1,025 CVEs

13 in CISA KEV

f5 Vulnerabilities

CVE security advisories and vulnerability history for f5.

1,025

Total CVEs

Published

13

In CISA KEV

Exploited in the wild

68

Public exploits

With known exploit

7.3

Avg CVSS

2002–2026

Overview

f5 has 1,025 published CVE records since 2002, of which 13 are in CISA's Known Exploited Vulnerabilities catalog and 68 have a known public exploit. The average CVSS base score across scored CVEs is 7.3.

This page aggregates every publicly disclosed vulnerability (CVE) affecting f5 products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of f5's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical21

High232

Medium115

Low7

650 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

13

13 of f5's CVEs are confirmed exploited in the wild.

Public exploits

68

68 of f5's CVEs have a known public exploit available.

Most affected products

The f5 products with the most published CVEs.

big-ip access policy manager589 CVEs
big-ip application security manager540 CVEs
big-ip advanced firewall manager513 CVEs
big-ip local traffic manager502 CVEs
big-ip policy enforcement manager494 CVEs
big-ip link controller486 CVEs
big-ip application acceleration manager485 CVEs
big-ip analytics472 CVEs

Common weakness types

The CWE weakness categories most often found in f5 CVEs. Follow any weakness for its full explanation.

CNAs that assign these CVEs

The CVE Numbering Authorities that publish f5 CVE records.

Disclosure activity by year

How many f5 CVEs were published each year.

2019

154

2020

125

2021

86

2022

132

2023

62

2024

52

2025

81

2026

65

Latest f5 CVEs

The most recently disclosed vulnerabilities affecting f5.

NGINX ngx_http_rewrite_module vulnerability
CWE-122
Critical · CVSS 9.2
EPSS 0.2%2026-05-22
NGINX JavaScript vulnerability
CWE-122
Critical · CVSS 9.2
EPSS 0.1%2026-05-19
NGINX ngx_http_proxy_v2_module vulnerability
CWE-172
Medium · CVSS 6.3
EPSS 0.0%2026-05-13
NGINX ngx_quic_module vulnerability
CWE-290
Medium · CVSS 6.9
EPSS 0.0%2026-05-13
NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability
CWE-823
High · CVSS 8.3
EPSS 0.1%2026-05-13
NGINX ngx_http_charset_module vulnerability
CWE-125
Medium · CVSS 6.3
EPSS 0.0%2026-05-13
NGINX ngx_http_rewrite_module vulnerability
CWE-122
Critical · CVSS 9.2
EPSS 0.9%2026-05-13
NGINX ngx_http_ssl_module vulnerability
CWE-416
Medium · CVSS 6.3
EPSS 0.0%2026-05-13
BIG-IP SIP profile vulnerability
CWE-770
High · CVSS 8.7
EPSS 0.1%2026-05-13
Appliance mode iControl REST vulnerability
CWE-35
High · CVSS 8.7
EPSS 0.0%2026-05-13
Appliance mode iControl REST vulnerability
CWE-35
Medium · CVSS 6.9
EPSS 0.6%2026-05-13
BIG-IP DNS Cache vulnerability
CWE-824
High · CVSS 8.7
EPSS 0.1%2026-05-13

Track new f5 CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor f5 CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

juniper1,082 CVEs D-Link1,068 CVEs mediatek1,040 CVEs vmware1,036 CVEs org.jenkins-ci.plugins1,025 CVEs joomla963 CVEs Google Inc.960 CVEs MediaTek, Inc.957 CVEs

Browse all vendors

Frequently asked questions

Common questions about f5 vulnerabilities.

How many CVEs does f5 have?

f5 has 1,025 published CVE records since 2002, including 146 in the last two years.

How many f5 CVEs are in CISA KEV?

Yes — 13 of f5's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Which f5 products have the most CVEs?

The f5 products with the most published CVEs are big-ip access policy manager, big-ip application security manager, big-ip advanced firewall manager, big-ip local traffic manager, big-ip policy enforcement manager.

What are the most common weakness types in f5 CVEs?

f5's CVEs most often map to these CWE weakness types: CWE-400 (Uncontrolled Resource Consumption), CWE-476 (NULL Pointer Dereference), CWE-20 (Improper Input Validation), CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')).

Are there public exploits for f5 vulnerabilities?

Yes — 68 of f5's CVEs have a known public exploit.

How many critical f5 vulnerabilities are there?

f5 has 21 critical and 232 high-severity CVEs.

What is the average severity of f5 CVEs?

The average CVSS base score across f5's scored CVEs is 7.3.

References

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track f5 vulnerabilities

Monitor new f5 vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing