/p>\n\n\n\n
$\"Stacked$ <\/figure>\n\n\n\n
This means that you should be receiving fewer brand-new Dependabot alerts about old vulnerabilities. <\/p>\n\n\n\n
Note<\/strong>: If you find an unreviewed advisory that affects a supported package, please let us know<\/a> so we can get it reviewed!<\/p>\n\n\n\n
How vulnerabilities were distributed across ecosystems in 2025<\/h2>\n\n\n\n
The distribution of ecosystems in advisories reviewed in 2025 is similar to the overall distribution in the database, with the exception of Go. Go is overrepresented in 2025 advisories by 6%. This is largely due to dedicated campaigns to re-examine potentially missing advisories found through an internal review for packages where we had inconsistent coverage.<\/p>\n\n\n\n
$\"Circle$ <\/figure>\n\n\n\n
$\"Circle$ <\/figure>\n\n\n\n
How the types of vulnerabilities changed in 2025<\/h2>\n\n\n\n
Rank<\/strong><\/th> Common Weakness Enumeration (CWE)<\/strong><\/th> **Number of 2025 Advisories*<\/strong><\/th> Change in Rank from 2024<\/strong><\/th> Change in Rank from the Overall Database<\/strong><\/th><\/tr><\/thead>**
1<\/td> CWE-79<\/td> 672<\/td> +0<\/td> +0<\/td><\/tr>
2<\/td> CWE-22<\/td> 214<\/td> +2<\/td> +1<\/td><\/tr>
3<\/td> CWE-863<\/td> 169<\/td> +9<\/td> +8<\/td><\/tr>
4<\/td> CWE-20<\/td> 154<\/td> +1<\/td> +1<\/td><\/tr>
5<\/td> CWE-200<\/td> 145<\/td> -2<\/td> -1<\/td><\/tr>
6<\/td> CWE-400<\/td> 144<\/td> +4<\/td> +0<\/td><\/tr>
7<\/td> CWE-770<\/td> 136<\/td> +7<\/td> +10<\/td><\/tr>
8<\/td> CWE-502<\/td> 134<\/td> +5<\/td> +1<\/td><\/tr>
9<\/td> CWE-94<\/td> 119<\/td> -3<\/td> -1<\/td><\/tr>
10<\/td> CWE-918<\/td> 103<\/td> +5<\/td> +8<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
* An advisory may have more than CWE. For example, an advisory might have both CWE-400 and CWE-770. It would then count for both.<\/em><\/p>\n\n\n\n
As usual, cross-site scripting (CWE-79) is by far the most common vulnerability type. However, there are significant changes in the following areas. Resource exhaustion (CWE-400 and CWE-770), unsafe deserialization (CWE-502), and server-side request forgery (CWE-918) were unusually common in 2025. CWE-863 (“Incorrect Authorization”) saw a significant jump, but that is largely due to reclassification away from CWE-284 (“Improper Access Control”) and CWE-285 (“Improper Authorization”), which are higher level CWEs that the CWE program discourages using.<\/p>\n\n\n\n
One of the biggest quality improvements in 2025 was more specific, more consistent CWE tagging. Advisories without any CWE dropped 85%<\/strong> (from 452 in 2024 to 65 in 2025). CWE-20 (“Improper Input Validation”) is still common, but in prior years it was often the only CWE listed on an advisory. <\/p>\n\n\n\n
In 2025, advisories far more often list CWE-20 plus one or more additional CWEs that describe the concrete failure mode. This added specificity makes the data more actionable for triage, prioritization, and remediation.<\/p>\n\n\n\n
To find out how to filter Dependabot alerts by CWE, see our documentation on auto-triage rules<\/a>.<\/p>\n\n\n\n
How to prioritize your response<\/h2>\n\n\n\n
We provide two scoring systems for prioritization: <\/p>\n\n\n\n
\n
Common Vulnerability Severity Score (CVSS)<\/a>: Scores how severe the impact of the vulnerability will be<\/li>\n\n\n\n
Exploit Prediction Scoring System (EPSS)<\/a>: Provides a measure of how likely the vulnerability will be attacked in the next 30 days and <\/li>\n<\/ul>\n\n\n\n
Together, they can give you a head start on your risk assessment process.<\/p>\n\n\n\n
$\"Priority\tCVSS\tEPSS\nCritical\t392\t11\nHigh\t1237\t96\nModerate\t1994\t221\nLow\t475\t1517\nVery$ <\/figure>\n\n\n\n
As you can see, when considering impact, most vulnerabilities skew moderate to high of the impact range. Low-impact vulnerabilities are likely more common than the CVSS data suggests but are often not considered worth the time and effort for researchers and maintainers to report. The EPSS scores for moderate to high impact vulnerabilities support this decision.<\/p>\n\n\n\n
$\"Priority\tCVSS\tEPSS\nCritical\t8\t4\nHigh\t8\t11\nModerate\t2\t3\nLow\t0\t0\nVery$ <\/figure>\n\n\n\n
So should you trust the EPSS or CVSS scores? To judge that, let’s look at how they match up to vulnerabilities in CISA’s Known Exploited Vulnerabilities Catalog<\/a>. The exploited vulnerabilities are at least scored moderate,<\/strong> and most are critical or high. While CVSS has more of the exploited vulnerabilities as critical, it also has far more vulnerabilities in the range in general. Combining the two can help you prioritize which vulnerabilities to address to prevent exploitation.<\/p>\n\n\n\n
npm malware advisories<\/h1>\n\n\n\n2025 was a huge year for npm malware advisories. Due to large malware campaigns, such as SHA1-Hulud<\/a>, GitHub saw a 69% increase in published malware advisories<\/strong> compared to 2024. This is the most malware advisories GitHub has published since our initial release of historical malware when we added support in 2022<\/a>.<\/p>\n\n\n\n
You can receive Dependabot alerts<\/a> when your repositories depend on npm packages with known malicious versions. When you enable malware alerting, Dependabot matches your npm dependencies against malware advisories in the GitHub Advisory Database.<\/p>\n\n\n\n
$\"Bar$ <\/figure>\n\n\n\n
GitHub CVE Numbering Authority (CNA)<\/h1>\n\n\n\n
CVE publications<\/h2>\n\n\n\n
2025 was a big year for the GitHub, Inc. CNA<\/a>. We saw a 35% increase in published CVE records<\/strong>, outpacing the overall CVE Project’s increase of 21%.<\/p>\n\n\n\n
$\"Bar$ <\/figure>\n\n\n\n
In fact, we saw 10 to 16% growth every quarter. If this trend continues, GitHub will publish over 50% more CVEs in 2026.<\/p>\n\n\n\n
$\"Bar$ <\/figure>\n\n\n\n
You can help make that a reality by requesting a CVE<\/a> from us the next time you publish a repository security advisory about a vulnerability!<\/p>\n\n\n\n
Organizations using GitHub’s CNA<\/h2>\n\n\n\n
Every year, GitHub sees more organizations use its CNA services. 2025 is no exception with a 20% increase in new organizations requesting CVE IDs<\/strong>.<\/p>\n\n\n\n
$\"Bar$ <\/figure>\n\n\n\nUnlike reviewed<\/a> global advisories, which are always mapped to packages in ecosystems we support, any maintainer on GitHub can request a CVE<\/strong>, even if they don’t publish that package to a supported ecosystem. In fact, 2025 is the first year that GitHub has published more CVEs from organizations that do not use a supported ecosystem than those that do.<\/p>\n\n\n\n
$\"Stacked$ <\/figure>\n\n\n\n
We would like to thank all 987 organizations<\/strong> that published CVEs with us in 2025 and highlight the top 10 most prolific organizations.<\/p>\n\n\n\n
Top 10 organizations using the GitHub CNA<\/th><\/tr><\/thead>
Organization<\/strong><\/td> Number of 2025 CVEs<\/strong><\/td><\/tr>
LabReDeS (WeGIA)<\/td> 130<\/td><\/tr>
XWiki<\/td> 40<\/td><\/tr>
Frappe<\/td> 28<\/td><\/tr>
Discourse<\/td> 27<\/td><\/tr>
Enalean<\/td> 27<\/td><\/tr>
FreeScout<\/td> 27<\/td><\/tr>
DataEase<\/td> 26<\/td><\/tr>
Nextcloud<\/td> 25<\/td><\/tr>
GLPI<\/td> 24<\/td><\/tr>
DNN Software<\/td> 23<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Organizations that published CVEs through GitHub for the first time in 2025<\/em><\/p>\n\n\n\n
Onward to 2026<\/h1>\n\n\n\n
The data from 2025 shows incredible growth: <\/p>\n\n\n\n
\n
4,101 reviewed advisories <\/strong><\/li>\n\n\n\n
7,197 malware advisories <\/strong><\/li>\n\n\n\n
2,903 CVEs published<\/strong><\/li>\n\n\n\n
679 new organizations using our CNA services<\/strong>. <\/li>\n<\/ul>\n\n\n\n
These numbers represent real security improvements for millions of developers.<\/p>\n\n\n\n
You can be part of this in 2026. Here’s how: <\/p>\n\n\n\n
1. Use our CNA services<\/h3>\n\n\n\n
Publishing CVEs shouldn’t be complicated. Request a CVE<\/a> directly from your repository security advisory, and we’ll take care of curating and publishing it for you. It’s free, it’s fast, and it helps the entire ecosystem understand and respond to vulnerabilities.<\/p>\n\n\n\n
2. Improve advisory accuracy<\/h3>\n\n\n\n
Found an unreviewed advisory affecting a supported package? See incorrect severity scores or missing affected versions? Suggest edits<\/a>. Your edits will be reviewed by the Advisory Database team and ultimately, will help make the database more accurate for everyone. In 2025, 675 contributions from the community<\/strong> improved the quality of this data for the entire software industry!<\/p>\n\n\n\n
3. Protect your projects<\/h3>\n\n\n\nThe most direct impact you can have is protecting your own code. Enable Dependabot<\/a> to automatically receive security updates and explore GitHub Advanced Security<\/a> for comprehensive protection.<\/p>\n\n\n\n
4. Make reporting a vulnerability easier<\/h3>\n\n\n\n
Let researchers know how to report to you and what you will and will not accept by creating a security policy<\/a> for your repository. Enable private vulnerability reporting<\/a> to make the coordination process smooth and secure.<\/p>\n\n\n\n
Let’s make 2026 even better. See you in next year’s review! 🚀<\/p>\n<\/body><\/html>\n","protected":false},"excerpt":{"rendered":"
Reviewed advisories hit a four-year low, malware advisories surged, and CNA publishing grew\u2014here\u2019s what changed and what it means for your triage and response. <\/p>\n","protected":false},"author":2339,"featured_media":93179,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_gh_post_show_toc":"yes","_gh_post_is_no_robots":"","_gh_post_is_featured":"yes","_gh_post_is_excluded":"","_gh_post_is_unlisted":"","_gh_post_related_link_1":"","_gh_post_related_link_2":"","_gh_post_related_link_3":"","_gh_post_sq_img":"","_gh_post_sq_img_id":"","_gh_post_cta_title":"","_gh_post_cta_text":"","_gh_post_cta_link":"","_gh_post_cta_button":"","_gh_post_recirc_hide":"","_gh_post_recirc_col_1":"","_gh_post_recirc_col_2":"","_gh_post_recirc_col_3":"","_gh_post_recirc_col_4":"","_featured_video":"","_gh_post_additional_query_params":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_wpas_customize_per_network":false,"_links_to":"","_links_to_target":""},"categories":[91,3335],"tags":[3465,3705,3704,145,3703,1915,3828,3529],"coauthors":[3701],"class_list":["post-94767","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-supply-chain-security","tag-cve","tag-cvss","tag-cwe","tag-dependabot","tag-epss","tag-github-security-lab","tag-malware","tag-vulnerability"],"yoast_head":"\nA year of open source vulnerability trends: CVEs, advisories, and malware - The GitHub Blog<\/title>\n<meta name=\"description\" content=\"Reviewed advisories hit a four-year low, malware advisories surged, and CNA publishing grew\u2014here\u2019s what changed.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/github.blog\/security\/supply-chain-security\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A year of open source vulnerability trends: CVEs, advisories, and malware\" \/>\n<meta property=\"og:description\" content=\"Reviewed advisories hit a four-year low, malware advisories surged, and CNA publishing grew\u2014here\u2019s what changed.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/github.blog\/security\/supply-chain-security\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"The GitHub Blog\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-26T16:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/github.blog\/wp-content\/uploads\/2026\/01\/github-generic-security-blocks-logo.png?fit=1920%2C1080\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1080\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Jonathan Evans\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jonathan Evans\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/supply-chain-security\\\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/supply-chain-security\\\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\\\/\"},\"author\":{\"name\":\"Jonathan Evans\",\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/6398b27ea80f0db97a6e23daa8d1d7a1\"},\"headline\":\"A year of open source vulnerability trends: CVEs, advisories, and malware\",\"datePublished\":\"2026-03-26T16:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/supply-chain-security\\\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\\\/\"},\"wordCount\":1269,\"image\":{\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/supply-chain-security\\\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2026\\\/01\\\/github-generic-security-blocks-logo.png?fit=1920%2C1080\",\"keywords\":[\"CVE\",\"CVSS\",\"CWE\",\"Dependabot\",\"EPSS\",\"GitHub Security Lab\",\"malware\",\"vulnerability\"],\"articleSection\":[\"Security\",\"Supply chain security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/supply-chain-security\\\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\\\/\",\"url\":\"https:\\\/\\\/github.blog\\\/security\\\/supply-chain-security\\\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\\\/\",\"name\":\"A year of open source vulnerability trends: CVEs, advisories, and malware - The GitHub Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/github.blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/supply-chain-security\\\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/supply-chain-security\\\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2026\\\/01\\\/github-generic-security-blocks-logo.png?fit=1920%2C1080\",\"datePublished\":\"2026-03-26T16:00:00+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/6398b27ea80f0db97a6e23daa8d1d7a1\"},\"description\":\"Reviewed advisories hit a four-year low, malware advisories surged, and CNA publishing grew\u2014here\u2019s what changed.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/supply-chain-security\\\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/github.blog\\\/security\\\/supply-chain-security\\\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/supply-chain-security\\\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\\\/#primaryimage\",\"url\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2026\\\/01\\\/github-generic-security-blocks-logo.png?fit=1920%2C1080\",\"contentUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2026\\\/01\\\/github-generic-security-blocks-logo.png?fit=1920%2C1080\",\"width\":1920,\"height\":1080,\"caption\":\"A shield with a checkmark icon appears centered among decorative green blocks.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/supply-chain-security\\\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/github.blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"https:\\\/\\\/github.blog\\\/security\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Supply chain security\",\"item\":\"https:\\\/\\\/github.blog\\\/security\\\/supply-chain-security\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"A year of open source vulnerability trends: CVEs, advisories, and malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/github.blog\\\/#website\",\"url\":\"https:\\\/\\\/github.blog\\\/\",\"name\":\"The GitHub Blog\",\"description\":\"Updates, ideas, and inspiration from GitHub to help developers build and design software.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/github.blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/6398b27ea80f0db97a6e23daa8d1d7a1\",\"name\":\"Jonathan Evans\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/699e0820155a4e87bea4bfdc033438361e2bbb042a4fb8f3319ccd534dc4c7f2?s=96&d=mm&r=g885db78773df7bb3fba1167d8e54b35d\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/699e0820155a4e87bea4bfdc033438361e2bbb042a4fb8f3319ccd534dc4c7f2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/699e0820155a4e87bea4bfdc033438361e2bbb042a4fb8f3319ccd534dc4c7f2?s=96&d=mm&r=g\",\"caption\":\"Jonathan Evans\"},\"description\":\"Security Analyst, curator of the GitHub Advisory Database, and one of the members of the Security Lab responsible for issuing CVE IDs and publishing CVE records.\",\"url\":\"https:\\\/\\\/github.blog\\\/author\\\/jonathanlevans\\\/\"}]}<\/script>\n","yoast_head_json":{"title":"A year of open source vulnerability trends: CVEs, advisories, and malware - The GitHub Blog","description":"Reviewed advisories hit a four-year low, malware advisories surged, and CNA publishing grew\u2014here\u2019s what changed.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/github.blog\/security\/supply-chain-security\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\/","og_locale":"en_US","og_type":"article","og_title":"A year of open source vulnerability trends: CVEs, advisories, and malware","og_description":"Reviewed advisories hit a four-year low, malware advisories surged, and CNA publishing grew\u2014here\u2019s what changed.","og_url":"https:\/\/github.blog\/security\/supply-chain-security\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\/","og_site_name":"The GitHub Blog","article_published_time":"2026-03-26T16:00:00+00:00","og_image":[{"width":1920,"height":1080,"url":"https:\/\/github.blog\/wp-content\/uploads\/2026\/01\/github-generic-security-blocks-logo.png?fit=1920%2C1080","type":"image\/png"}],"author":"Jonathan Evans","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jonathan Evans","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/github.blog\/security\/supply-chain-security\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\/#article","isPartOf":{"@id":"https:\/\/github.blog\/security\/supply-chain-security\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\/"},"author":{"name":"Jonathan Evans","@id":"https:\/\/github.blog\/#\/schema\/person\/6398b27ea80f0db97a6e23daa8d1d7a1"},"headline":"A year of open source vulnerability trends: CVEs, advisories, and malware","datePublished":"2026-03-26T16:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/github.blog\/security\/supply-chain-security\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\/"},"wordCount":1269,"image":{"@id":"https:\/\/github.blog\/security\/supply-chain-security\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/github.blog\/wp-content\/uploads\/2026\/01\/github-generic-security-blocks-logo.png?fit=1920%2C1080","keywords":["CVE","CVSS","CWE","Dependabot","EPSS","GitHub Security Lab","malware","vulnerability"],"articleSection":["Security","Supply chain security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/github.blog\/security\/supply-chain-security\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\/","url":"https:\/\/github.blog\/security\/supply-chain-security\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\/","name":"A year of open source vulnerability trends: CVEs, advisories, and malware - The GitHub Blog","isPartOf":{"@id":"https:\/\/github.blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/github.blog\/security\/supply-chain-security\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\/#primaryimage"},"image":{"@id":"https:\/\/github.blog\/security\/supply-chain-security\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/github.blog\/wp-content\/uploads\/2026\/01\/github-generic-security-blocks-logo.png?fit=1920%2C1080","datePublished":"2026-03-26T16:00:00+00:00","author":{"@id":"https:\/\/github.blog\/#\/schema\/person\/6398b27ea80f0db97a6e23daa8d1d7a1"},"description":"Reviewed advisories hit a four-year low, malware advisories surged, and CNA publishing grew\u2014here\u2019s what changed.","breadcrumb":{"@id":"https:\/\/github.blog\/security\/supply-chain-security\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/github.blog\/security\/supply-chain-security\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/github.blog\/security\/supply-chain-security\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\/#primaryimage","url":"https:\/\/github.blog\/wp-content\/uploads\/2026\/01\/github-generic-security-blocks-logo.png?fit=1920%2C1080","contentUrl":"https:\/\/github.blog\/wp-content\/uploads\/2026\/01\/github-generic-security-blocks-logo.png?fit=1920%2C1080","width":1920,"height":1080,"caption":"A shield with a checkmark icon appears centered among decorative green blocks."},{"@type":"BreadcrumbList","@id":"https:\/\/github.blog\/security\/supply-chain-security\/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/github.blog\/"},{"@type":"ListItem","position":2,"name":"Security","item":"https:\/\/github.blog\/security\/"},{"@type":"ListItem","position":3,"name":"Supply chain security","item":"https:\/\/github.blog\/security\/supply-chain-security\/"},{"@type":"ListItem","position":4,"name":"A year of open source vulnerability trends: CVEs, advisories, and malware"}]},{"@type":"WebSite","@id":"https:\/\/github.blog\/#website","url":"https:\/\/github.blog\/","name":"The GitHub Blog","description":"Updates, ideas, and inspiration from GitHub to help developers build and design software.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/github.blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/github.blog\/#\/schema\/person\/6398b27ea80f0db97a6e23daa8d1d7a1","name":"Jonathan Evans","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/699e0820155a4e87bea4bfdc033438361e2bbb042a4fb8f3319ccd534dc4c7f2?s=96&d=mm&r=g885db78773df7bb3fba1167d8e54b35d","url":"https:\/\/secure.gravatar.com\/avatar\/699e0820155a4e87bea4bfdc033438361e2bbb042a4fb8f3319ccd534dc4c7f2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/699e0820155a4e87bea4bfdc033438361e2bbb042a4fb8f3319ccd534dc4c7f2?s=96&d=mm&r=g","caption":"Jonathan Evans"},"description":"Security Analyst, curator of the GitHub Advisory Database, and one of the members of the Security Lab responsible for issuing CVE IDs and publishing CVE records.","url":"https:\/\/github.blog\/author\/jonathanlevans\/"}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/github.blog\/wp-content\/uploads\/2026\/01\/github-generic-security-blocks-logo.png?fit=1920%2C1080","jetpack_shortlink":"https:\/\/wp.me\/pamS32-oEv","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/94767","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/users\/2339"}],"replies":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/comments?post=94767"}],"version-history":[{"count":7,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/94767\/revisions"}],"predecessor-version":[{"id":94807,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/94767\/revisions\/94807"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/media\/93179"}],"wp:attachment":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/media?parent=94767"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/categories?post=94767"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/tags?post=94767"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/coauthors?post=94767"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}