Vulnerability Data by Technology
CVE counts for popular web frameworks and technologies (2023-2025)
Data sourced from CVE databases and security advisories. Used to estimate the average number of vulnerabilities per software component per year.
CVE Data
| Component | 2025 | 2024 | 2023 | Avg | Source |
|---|---|---|---|---|---|
| Node.js | 6 | 15 | 27 | 16.00 | link |
| React | 2 | 3 | 3 | 2.67 | - |
| jQuery | 2 | 2 | 4 | 2.67 | - |
| Next.js | 9 | 7 | 1 | 5.67 | link |
| Express | 4 | 4 | 0 | 2.67 | - |
| Angular | 2 | 0 | 1 | 1.00 | - |
| .NET Core | 1 | 0 | 2 | 1.00 | - |
| Vue.js | 2 | 1 | 1 | 1.33 | - |
| ASP.NET | 1 | 0 | 0 | 0.33 | - |
| Flask | 0 | 1 | 1 | 0.67 | link |
| Spring Boot | 16 | 22 | 19 | 19.00 | link |
| Django | 9 | 15 | 7 | 10.33 | link |
| WordPress | 3 | 7 | 7 | 5.67 | link |
| Overall Average | | | | 5.31 | |
Caveats
- Quick search for CVEs - not exhaustive
- Only CVEs counted, not all security advisories
- Some data sourced via ChatGPT (in line with expectations but may not be completely accurate)
- Web libraries shown - relevant for CRA scope, but embedded device data harder to find
Despite these caveats, the data still provides a reasonable estimate of the expected vulnerabilities per year per component.
Source: StackOverflow 2024 Survey - Web frameworks and technologies