Resilient Cyber w/ Jerry Gamblin - CVE Retrospective & Looking Forward

In this episode of Resilient Cyber I’m joined by one of my favorite vulnerability researchers, Jerry Gamblin.

Jerry recently published a comprehensive 2025 CVE retrospective, which we will dive into, as well as his thoughts around trends and patterns we may see emerge in the vulnerability management landscape moving into 2026 and beyond.

In this episode, Jerry and I discuss:

  • The record-setting growth of CVEs, culminating in 48,000+ CVEs in 2025, why vulnerability prioritization is the only way through 2026, and what prioritization looks like in practice.

  • The outsized role of sources such as Patchstack and Wordfence, what Jerry calls the “WordPress Effect”, and why he thinks the third-party plugin ecosystem is producing so many CVEs.

  • How CWE-79 (Cross-Site Scripting) tops the list with over 8,000 CVEs despite being a known vulnerability class for decades, why this is alarming, and why we still fail at resolving fundamental classes of vulnerabilities despite years of mantras such as Secure-by-Design.

  • CVE data quality issues: while 90% of CVEs have a CVSS score and a CWE assigned, only 57.6% have a CPE identifier and even fewer have a PURL, and what downstream challenges these gaps create for practitioners.

  • The role of the Linux kernel, which with 3,649 CVEs has the most of any single “product”, how this reflects transparency rather than insecurity, and the false dichotomy of open source versus proprietary software being inherently more or less secure than the other.

  • Jerry’s efforts at RogoLabs to provide free resources for the community around all things vulnerability management.
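
The CPE/PURL coverage gap above is easy to measure yourself. As an added example, not code from the episode or from Jerry’s retrospective, the Python below reports what share of a set of CVE JSON 5.1-style records carry a CVSS score, a CWE, a CPE and a PURL; the field names it reads are my assumption about the 5.1 layout, and the sample records are constructed with placeholder IDs.

```python
# Data-quality check over CVE JSON 5.1-style records: which share carry a CVSS score,
# a CWE, a CPE and a PURL. Field names (metrics/cvssV3_1, problemTypes[].descriptions[].cweId,
# affected[].cpes, affected[].packageURL) follow my reading of the 5.1 schema: an assumption.
CVSS_KEYS = ("cvssV2_0", "cvssV3_0", "cvssV3_1", "cvssV4_0")
FIELDS = ("cvss", "cwe", "cpe", "purl")


def record_coverage(record: dict) -> dict:
    """Flags for each FIELDS entry present in the CNA container or any ADP container."""
    found = dict.fromkeys(FIELDS, False)
    containers = record.get("containers", {})
    for c in [containers.get("cna", {})] + list(containers.get("adp", [])):
        if any(k in m for m in c.get("metrics", []) for k in CVSS_KEYS):
            found["cvss"] = True
        if any(d.get("cweId") for pt in c.get("problemTypes", []) for d in pt.get("descriptions", [])):
            found["cwe"] = True
        if any(a.get("cpes") for a in c.get("affected", [])):
            found["cpe"] = True
        if any(a.get("packageURL") for a in c.get("affected", [])):
            found["purl"] = True
    return found


def coverage_summary(records: list) -> dict:
    """Percentage of records (one decimal place) carrying each field; zeros for empty input."""
    n = len(records)
    totals = dict.fromkeys(FIELDS, 0)
    for r in records:
        for k, present in record_coverage(r).items():
            totals[k] += int(present)
    return {k: round(100.0 * v / n, 1) if n else 0.0 for k, v in totals.items()}


# Constructed sample records with placeholder IDs, not real CVE data.
SAMPLE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-0000-00001"}, "containers": {"cna": {
        "affected": [{"vendor": "v", "product": "p", "cpes": ["cpe:2.3:a:v:p:1.0:*:*:*:*:*:*:*"]}],
        "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "XSS"}]}],
        "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1}}]}}},
    # CVSS supplied only by an ADP (enrichment) container; product identified by PURL only.
    {"cveMetadata": {"cveId": "CVE-0000-00002"}, "containers": {"cna": {
        "affected": [{"vendor": "v", "product": "q", "packageURL": "pkg:npm/q@2.0.0"}],
        "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89", "description": "SQLi"}]}]},
        "adp": [{"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8}}]}]}},
    # Bare record: no CVSS, no CWE, no product identifier at all.
    {"cveMetadata": {"cveId": "CVE-0000-00003"}, "containers": {"cna": {
        "affected": [{"vendor": "v", "product": "r"}],
        "problemTypes": [{"descriptions": [{"lang": "en", "description": "n/a"}]}]}}},
]
```

Run over a directory of real records from the cvelistV5 repository, the same two functions give you the CPE/PURL coverage figures for your own scope rather than the global ones.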
