Log in
This directory aggregates every publicly disclosed vulnerability (CVE) by the vendor whose products it affects. Each vendor page shows CVE counts, CISA KEV totals, severity breakdowns, the most-affected products, common weakness types, and the latest disclosures. The top vendors by CVE volume are shown below; every tracked vendor — over 58,000 — has its own page and is indexed for search.
Understand what a CVE is, how it maps to a vendor, and how the counts and CISA KEV signals on these pages are computed.
A vendor vulnerability page brings together every publicly disclosed security flaw — known as a CVE, or Common Vulnerabilities and Exposures — that affects a particular software vendor. Instead of searching a flat catalog of hundreds of thousands of CVEs, you can see the whole vulnerability history of a single vendor in one place: how many CVEs exist, how severe they are, which products are most affected, and which have been confirmed as exploited in the wild.
The underlying data comes from the CVE Program, a community effort operated by MITRE and sponsored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). RadicalNotion.AI aggregates those records by affected vendor and layers on severity, CISA KEV, and public-exploit signals so the picture is complete and prioritized.
A CVE is a single, uniquely identified vulnerability — for example, CVE-2024-12345 — in a specific product or set of products. Each CVE record lists the affected products and the vendors who make them. We read those affected-product entries and associate the CVE with each named vendor, which is how a CVE ends up counted on a vendor page.
A single CVE can affect more than one vendor (for instance, a shared open-source library bundled by several products), so the same CVE may appear on multiple vendor pages. That is expected and reflects how the vulnerability propagates across the software supply chain.
A vendor's CVE count is the number of distinct published CVE records that name that vendor among their affected products. We count by a normalized vendor key, so different casings or spellings of the same vendor — for example, "Microsoft" and "microsoft" — are grouped into a single page rather than fragmenting the count.
Only published CVE records are counted; reserved or rejected entries are excluded. Severity counts use the CVSS base score band (critical, high, medium, low) recorded on each CVE.
CISA's Known Exploited Vulnerabilities (KEV) catalog is a list of CVEs that have been confirmed as actively exploited in the wild. A CVE in the KEV catalog carries a federal remediation deadline and should generally be prioritized above CVEs of equal CVSS severity. The KEV count on a vendor page tells you how many of that vendor's CVEs carry this real-world exploitation signal.
A public-exploit signal indicates that working exploit code for a CVE is publicly available. Together with KEV, it helps defenders separate the vulnerabilities most likely to be attacked from the long tail of theoretical issues.
CVE records are authored by many different organizations, and vendor names are entered as free text. As a result, the same vendor can appear with different casing, punctuation, or aliasing across records. We normalize the vendor key to merge obvious casing variants, but distinct spellings supplied by the data source may still resolve to separate pages.
Only the top vendors by CVE volume are listed on the directory page above. Every tracked vendor — over 58,000 — has its own page, which is indexed for search and reachable directly by URL and via the sitemap.
The software vendors with the most published CVE records.
Vendors with the most CVEs confirmed exploited in the wild.
Showing 250 of 250 vendors