PURL was built to identify open-source packages, something CPE never did well.
Where it landed in the CVE feed: about 2% of 2026 CVEs. NVD and CISA backfill missing CPEs, cutting the no-ID pile from 75% to 41%, but they add zero PURLs, because NVD has no PURL field.
PURL is thriving in OSV, GitHub advisories, and SBOM tools. It just never made it into the pipeline everyone triages from.
This week I posted that attackers exploit memory corruption and injection far more than common web bugs
A vivid example from this week's CVE disclosures: Foxit disclosed 28 CVEs for its PDF Editor in one release. 26 of 28 are memory-safety bugs. 15 are use-after-free.
All patched. But memory safety in a file parser is exactly the bug class attackers target.
How severe are the bugs that actually get exploited?
Every CVE on CISA's KEV list, by CVSS v3 and weakness class. The median is 8.8.
Code execution rides the ceiling (median 9.8). Memory corruption sits a notch lower (median 8.8). Almost nothing is "medium."
The bugs you see most are not the bugs that get exploited.
I mapped every CVE on CISA's list of exploited vulnerabilities to its corresponding CWE. What attackers actually use: memory corruption and injection.
XSS is the most common bug on the internet, and it barely shows up.
Stop triaging by bug class.
The 10 most common CWEs and the CVSS scores they get: memory corruption and injection highest (stack overflow median 8.5, OS command injection 7.8), high-volume web classes lower (XSS 6.4, CSRF 5.4).
But every one of the 10 has vulnerabilities in the same 6.3 to 7.1 band. The class does not tell you the severity.
A CVSS score is not a fact about a bug. It is an opinion with a decimal point.
13 orgs scored XSS: averages range from 3.4 to 6.7, mostly because VulDB sits at the bottom. The biggest reason is not the metric people argue about (Scope); it is whether an XSS leaks data at all. That one call is worth ~1.4 points, double Scope.
For years, MITRE, the nonprofit that runs the CVE program, was its #1 issuer almost every month. Not anymore.
GitHub has been #1 every month of 2026. MITRE has slid to about #7.
GitHub Security Advisories are now the #1 CVE issuer (6,801). VulnCheck climbed to #3 (VulDB 🛡sits #2). The people assigning CVEs changed in 2026: platforms, ecosystems, and research CNAs now set the pace. High counts reflect scope, not padding.
https://t.co/51xisNLHIY
H1 2026: 35,364 CVEs. More than any full year before 2024. One every 7.4 minutes, +49.5% YoY.
But only 85 (0.24%) are on CISA's KEV list so far. We're drowning in CVEs while confirmed exploitation stays rare. That gap is the whole game.
Review + Code: https://t.co/51xisNLHIY
💙 Sapphire Friends of BSides Porto!
A huge THANK YOU to @JGamblin for joining the Friends of BSides Porto program as a Sapphire Donor. Your support helps us keep BSides Porto community-driven, accessible, and growing every year.
#bsidesporto#event#community#hacking#porto
Saw the glowing green ad during a World Cup and immediately played the guessing game:
1. Trillion-dollar AI startup 🤖
2. New EV car brand 🚗
3. Sketchy crypto exchange 📉
...
100. Lactose-free milk 🥛
Never let them know your next move, dairy industry. ⚽️🐄
📈 @FIRSTdotOrg's 2026 Mid-Year Vulnerability Forecast is live! CVE disclosures are running 46.3% above projections — putting the industry on pace for ~66,000 CVEs this year.
🔗 Read more: https://t.co/cP0ouNN7uw
#cybersecurity#FIRSTCON26#infosec
Launching LycosAI today.
The wilderness is encroaching. We are holding the line.
Deploying autonomous wolf packs at prefecture scale to secure the rural perimeter where legacy systems have failed.
https://t.co/VXPADekDXC
The government just released documents of astronauts seeing 'flashing lights' and 'particles' on the Moon. At this point, you either have to admit aliens exist or admit the moon landing was shot in a basement in Nevada. There is no middle ground. 🛸👨🚀
I'm bad at golf. But I'm good at data visualization. So I built this: a self-hosted @Garmin R10 analytics dashboard with club analysis, gapping tables, carry tracking, and AI coaching recommendations. All from your own data.
🔗 https://t.co/4zL5VfAhKn