
CVE Announce - May 2026 (opt-in newsletter from the CVE website)


 

Featured

CVE Numbering Authorities (CNAs)

Community

 

 

Featured

 

“Supplier ADP Pilot” — CVE Program Exploring Benefits of Supporting VEX-like, Product Status Information in Upstream CVE Records

 

Software is made of other software. When an upstream component has a vulnerability, downstream products that include or depend on it may not be similarly affected. Variations in implementation, configuration, environment, and operational context can mean different downstream impacts.

 

To explore how CVE Records might be made more valuable to the downstream consumer by addressing this issue, the CVE™ Program is conducting a “Supplier CVE Numbering Authority (CNA) as Authorized Data Publisher Pilot (SADP Pilot),” which was announced on March 24, 2026, and officially launched on April 1, 2026.

 

Problem Statement

 

As downstream products inherit vulnerabilities differently depending on dependency usage, configuration, operational context, and implementation, the impact of an upstream vulnerability is often unclear. Security teams spend significant time triaging CVE information to determine its impact on their products or environments. This uncertainty leads to repetitive analysis, vendor inquiries, and inefficient coordination across the ecosystem.

 

What Is the SADP Pilot?

 

The SADP Pilot explores giving product suppliers the ability to publish authoritative product status information directly within CVE Records of upstream vulnerabilities, helping reduce unnecessary investigation and enabling more efficient vulnerability management workflows. The pilot allows a set of participating Supplier CVE Numbering Authorities (CNAs) access to a test environment of CVE production data, where they can append structured “SADP containers” to existing CVE Records. In these containers, the SADP can provide inherited vulnerability status information (e.g., Vulnerability-Exploitability eXchange (VEX), or at least meeting material requirements of VEX) for their product(s) within a CVE Record for an upstream component or library.

 

What Are the Goals of the SADP Pilot?

 

The SADP Pilot is intended to collect data on a variety of topics, ultimately towards finding ways to:

 

  • Efficiently convey downstream impact to consumers: A vulnerability in upstream software may not exist in downstream software, and downstream use may or may not be exploitable
  • Improve vulnerability scanning outcomes: Determine whether vulnerability scanners can consume SADP (VEX-like) information to help reduce false positives and improve CVE Record signal-to-noise
  • Reduce cost and confusion for suppliers and users

 

The CVE Program is actively engaging the vulnerability management vendor community as part of the pilot effort for input and “buy-in” for supporting this information in their products.

 

Will the CVE Program Support Additional ADPs for Different Purposes?

 

This pilot is limited in scope to Supplier ADPs. If you are a Supplier CNA and wish to participate in the SADP pilot, we may be able to add you during the pilot period. The Program plans to consider and test other types of ADPs, for example, “enrichment” ADPs such as CISA Vulnrichment and the CVE Program references ADP. There is currently no general purpose or Program-wide policy or criteria about ADPs.

 

Who Is Participating in the SADP Pilot?

 

Initial participants include (in alphabetical order):

 

 

Intended SADP Pilot Timeline

 

  • April 2026–July 2026: SADP Pilot Duration
    • Initial CVE Supplier ADP (SADP) Pilot announcement to community via CVE blog and CVE social media
    • VulnCon 2026 Panel Discussion:
      • “The CVE Supplier ADP (SADP) Pilot: Am I Affected by Upstream?” – discussion topics are expected to include pilot goals, questions about pilot design (how it started), and what participants have learned (how it’s going)
      • Over the course of this timeframe, pilot participants will begin publishing SADP information in CVE Records
      • The program will capture performance metrics and community feedback from downstream users and the vulnerability management vendor community
  • August 2026: Formal Review
    • SADP Pilot Feedback Forum (virtual summit from producer/consumer perspective)
    • The formal review is intended to support a program decision whether and how to continue SADP

 

The SADP Pilot Environment

 

The SADP Pilot will be executed by allowing selected contributors (i.e., Suppliers) to enrich published CVE Records by adding key information about how their products are affected by the published vulnerability.

 

Suppliers will include the SADP information using two mechanisms to enrich these CVE Records:

 

  • SADP content inside the CVE Record via an ADP container
  • SADP container that refers to SADP-hosted content elsewhere (ideally machine readable), potentially using formats such as CSAF VEX, OpenVEX, or CVE Record Data Format

 

The SADP container is meant to provide downstream supplier information about their products with respect to a vulnerability in an upstream product, including:

 

  • Upstream CVE ID(s)
  • Downstream and upstream products
  • The relationship between downstream and upstream products
  • Downstream status regarding the upstream vulnerability
  • Identification of the owner/authoritative source of the SADP content

 

Identifying SADP Content in CVE Records

 

The SADP Container within a CVE Record can be identified via two mechanisms (i.e., JSON fields):

 

  • A new field containers.adp[].providerMetadata.x_adpType with value 'supplier', and/or
  • The shortname of the provider ending in ‘-SADP’ (e.g., providerMetadata.shortName = ‘xxxxx-SADP’ where xxxxx is a supplier short name such as “cisco”, “HeroDevs”, “microsoft”, “redhat”, or “siemens”)
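The two identifiers above can be checked mechanically. The following is an added example, not code from the CVE Program: the function name, the sample record and its short names are constructed for illustration, and the exact, case-sensitive comparison is an assumption.

```python
"""Find SADP containers in a CVE Record using the two identifiers named above."""
import json


def find_sadp_containers(record):
    """Return one dict per ADP container that matches either SADP identifier.

    "matched_by" lists which signal was present:
      "x_adpType" -> providerMetadata.x_adpType == "supplier"
      "shortName" -> providerMetadata.shortName ends in "-SADP"
    Comparisons are exact and case-sensitive (an assumption of this example).
    """
    containers = record.get("containers")
    adps = containers.get("adp") if isinstance(containers, dict) else None
    if not isinstance(adps, list):
        return []  # record has no ADP containers at all

    hits = []
    for index, adp in enumerate(adps):
        meta = adp.get("providerMetadata") if isinstance(adp, dict) else None
        if not isinstance(meta, dict):
            continue  # malformed container: nothing to identify it by
        short_name = meta.get("shortName")
        matched_by = []
        if meta.get("x_adpType") == "supplier":
            matched_by.append("x_adpType")
        if isinstance(short_name, str) and short_name.endswith("-SADP"):
            matched_by.append("shortName")
        if matched_by:
            hits.append(
                {"index": index, "shortName": short_name, "matched_by": matched_by}
            )
    return hits


# Constructed sample record: placeholder CVE ID and made-up provider names.
SAMPLE_RECORD = json.loads("""
{
  "cveMetadata": {"cveId": "CVE-0000-00000"},
  "containers": {
    "cna": {"providerMetadata": {"shortName": "upstream-example"}},
    "adp": [
      {"providerMetadata": {"shortName": "enrichment-example"}},
      {"providerMetadata": {"shortName": "vendor-a-SADP", "x_adpType": "supplier"}},
      {"providerMetadata": {"shortName": "vendor-b-SADP"}},
      {"providerMetadata": {"shortName": "vendor-c", "x_adpType": "supplier"}},
      {"title": "container with no providerMetadata"}
    ]
  }
}
""")

if __name__ == "__main__":
    for hit in find_sadp_containers(SAMPLE_RECORD):
        print(hit["index"], hit["shortName"], ",".join(hit["matched_by"]))
```

Because the article says "and/or", a container matching only one signal is still reported; the `matched_by` list lets a consumer decide how to treat those.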

 

Where to View SADP-Enriched CVE Records

 

As of May 5, 2026, SADP Pilot participants (Cisco, HeroDevs, Microsoft, Oracle, Red Hat, and Siemens) can add SADP (i.e., VEX-like) content to CVE Records as data points on how reported vulnerabilities affect their products.

 

  • Official CVE List — The SADP Pilot is integrated into published CVE Records on the official CVE List. All SADP-enriched records are viewable as part of the CVE List in the CVEList GitHub Repository and through the search capability located on the CVE website (search on the term “SADP” and click the SADP tag to see enriched content for that record).

 

  • SADP GitHub Repository — A dedicated GitHub repository has been created for this pilot to make it easy to review all SADP-enriched records in one place. Records containing SADP content are copied to this repository, which is structured in the same manner as the CVE List but contains only CVE Records with SADP content. The SADP GitHub Pilot repository is synchronized with the official CVE List repository every 15 minutes, and always reflects the latest published CVE Records containing SADP content.

 

Feedback Requested

 

The SADP Pilot is scheduled to run from April 2026 through July 2026. SADP suppliers will continue to add content throughout this timeframe. We encourage you to check the CVE website and the SADP Pilot GitHub repository regularly as new CVE Records with Supplier-enriched content are expected to appear on an ongoing basis.

 

Your feedback is essential to determining how SADP and supplier-provided content should be supported in the CVE Program after the pilot concludes. Please provide feedback by commenting on the CVE Blog on Medium, or use the CVE Request Web Form (choose “General Support”).

 

When providing feedback, it is especially helpful if you describe:

 

  • How you discovered and used SADP content (e.g., via CVE.ORG, GitHub, or a vulnerability management tool)
  • Whether SADP content helped reduce false positives, triage time, or vendor interaction
  • Any gaps, ambiguities, or additional fields you would like to see
  • Suggestions for how this data should be surfaced or standardized going forward

 

Share this CVE article:

Note: This article combines content from two blog articles about the SADP Pilot, the initial blog published on March 24, 2026, and a status update blog published on May 5, 2026:

 

We Speak CVE Podcast — “CVE Record Disputes Explained”


The “We Speak CVE” podcast focuses on cybersecurity, vulnerability management, and the CVE Program.

 

In this episode, MITRE’s CVE™ and CWE™ Project Lead Alec Summers chats with Yves Younan of Cisco, Alex Kreilein of Qualys, Pedro Sampaio of Red Hat, and Anthony Singleton of the MITRE Top-Level Root, about the CVE Record dispute process.

 

Topics include how the dispute policy came to exist and the two types of CVE Record disputes; a walk-through of the process for disputing a CVE Record, including what steps to take and what to expect; why some disputes persist indefinitely; whether all CVE Record disputes need to be resolved; why some disputes remaining visible to the downstream consumer is healthy; an overview of how the CVE Record Dispute Policy was created and how it continues to be updated over time; how the CVE Program continuously seeks community input on the dispute process; and more.

 

Resources mentioned in the podcast include:

 

 

We Speak CVE Podcast, Episode 30, “CVE Record Disputes Explained”.

 

The “We Speak CVE” podcast is available for free on the CVE Program Channel on YouTube, on the We Speak CVE page on Buzzsprout, and on major podcast directories such as Spotify, Stitcher, Apple Podcasts, iHeartRadio, Podcast Addict, Podchaser, Pocket Casts, Deezer, Listen Notes, Player FM, and Podcast Index, among others.

 

Please give the podcast a listen and let us know what you think!

 

Share or comment on this CVE article on Medium:

https://medium.com/@cve_program/we-speak-cve-podcast-cve-record-disputes-explained-c68bd3817ac3

 

CVE Program Milestone: 500+ Organizations Now Participating as CVE Numbering Authorities (CNAs)


As of March 31, 2026, the CVE Program achieved a major milestone of 502 organizations from around the world participating as CVE Numbering Authorities (CNAs) in the CVE Program: 499 CNAs and 3 CNAs of Last Resort (CNA-LR). Visit CNA Program Growth on the CVE website to see the most current stats.

 

CNAs are vendor, researcher, open source, CERT, hosted service, bug bounty provider, and consortium organizations authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage.

 

Contact information and other partner details for CNAs are available on the List of Partners page.

 

Number of CNAs Continues to Grow

 

In 2016, the CVE Program (with only 23 CNAs) adopted a strategy to federate the publication of CVE Records by partnering with additional CNAs. Since then, 479 additional organizations (as of March 31, 2026) have partnered with the CVE Program as CNAs and, as a result, the CVE List surpassed the 300,000+ CVE Records milestone in 2025.

 

Participation is also global, with CNAs from 43 countries and 1 no country affiliation participating, as shown in the world map below.

 

[World map] Partners by country. View the exact numbers by country on the CNA Program Growth page.

 

Automation and Resources for CNAs Continuing to Expand

 

As the number of participating CNAs has grown, so have automation and other resources.

 

The CVE Services are web forms and open source automation tools that enable CNAs to reserve a number of sequential or non-sequential CVE IDs in real time, as needed, and to publish CVE Records to the CVE List. Learn more here.

 

Other resources for CNAs include the CVE Numbering Authority (CNA) Rules, Version 4.1 guidance document; CVE Program policy documents such as the End-of-Life (EOL) Assignment Process and CVE Record Dispute Policy; CVE Services and CVE Record Format process and demo videos for prospective and existing CNAs; and various podcast episodes and blog articles on topics relevant to CNAs.

 

The greater CNA community is also a resource with discussions via email lists and a Slack channel, and the annual VulnCon conference and annual Fall CVE Program Technical Workshop for CNAs that enables CNAs to regularly collaborate on specific topics in a focused manner.

 

Should Your Organization Become a CNA?

 

Numerous organizations from around the world are already participating as CNAs, while more and more organizations are deciding to become a CNA and join the CVE community to help build the CVE List.

 

Participation is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA’s scope by researchers who request a CVE ID.

 

If your organization would like to partner with the CVE Program as a CNA, please visit How to Become a CNA.

 

Share or comment on this CVE article on Medium:

https://medium.com/@cve_program/500-organizations-now-participating-as-cve-numbering-authorities-cnas-5422e46f209d

 

Historical CVE Record Date and Timestamp Normalization Complete

 

The CVE Program successfully normalized the formatting of date/time fields across approximately 200,000 historical CVE Records on February 16-26, 2026. As initially announced on January 6, 2026, and in a follow-on announcement on February 10, 2026, this maintenance updated older CVE Records so their date/time values use the same standardized ISO 8601 UTC format already in place for records published or updated since February 2025:

 

  • yyyy-MM-ddTHH:mm:ss.sssZ (ISO-8601, UTC)

 

For example: 2025-07-11T19:32:03.983Z

 

For additional information, view the CVE List Repository README.

 

Moving Forward

 

We appreciate the community’s support during this effort as the CVE Program continues to improve the consistency and quality of CVE Records for all users. Additional future announcements about improving CVE Record quality will be posted on the CVE website, CVE Blog, and CVE social media moving forward.

 

Questions or Feedback

 

If you have questions or concerns about this maintenance or its potential impact on your systems, please leave a comment on the CVE Blog on Medium or use the CVE Request Web Form (choose “General Support”).

 

Share this CVE article:

https://medium.com/@cve_program/historical-cve-record-date-and-timestamp-normalization-complete-9795b7b85c34

 

CVE Program Report for Quarter 1 Calendar Year (Q1 CY) 2026

 

The CVE Program’s quarterly summary of program milestones and metrics for Q1 CY 2026.

 

Q1 CY 2026 Milestones

 

Nineteen CVE Numbering Authorities (CNAs) Added

The nineteen (19) new CNAs added this quarter are listed below under their Top-Level Root (TL-Root) or Root. Scope of coverage is described next to their organization name.

 

Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) Root:

 

  • CODRA – CODRA’s products and related services. (France)
  • Cribl, Inc. – Vulnerabilities identified in Cribl products, and vulnerabilities discovered by, or reported to, Cribl that are not in another CNA’s scope. (USA)
  • Hackrate Kft. – Vulnerabilities that are discovered, validated, and coordinated through the Hackrate Ethical Hacking Platform, including: software, web applications, APIs, and cloud services; vulnerabilities validated and triaged by our internal security team; and findings disclosed under our coordination that are not in another CNA’s scope. (Hungary)
  • JupiterOne, Inc. – All JupiterOne open source and commercial products. (USA)
  • NIBE Group – Products, services, and solutions developed or sold by NIBE Industrier AB or any of its subsidiaries; open-source projects owned by NIBE Industrier AB or any of its subsidiaries; vulnerabilities in third-party products used by NIBE Industrier AB or any of its subsidiaries which are outside the scope of another CNA; and subsidiaries of NIBE Industrier AB are listed on https://www.nibe.com. (Sweden)
  • Vantive – Vantive’s commercially available products only. (USA)

 

JPCERT/CC:

 

  • Fujifilm Business Innovation Corp. – Fuji Xerox and FUJIFILM Business Innovation products such as multifunction devices, printers, production printers, software, and cloud services. (Japan)
  • Nintendo Co., Ltd. – System vulnerabilities regarding the Nintendo Switch 2, Nintendo Switch, Nintendo Switch Lite, and vulnerabilities regarding Nintendo Switch 2 and Nintendo Switch applications for which Nintendo is the publisher worldwide. (Japan)

 

MITRE TL-Root:

 

  • Acer Inc. – Acer issues only. (Taiwan)
  • Bombadil Systems LLC – Vulnerabilities in third-party software discovered by Bombadil Systems that are not in another CNA’s scope. (USA)
  • ByteDance, Ltd. – ByteDance issues only. (China)
  • Canva – All Canva products, including open-source software published and maintained by Canva, as well as vulnerabilities in third-party software discovered by Canva that are not in another CNA’s scope. (Australia)
  • Cygence Pty Ltd – Issues in third-party products identified by, or reported to, Cygence, unless covered by the scope of another CNA. (Australia)
  • DTEX Systems, Inc. – All DTEX products, including DTEX Forwarder for Mac, DTEX Forwarder for Linux, DTEX Forwarder for Windows, and DTEX platform including DTEX Analytics Server. (USA)
  • Project Black – Vulnerabilities discovered by Project Black that are not within another CNA’s scope. (Australia)
  • TCL Electronics Holdings Limited – TCL smart TV, smart pad, and mobile phone devices only. Projects listed on https://github.com/TclSecLab/CNA/blob/main/README_EN.md. (China)
  • Vestel Electronics Industry & Trade Co. – Vestel-owned brands and products only. (Türkiye)

 

Red Hat Root:

 

  • The HDF Group – All HDF software including HDF5, HDF4, HSDS, HDFView. (USA)
  • Turan Security – Vulnerabilities discovered through independent research conducted by TuranSec to products and projects that are not CNAs themselves. (Uzbekistan)

 

500+ Organizations Now Participating as CNAs!

As of March 31, 2026, the CVE Program achieved a major milestone of 502 organizations from around the world participating as CNAs in the CVE Program: 499 CNAs and 3 CNAs of Last Resort (CNA-LR). In 2016, the CVE Program (with only 23 CNAs) adopted a strategy to federate the publication of CVE Records by partnering with additional CNAs. Since then, 479 additional organizations (as of the date of this milestone) have partnered with the CVE Program as CNAs and, as a result, the CVE List surpassed the 300,000+ CVE Records milestone in 2025. CNAs are vendor, researcher, open source, CERT, hosted service, bug bounty provider, and consortium organizations authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage. Contact information and other partner details for CNAs are available on the List of Partners page.

 

Ongoing Recognition for CNAs Actively Providing Vulnerability Data Enrichment for CVE Records

The CVE Program publicly recognizes those CNAs that are actively providing enhanced vulnerability data in their CVE Records. The “CNA Enrichment Recognition List,” published monthly, recognizes CNAs that provide Common Vulnerability Scoring System (CVSS) and Common Weakness Enumeration (CWE™) information based upon a monthly data pull of the previous six months.

The recognition list was published on January 5 with 263 CNAs recognized, February 2 with 256 CNAs recognized, and March 2 with 256 CNAs recognized.

CNA Enrichment Recognition List criteria and reporting are intended to recognize those CNAs taking on the work to increase the value of CVE Records for downstream consumers, and encourage others to do the same. Enrichment Recognition List criteria may change over time. The most recent modifications occurred in June 2025 when data pulls were moved from every two weeks and based upon data from the last 12 months to the current reporting of once-per-month data pulls based upon data from the previous six months. Future changes to the ERL qualification criteria and reporting may occur over time as the CVE Program continually aims to recognize those CNAs taking on the work to increase the value of CVE Records for downstream consumers, and encourage others to do the same.

 

CVE Podcast — “CVE Record Disputes Explained”

In this episode of the “We Speak CVE” podcast, MITRE’s CVE™ and CWE™ Project Lead Alec Summers chats with Yves Younan of Cisco, Alex Kreilein of Qualys, Pedro Sampaio of Red Hat, and Anthony Singleton of the MITRE Top-Level Root, about the CVE Record dispute process. Topics include how the dispute policy came to exist and the two types of CVE Record disputes; a walk-through of the process for disputing a CVE Record, including what steps to take and what to expect; why some disputes persist indefinitely; whether all CVE Record disputes need to be resolved; why some disputes remaining visible to the downstream consumer is healthy; an overview of how the CVE Record Dispute Policy was created and how it continues to be updated over time; how the CVE Program continuously seeks community input on the dispute process; and more. Read the companion blog article here.

 

Supplier CNA as Authorized Data Publisher Pilot (SADP Pilot)

In March, the CVE Program announced that it would be conducting a “Supplier CVE Numbering Authority (CNA) as Authorized Data Publisher Pilot (SADP Pilot)” from April 2026 through July 2026 to explore how CVE Records might be made more valuable to the downstream consumer by giving product suppliers the ability to publish authoritative product status information directly within CVE Records of upstream vulnerabilities, helping reduce unnecessary investigation and enabling more efficient vulnerability management workflows. Visit the SADP Pilot Repository on GitHub, or read the initial announcement, “Supplier ADP Pilot — CVE Program to Explore Benefits of Supporting VEX-like, Product Status Information in Upstream CVE Records.”

 

CVE Program Normalizes Formatting of Date/Time Fields Across Historical CVE Records

The CVE Program normalized the formatting of date/time fields across historical CVE Records from February 16-26, 2026. As initially announced on January 6, 2026, the purpose of this maintenance was to update older CVE Records so their date/time values use the same standardized ISO 8601 UTC format already in place for records published or updated since February 2025:

 

  • yyyy-MM-ddTHH:mm:ss.sssZ (ISO-8601, UTC)

 

For example: 2025-07-11T19:32:03.983Z.

In total, this process updated approximately 200,000 historical CVE Records and only affected the formatting of specific date/time string fields (for example, datePublished, dateUpdated, dateReserved, dateRejected, datePublic, dateAssigned, and time values under timeline). The semantic meaning of the dates/times remains the same, and no other parts of the CVE Records were changed. Learn more here.
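Consumers that mirror CVE Records can confirm that their stored copies carry the normalized format. The following is an added example, not CVE Program code: it walks a record and reports any of the date/time fields named above whose value is not in `yyyy-MM-ddTHH:mm:ss.sssZ` form. The function names and the sample record, including its placeholder CVE ID, are constructed.

```python
"""Report date/time fields in a CVE Record that are not in the normalized format."""
import re
from datetime import datetime

# Field names taken from the article; "time" is checked only under "timeline".
DATE_KEYS = {
    "datePublished", "dateUpdated", "dateReserved",
    "dateRejected", "datePublic", "dateAssigned",
}
# Shape check: exactly three fractional digits and a literal trailing Z.
NORMALIZED_SHAPE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z")


def is_normalized(value):
    """True only for a real calendar date/time written as yyyy-MM-ddTHH:mm:ss.sssZ."""
    if not isinstance(value, str) or not NORMALIZED_SHAPE.fullmatch(value):
        return False
    try:
        # Rejects values that have the right shape but are impossible (month 13).
        datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    except ValueError:
        return False
    return True


def non_normalized_fields(node, path="", in_timeline=False):
    """Return [(json_path, value)] for every checked field that fails is_normalized."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            checked = key in DATE_KEYS or (in_timeline and key == "time")
            if checked and isinstance(value, str):
                if not is_normalized(value):
                    findings.append((child, value))
            else:
                findings.extend(
                    non_normalized_fields(value, child, in_timeline or key == "timeline")
                )
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(non_normalized_fields(item, f"{path}[{i}]", in_timeline))
    return findings


# Constructed sample record mixing normalized and pre-normalization values.
SAMPLE_RECORD = {
    "cveMetadata": {
        "cveId": "CVE-0000-00000",
        "datePublished": "2025-07-11T19:32:03.983Z",   # normalized
        "dateReserved": "2019-03-04T00:00:00",         # no milliseconds, no Z
    },
    "containers": {
        "cna": {
            "providerMetadata": {"dateUpdated": "2025-07-11T19:32:03.983Z"},
            "datePublic": "2019-04-01T12:00:00+00:00",  # numeric offset, not Z
            "timeline": [
                {"time": "2019-04-02T08:15:00.000Z", "lang": "en", "value": "reported"},
                {"time": "2019-13-40T00:00:00.000Z", "lang": "en", "value": "fixed"},
            ],
        }
    },
}

if __name__ == "__main__":
    for json_path, value in non_normalized_fields(SAMPLE_RECORD):
        print(f"{json_path}: {value!r}")
```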

 

Community Informed About Agenda and Registration Details for CVE/FIRST VulnCon 2026

In March, the community was informed that the full agenda was now available for CVE/FIRST VulnCon 2026, which was scheduled to be held April 13-16, 2026, at the DoubleTree Resort by Hilton Hotel Paradise Valley – Scottsdale, in Scottsdale, Arizona, USA. Co-hosted by the CVE Program and FIRST, the purpose of VulnCon is to “collaborate with various vulnerability management and cybersecurity professionals to develop forward leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management ecosystem.” In January, the community was informed that registration for both in-person and virtual attendance was now open.

 

39,080 CVE Records Used as Basis for the “2025 CWE Top 25 Most Dangerous Software Weaknesses List”

The 2025 CWE Top 25 Most Dangerous Software Weaknesses list was released by the Common Weakness Enumeration (CWE™) Program on December 11, 2025. The newly released list highlights the most severe and prevalent weaknesses behind the 31,770 CVE Records mapped in the 2024 dataset. The 2025 CWE Top 25 is the second year in a row where the CNA community directly contributed CWE mapping reviews within the dataset, leveraging their expert knowledge of the products and access to information that might not be present in the CVE Record. In general, CNAs are best positioned to provide accurate CWE mapping determinations compared to third-party analysts, as CNAs are the authority for vulnerability information within their CNA scope and those closest to the products themselves. Visit the CWE Top 25 page on the CWE website to view the full 2025 CWE Top 25 List, key insights, methodology, etc.

 

Q1 CY 2026 Metrics

 

Metrics for Q1 CY 2026 Published CVE Records and Reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons.

 

Terminology

 

  • Published: When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published. The associated data must contain an identification number (CVE ID), a prose description, and at least one public reference.
  • Reserved: The initial state for a CVE Record; when the associated CVE ID is Reserved by a CNA.

 

Published CVE Records

As shown in the table below, CVE Program production was 15,176 CVE Records for Q1 CY 2026. This is a 19% increase from the 12,796 records published in Q4 CY 2025. This includes all CVE Records published by all CNAs and the two CNAs of Last Resort (CNA-LRs).

 

Year | Quarter | CVE Records Published by All CNAs
2026 | Q1 | 15,176

 

 

Reserved CVE IDs

The CVE Program tracks reserved CVE IDs. As shown in the table below, 21,530 CVE IDs were in the “Reserved” state in Q1 CY 2026, a 39% increase over the 15,479 IDs reserved in Q4 CY 2025. This includes all CVE IDs reserved by all CNAs and the two CNA-LRs.

 

Year | Quarter | CVE IDs Reserved by All CNAs
2026 | Q1 | 21,530

 

 

CVE IDs Reserved/CVE Records Published Quarterly Trend by CY

 

[Chart] Quarterly trend of reserved CVE IDs and published CVE Records by all CNAs and CNA-LRs. View as tables on the Metrics page.

 

Note that in the chart above the Q2-2025 spike in Reserved IDs was the result of community concern around a potential gap in funding, and the Q1-2026 spike in Reserved IDs was due to an increase in AI-driven vulnerability discovery and requests, as the whole ecosystem is experiencing a rapid increase in demand.

 

CNA Partners Grow the CVE List

 

All of the CVE IDs and CVE Records cited in the metrics above are assigned and published by CNAs and the three CNA-LRs, within their own specific scopes.

 

CNAs partner with the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign. Currently, 517 organizations (514 CNAs and 3 CNA-LRs) from 43 countries and 1 no country affiliation are partners with the CVE Program.

 

Learn how to become a CNA or contact one of the following to start the partnering process today:

 

  • CISA Top-Level Root: Vulnerabilities that are (1) reported to or observed by CISA and (2) affect critical infrastructure, U.S. civilian government, industrial control systems, or medical devices, and (3) are not covered by another CNA’s scope
    • CERT@VDE Root: Organizations that are cooperative partners of CERT@VDE
    • CISA ICS Root: Vulnerabilities that are (1) reported to or observed by CISA, (2) affect industrial control systems or medical devices, and (3) are not covered by another CNA’s scope
  • MITRE Top-Level Root: Vulnerabilities, and Open-Source software product vulnerabilities, not already covered by a CNA listed on this website
    • ENISA Root: European Union (EU) member states/EU authorities, EU CSIRT’s network members, and cooperative partners under ENISA’s mandate as well as other CNAs who choose ENISA as their Root
    • Google Root: Alphabet organizations
    • INCIBE Root: Spain organizations
    • JPCERT/CC Root: Japan organizations
    • Red Hat Root: The Red Hat Root’s scope includes the open-source community. Any open-source organizations that prefer Red Hat as their Root; organizations are free to choose another Root if it suits them better
    • Thales Group Root: Products and technologies of subsidiaries of Thales Group

 

Comments or Questions?

 

If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form (choose “General Support”).

We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!


Share this CVE article:

https://medium.com/@cve_program/cve-program-report-for-quarter-1-calendar-year-q1-cy-2026-ddf638377bdc

 

CVE Numbering Authorities (CNAs)

 

23 Additional Organizations Added as CNAs

 

Between March 1, 2026 and May 31, 2026, twenty-three (23) additional organizations from around the world partnered with the program as CNAs:

 

  1. Acer Inc. – Acer issues only. (Taiwan)
  2. Airlock by Ergon – Airlock issues only: Airlock SaaS, Airlock Identity and Access Management (IAM), Airlock Gateway, and Airlock Microgateway. (Switzerland)
  3. BAE Systems, Inc. – All products of BAE Systems. (USA)
  4. Bombadil Systems LLC – Vulnerabilities in third-party software discovered by Bombadil Systems that are not in another CNA’s scope. (USA)
  5. Canva – All Canva products, including open-source software published and maintained by Canva, as well as vulnerabilities in third-party software discovered by Canva that are not in another CNA’s scope. (Australia)
  6. Cloud Security Alliance – Vulnerabilities in software developed and maintained by the Cloud Security Alliance (github.com/CloudSecurityAlliance/*). (USA)
  7. Computer Incident Response Center Luxembourg (CIRCL) – Vulnerability assignment related to vulnerability coordination in Luxembourg, which may include reports on software, products, hardware, or services submitted to CIRCL in its role as the national authority for vulnerability coordination in Luxembourg and within the CSIRTs network. (Luxembourg)
  8. Cribl, Inc. – Vulnerabilities identified in Cribl products, and vulnerabilities discovered by, or reported to, Cribl that are not in another CNA’s scope. (USA)
  9. Cygence Pty Ltd – Issues in third-party products identified by, or reported to, Cygence, unless covered by the scope of another CNA. (Australia)
  10. Entrust Corporation – All products under the following brand names: Entrust, Datacard, Entrust Datacard, nCipher, Onfido, Hytrust, SafeLayer, Antelop, Evidos, SMS Passcode. (USA)
  11. Fujifilm Business Innovation Corp. – Fuji Xerox and FUJIFILM Business Innovation products such as multifunction devices, printers, production printers, software, and cloud services. (Japan)
  12. Fsas Technologies – Fsas Technologies (a Fujitsu company) in the Europe/EMEA region only. (Germany)
  13. GVision Italia S.r.l. – Vulnerabilities affecting EU-certified and EU-hardened firmware, software components, and related services distributed and maintained by GVision Italia. This includes firmware variants modified, certified, and maintained by GVision Italia for the European market; associated software components, configuration tools, and update mechanisms under GVision Italia responsibility; and, public-facing services and portals operated by GVision Italia related to device management and security. This scope explicitly excludes products or firmware versions not modified or maintained by GVision Italia. (Italy)
  14. Hologic, Inc. – Hologic products. (USA)
  15. OpenAI – Vulnerabilities in OpenAI installed software including desktop apps, mobile apps, and SDKs only. (USA)
  16. Orange Cyberdefense – Orange Cyberdefense branded products and technologies, unless embedded component or software covered by the scope of another CNA; as well as vulnerabilities in third-party software discovered by Orange Cyberdefense that are not in another CNA’s scope. (France)
  17. Quanta Computer, Inc. – Quanta Computer PSIRT products and services only. (Taiwan)
  18. Snowflake – Snowflake products, including those of its subsidiaries, and vulnerabilities in third-party software that are discovered by, or reported to, Snowflake that are not within another CNA’s scope. (USA)
  19. Synopsys, Inc. – All Synopsys products and technologies only. (USA)
  20. The HDF Group – All HDF software including HDF5, HDF4, HSDS, HDFView. (USA)
  21. Thinkst Applied Research – Thinkst Applied Research’s products only. (South Africa)
  22. Turan Security – Vulnerabilities discovered through independent research conducted by TuranSec to products and projects that are not CNAs themselves. (Uzbekistan)
  23. Ygreky SASU – All Ygreky products and infrastructure, and vulnerabilities discovered by, or reported to, Ygreky that are not covered by the scope of another CNA. (France)

 

CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

There are currently 517 CNAs (514 CNAs and 3 CNA-LRs) from 43 countries and 1 no country affiliation participating in the CVE Program. View the entire list of CNA partners on the CVE website.

 

Vulnerability Data Enrichment for CVE Records: 261 CNAs on the Enrichment Recognition List for May 4, 2026


The “CNA Enrichment Recognition List” for May 4, 2026, is now available with 261 CNAs listed. Published monthly on the CVE website, the list recognizes those CVE Numbering Authorities (CNAs) that are actively providing enhanced vulnerability data in their CVE Records. CNAs are added to the list if they provide Common Vulnerability Scoring System (CVSS) and Common Weakness Enumeration (CWE™) in at least 98% of their records that were published within two weeks of their most recently published record.

 

CNA Enrichment Recognition List criteria and reporting are intended to recognize those CNAs taking on the work to increase the value of CVE Records for downstream consumers, and to encourage others to do the same. Enrichment Recognition List criteria may change over time. The most recent modifications occurred in June 2025, when data pulls moved from every two weeks, based upon data from the last 12 months, to the current once-per-month data pulls based upon data from the previous six months.

 

For more about the recognition list, see “Recognition for CNAs Actively Providing Vulnerability Data Enrichment for CVE Records.” To learn more about vulnerability information types like CVSS and CWE, see the CVE Record User Guide. View the most current CNA Enrichment Recognition List on the CVE website Metrics page here.

 

Increasing the Value of the CVE Record — CNA Enrichment Recognition List

 

CNA Enrichment Recognition List for May 4, 2026, with 261 CNAs listed:

 

 

  • 2N Telekomunikace a.s.
  • Acronis International GmbH
  • Adobe Systems Incorporated
  • Advanced Micro Devices Inc.
  • Airbus
  • AlgoSec
  • Alibaba, Inc.
  • Altera
  • Altium
  • Amazon
  • AMI
  • ARC Informatique
  • Arista Networks, Inc.
  • Asea Brown Boveri Ltd.
  • ASR Microelectronics Co., Ltd.
  • ASUSTeK Computer Incorporation
  • ASUSTOR Inc.
  • ATISoluciones Diseño de Sistemas Electrónicos, S.L.
  • Austin Hackers Anonymous
  • Autodesk
  • Automotive Security Research Group (ASRG)
  • Axis Communications AB
  • BeyondTrust Inc.
  • Bitdefender
  • Black Duck Software, Inc.
  • Black Lantern Security
  • BlackBerry
  • Brocade Communications Systems LLC, a Broadcom Company
  • CA Technologies
  • Canon Inc.
  • Canonical Ltd.
  • Carrier Global Corporation
  • Cato Networks
  • CERT.PL
  • CERT@VDE
  • Check Point Software Technologies Ltd.
  • Checkmk GmbH
  • Cisco Systems, Inc.
  • Citrix Systems, Inc.
  • CODRA
  • Commvault Systems Inc
  • Concrete CMS
  • ConnectWise LLC
  • Crafter CMS
  • CrowdStrike Holdings, Inc.
  • Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
  • Dahua Technologies
  • Dassault Systèmes
  • Delinea, Inc.
  • Dell EMC
  • Delta Electronics, Inc.
  • Digi International Inc.
  • Docker Inc.
  • dotCMS LLC
  • Dragos, Inc.
  • Eclipse Foundation
  • Elastic
  • EnterpriseDB Corporation
  • Environmental Systems Research Institute, Inc. (Esri)
  • Ericsson
  • Erlang Ecosystem Foundation
  • ESET, spol. s r.o.
  • EU Agency for Cybersecurity (ENISA)
  • Everpure, Inc.
  • Extreme Networks, Inc.
  • F5 Networks
  • Fedora Project (Infrastructure Software)
  • Fermax Technologies SLU
  • Financial Security Institute (FSI)
  • Flexera Software LLC
  • floragunn GmbH
  • Fluid Attacks
  • Forcepoint
  • Fortinet, Inc.
  • Fortra, LLC
  • Foxit Software Incorporated
  • FPT SOFTWARE CO., LTD
  • Gallagher Group Ltd
  • Gen Digital Inc.
  • Genetec Inc.
  • GeoVision Inc.
  • GitHub (maintainer security advisories)
  • GitHub Inc, (Products Only)
  • GitLab Inc.
  • Glyph & Cog, LLC
  • Google Cloud
  • Google LLC
  • Gridware Cybersecurity
  • Hackrate Kft.
  • HackRTU
  • Hallo Welt! GmbH
  • Hanwha Vision Co., Ltd.
  • Harborist
  • HashiCorp Inc.
  • HeroDevs
  • HiddenLayer, Inc.
  • Hillstone Networks Inc.
  • Hitachi Energy
  • Hitachi Vantara
  • Hitachi, Ltd.
  • Honeywell International Inc.
  • HP Inc.
  • Huawei Technologies
  • HYPR Corp
  • ICS-CERT
  • Insyde Software
  • Intel Corporation
  • Internet Systems Consortium (ISC)
  • Intigriti
  • Israel National Cyber Directorate
  • Ivanti
  • Jamf
  • JetBrains s.r.o.
  • JFROG
  • Johnson Controls
  • JPCERT/CC
  • Juniper Networks, Inc.
  • Kaspersky
  • KNIME AG
  • KrakenD, S.L.
  • KrCERT/CC
  • Kubernetes
  • Larry Cashdollar
  • Legion of the Bouncy Castle Inc.
  • Lenovo Group Ltd.
  • Lexmark International Inc.
  • M-Files Corporation
  • Maritime Hacking Village
  • Mattermost, Inc
  • Mautic
  • Medtronic
  • Microchip Technology
  • Microsoft Corporation
  • Milestone Systems A/S
  • Mitsubishi Electric Corporation
  • Monash University - Cyber Security Incident Response Team
  • MongoDB
  • Moxa Inc.
  • N-able
  • National Cyber Security Centre Finland
  • National Cyber Security Centre SK-CERT
  • National Instruments
  • NEC Corporation
  • Neo4j
  • NETGEAR
  • Netskope
  • Nozomi Networks Inc.
  • Nutanix
  • Nvidia Corporation
  • Omnissa, LLC
  • OMRON Corporation
  • Open Design Alliance
  • OpenHarmony
  • OpenJS Foundation
  • OpenText (formerly Micro Focus)
  • OpenVPN Inc.
  • OTRS AG
  • Palantir Technologies
  • Palo Alto Networks
  • Pandora FMS
  • PaperCut Software Pty Ltd
  • Patchstack OÜ
  • Payara
  • Pegasystems
  • Pentraze Cybersecurity
  • Perforce
  • PHP Group
  • Ping Identity Corporation
  • PostgreSQL
  • Progress Software Corporation
  • Project Black
  • Proofpoint Inc.
  • Protect AI
  • PTC Inc.
  • QNAP Systems, Inc.
  • Qualcomm, Inc.
  • Qualys, Inc.
  • Radiometer Medical ApS
  • rami.io GmbH
  • Rapid7, Inc.
  • Real-Time Innovations, Inc.
  • Red Hat CNA-LR
  • Ribose Limited
  • Robert Bosch GmbH
  • Rockwell Automation
  • runZero, Inc.
  • S21sec Cyber Solutions by Thales
  • SailPoint Technologies
  • Samsung TV & Appliance
  • SAP SE
  • SBA Research gGmbH
  • Schneider Electric SE
  • SCHUTZWERK GmbH
  • Secomea
  • Security Risk Advisors
  • ServiceNow
  • SICK AG
  • Siemens
  • Sierra Wireless Inc.
  • Silicon Labs
  • Snowflake
  • Snyk
  • Softing
  • SoftIron
  • SolarWinds
  • Solidigm
  • Sonatype Inc.
  • Spanish National Cybersecurity Institute, S.A.
  • Spartans Security
  • Suse
  • Switzerland National Cyber Security Centre (NCSC)
  • Symantec - A Division of Broadcom
  • Synaptics
  • Synology Inc.
  • Talos
  • Tanium Inc.
  • TCS-CERT
  • TeamViewer Germany GmbH
  • Temporal Technologies Inc.
  • Tenable Network Security, Inc.
  • Teradyne Robotics
  • Thales Group
  • The Browser Company of New York
  • The Document Foundation
  • The Missing Link Australia (TML)
  • The Qt Company
  • The Tcpdump Group
  • The Wikimedia Foundation
  • TianoCore.org
  • Toreon
  • TP-Link Systems Inc.
  • TR-CERT (Computer Emergency Response Team of the Republic of Turkey)
  • Trellix
  • Trend Micro, Inc.
  • Turan Security
  • TWCERT/CC
  • TYPO3 Association
  • upKeeper Solutions
  • Vaadin Ltd.
  • Vivo Mobile Communication Technology Co., LTD.
  • VulDB
  • VulnCheck
  • VULSec Labs
  • WatchGuard Technologies, Inc.
  • Western Digital
  • Wiz, Inc.
  • wolfSSL Inc.
  • Wordfence
  • WSO2 LLC
  • Xerox Corporation
  • Yandex N.V.
  • Yokogawa Group
  • Yugabyte, Inc.
  • Zabbix
  • Zephyr Project
  • Zero Day Initiative
  • Zohocorp
  • Zoom Video Communications, Inc.
  • Zscaler, Inc.
  • ZUSO Advanced Research Team (ZUSO ART)
  • Zyxel Corporation

 


Share this CVE article:

https://medium.com/@cve_program/vulnerability-data-enrichment-for-cve-records-261-cnas-on-the-enrichment-recognition-list-for-may-40c285eebd82  

 

Community

 

Videos from CVE/FIRST VulnCon 2026 Now Available

 

Videos of fifty sessions from CVE/FIRST VulnCon 2026 are now available on the FIRST Channel on YouTube and the CVE Program Channel on YouTube. The purpose of VulnCon is to collaborate with various vulnerability management and cybersecurity professionals to develop forward-leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management ecosystem.

 

“CVE/FIRST VulnCon 2026,” April 13–16, 2026
DoubleTree Resort by Hilton Hotel Paradise Valley - Scottsdale, Scottsdale, Arizona, USA
Virtual + In-Person

 

The following conference videos are available:

 

 

Please like or comment on the videos on the CVE Program Channel on YouTube.

 

 

Keeping Up with CVE

 


 

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://www.cve.org/Media/News/NewsletterSignup. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

 

CVE™ is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2026, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Council of Roots, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.

 
