Proceeding Paper

Common Vulnerabilities and Exposure Data Analysis and Visualization: Building Cybersecurity Awareness and Validating Risks †

1 Department of Computer Science and Information Engineering, Chaoyang University of Technology, Taichung 413310, Taiwan
2 Department of Information and Communication Engineering, Chaoyang University of Technology, Taichung 413310, Taiwan
3 Department of Information Engineering and Computer Science, Feng Chia University, Taichung 407102, Taiwan
* Author to whom correspondence should be addressed.
† Presented at 2025 IEEE International Conference on Computation, Big-Data and Engineering (ICCBE), Penang, Malaysia, 27–29 June 2025.
Eng. Proc. 2026, 128(1), 33; https://doi.org/10.3390/engproc2026128033
Published: 13 March 2026

Abstract

Cybersecurity vulnerabilities are rapidly increasing, but public understanding and awareness remain limited. Since most vulnerabilities are common, they continue to exist and to be exploited. Although there are tools, including the Open Worldwide Application Security Project (OWASP) and the Common Weakness Enumeration (CWE), that provide extensive information on known security problems, their information is not structured or presented visually, which makes these tools ineffective for rapid assessment and response. We analyzed large-scale Common Vulnerabilities and Exposures (CVE) JavaScript Object Notation (JSON) datasets to recognize key threats, to understand the underlying causes of data breaches, and to analyze vulnerability trends. Implementing keyword filtering techniques and better data visualization enhances the clarity and usefulness of vulnerability information. These tools enable stakeholders to make quicker and more informed decisions and implement stronger encryption and defensive measures. Finally, the results of this study lead to broad awareness, active security, and a reactive strategy to evolving cyber threats that makes it simpler for both government and everyday users to recognize and respond to emerging attack patterns and risks across digital platforms.

1. Introduction

To understand publicly disclosed vulnerabilities, the Common Vulnerabilities and Exposures (CVE) database is used. It provides a comprehensive collection of known vulnerabilities [1,2]. Various reports allow users to assess the impact and severity of these vulnerabilities, enabling organizations to evaluate their own systems, prevent errors [3], and raise cybersecurity awareness. Each CVE entry is assigned a unique identifier [4], which facilitates easier querying and comparison. Additionally, the Common Vulnerability Scoring System (CVSS) is used to quantify the severity of vulnerabilities, making risk assessment more comparable and verifiable [5]. Vulnerabilities are also categorized in detail using the Common Weakness Enumeration (CWE), which helps developers understand the root causes and possible remediation approaches for each issue [6].
However, while CVE provides descriptions and CVSS scores to quantify risks, the vast amount of data overwhelms developers trying to understand vulnerabilities, making it difficult to prioritize which ones to address first [2]. To mitigate this, the Open Worldwide Application Security Project (OWASP) released the first OWASP Top 10 report in 2003. This report is regularly updated based on aggregated vulnerability data from security firms and institutions, identifying the most common and impactful vulnerabilities worldwide [7,8]. Although the primary objective of CWE is to define a common standard for software weaknesses, it also utilizes the Known Exploited Vulnerabilities (KEV) catalogue to highlight CVEs that have been actively exploited, culminating in the CWE Top 10 KEV Weaknesses list [5].
Although the OWASP Top 10 and the CWE Top 10 KEV Weaknesses provide important risk reference points [5,9], they still fall short in terms of educational and comprehension support for developers and engineers with limited cybersecurity awareness [6,10]. These reports often lack additional materials that can help developers build a solid understanding of risks effectively, and do not offer real-time insights into emerging vulnerability trends and potential threats. As a result, it becomes challenging for developers to stay informed about key security issues and changes in the threat landscape.
This study aims to consolidate recent trends in software vulnerabilities by analyzing a large number of open-source JSON files from the CVE database. A keyword-driven filtering and parsing approach is adopted to improve the efficiency of retrieving related entries. The data were analyzed and quantified to generate visual trend charts for the public to easily read and identify high-risk vulnerabilities, raise awareness about cybersecurity, and serve educational purposes.

2. Methods

2.1. Visualization

As the scale and complexity of the data continue to grow, simple text and tables are no longer sufficient for rapid analysis and decision-making. In information security, particularly in vulnerability management and risk assessment, a gap exists between theoretical frameworks, such as CVE, CWE, and CVSS, and their practical implementation. Without a proper integration method, critical information can easily be overlooked.
Visualization technologies transform complex and abstract data into intuitive graphics and charts, thereby improving data readability and enabling the recognition of trends [11]. Through visualization, developers can quickly comprehend the data and make informed decisions in a short period of time [12,13].
Applying visualization to CVE data integrates information from CWE and CVSS, enabling developers and engineers to rapidly identify trends and adjust their responses accordingly. The graphic representation of these data enhances operational efficiency and significantly contributes to cybersecurity awareness and education. Visualization is more than just a support method; it is a vital technology in an era overwhelmed by vast volumes of security-related information [14].
We utilized the CVE JSON database provided by the National Vulnerability Database (NVD), focusing on CVE records published between 2021 and May 2025. The data were processed and analyzed through an automated program, with the overall workflow illustrated in Figure 1. The automated program targets the following fields for processing.
  • cve_id
  • cwe_id
  • cvssScore (CVSS V3.1/V4)
  • publishedDate (Published Date)

Fields with missing data or inconsistent formatting are processed and excluded accordingly.

2.2. Data Analysis

By analyzing the number of CVEs published each year, the average CVSS score, and the associated CWE identifiers, we observed whether the quantity and frequency of vulnerabilities showed an upward trend. CVSS scores were used to assess risk levels and examine the distribution trends of CVSS scores.
  • Trend Analysis: Changes in the number of CVEs;
  • Category Distribution: Statistics and classification of CWE type;
  • High-Risk Distribution: CVSS > 7.
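
An added sketch of the extraction and aggregation steps in Sections 2.1 and 2.2 (not the authors' program). It assumes records in the NVD API 2.0 JSON layout, prefers the CVSS v3.1 base score with v4.0 as a fallback, and runs on constructed records with placeholder CVE ids; `_rec`, `extract` and `summarize` are hypothetical names.

```python
from collections import Counter, defaultdict

def _rec(cve_id, published, metrics, cwes):
    """Build one constructed record in the assumed NVD API 2.0 layout."""
    return {"cve": {"id": cve_id, "published": published,
        "metrics": {k: [{"type": "Primary", "cvssData": {"baseScore": s}}]
                    for k, s in metrics.items()},
        "weaknesses": [{"description": [{"lang": "en", "value": c}]} for c in cwes]}}

# Constructed sample data; the CVE ids are placeholders, not real entries.
SAMPLE = [
    _rec("CVE-2023-900001", "2023-03-01T10:00:00.000", {"cvssMetricV31": 6.1}, ["CWE-79"]),
    _rec("CVE-2024-900001", "2024-01-15T10:00:00.000", {"cvssMetricV31": 9.8}, ["CWE-89"]),
    _rec("CVE-2024-900002", "2024-02-20T10:00:00.000", {"cvssMetricV31": 7.0}, ["CWE-79"]),
    _rec("CVE-2024-900003", "2024-05-05T10:00:00.000", {"cvssMetricV40": 8.7}, ["CWE-269"]),
    _rec("CVE-2024-900004", "2024-06-01T10:00:00.000", {}, ["CWE-400"]),  # no CVSS score
    _rec("CVE-2024-900005", "2024-07-09T10:00:00.000", {"cvssMetricV31": 8.8}, ["NVD-CWE-noinfo"]),
]

def extract(record):
    """Return (cve_id, year, cwe_ids, score), or None if a field is unusable."""
    cve = record.get("cve", {})
    cve_id, published = cve.get("id"), str(cve.get("published", ""))
    score = None
    for key in ("cvssMetricV31", "cvssMetricV40"):  # assumed preference order
        entries = (cve.get("metrics") or {}).get(key) or []
        if entries:
            best = next((m for m in entries if m.get("type") == "Primary"), entries[0])
            score = best.get("cvssData", {}).get("baseScore")
            break
    cwes = sorted({d.get("value", "") for w in cve.get("weaknesses") or []
                   for d in w.get("description", [])
                   if d.get("value", "").startswith("CWE-")})  # drops NVD-CWE-noinfo/Other
    if not (cve_id and len(published) >= 4 and published[:4].isdigit() and cwes
            and isinstance(score, (int, float))):
        return None
    return cve_id, int(published[:4]), cwes, float(score)

def summarize(records, threshold=7.0):
    """Yearly totals, high-risk counts (score > threshold) and CWE tallies."""
    per_year = defaultdict(lambda: {"total": 0, "high": 0})
    cwe_all, cwe_high, skipped = Counter(), Counter(), 0
    for rec in records:
        row = extract(rec)
        if row is None:
            skipped += 1  # counted, so the exclusion rate stays visible
            continue
        _, year, cwes, score = row
        per_year[year]["total"] += 1
        cwe_all.update(cwes)
        if score > threshold:  # strict comparison, as in "CVSS > 7"
            per_year[year]["high"] += 1
            cwe_high.update(cwes)
    return dict(per_year), cwe_all, cwe_high, skipped
```

Reporting the `skipped` count next to the charts shows how much of the dataset the exclusion rule removed, and a record scored exactly 7.0 is not counted as high-risk under the strict threshold.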

3. Results

3.1. Descriptive Statistics

In this study, we performed a visual analysis of the CVE vulnerability data, focusing on three main aspects: trend changes, distribution of weakness types, and high-risk distributions. As shown in Figure 2, the time series analysis reveals a yearly increase in the number of CVEs, indicating a growing potential threat to information systems. This highlights the need for more evidence-based cybersecurity education and awareness to enhance risk awareness.
The data serves as a foundation for enterprises and organizations to plan developer training, establish security education programs, and formulate security policies based on the evolving threat landscape, thus improving overall defense capabilities (Figure 3).

3.2. Correlation Insights

In Figure 2, the number of CVEs shows a year-over-year increase. Common vulnerabilities were identified with the statistical results presented in Figure 3, revealing the main CWE weaknesses: Cross-site Scripting (CWE-79), Improper Privilege Management (CWE-269), SQL Injection (CWE-89), and Denial of Service (CWE-400). These types of vulnerability account for more than 50% of the data.
To better understand the severity of these risks, a cross-analysis was conducted to examine the frequency of high-risk CVSS scores and the distribution of common weaknesses in CWE (Figure 4 and Figure 5). The analysis covers vulnerabilities with CVSS scores higher than 7, highlighting their frequency of occurrence and corresponding CWE types. The results show that high-risk vulnerabilities continued to constitute a significant proportion of the total CVEs in 2024.
Regarding the CWE distribution, the types of weakness most commonly associated with high-risk CVSS scores were identified. These types had a high severity level and involved underlying execution control and resource access, posing critical threats to system security. Additionally, application-layer vulnerabilities, such as cross-site scripting (CWE-79), although more common, have shown a notable increase in high-risk occurrences, indicating that developers still have room for improvement in their practical implementation.
The findings of this analysis provide a reference for practical defense measures and training programs. Enterprises and organizations must prioritize vulnerability detection and mitigation strategies based on the types of CWEs corresponding to high-risk vulnerabilities. For new developers and cybersecurity professionals, this type of visual statistical analysis enhances their ability to recognize vulnerability categories and risk levels, effectively improving their overall sensitivity and response capability in system security design.

4. Conclusions

Using an automated program, we organized the CVE database, transforming a large volume of complex and difficult-to-understand vulnerability data into visualized representations that highlight trends, category classifications, and risk levels. This approach effectively helps developers understand risk trends and enables enterprises and organizations to focus resources on addressing issues that genuinely threaten system stability and data confidentiality. It also fosters attention to cybersecurity education and can serve as important teaching material in security training.
However, challenges remain due to inconsistent formatting in the large CVE JSON dataset, such as missing complete CVSS scores or varying CWE annotations, which affect the comprehensiveness and accuracy of the final statistical results. Therefore, it is necessary to incorporate artificial intelligence or alternative methods beyond CVSS scoring to more accurately express the actual exploitability and severity of vulnerabilities. By automating risk prediction and enhancing data processing efficiency and accuracy, an interactive visualization platform can be developed to enable users to freely explore the data, thereby improving the practicality of cybersecurity education, risk awareness, and decision support.

Author Contributions

Conceptualization, C.-L.C. and Z.-H.P.; Methodology, C.-L.C. and Z.-H.P.; Software, Z.-H.P.; Validation, C.-L.C., L.-C.L. and C.-F.L.; Formal analysis, Z.-H.P., L.-C.L. and C.-F.L.; Investigation, Z.-H.P.; Resources, Z.-H.P.; Data curation, L.-C.L. and C.-F.L.; Writing—original draft preparation, Z.-H.P.; Writing—review and editing, C.-L.C., L.-C.L. and C.-F.L.; Supervision, C.-L.C., L.-C.L. and C.-F.L.; Project administration, C.-F.L.; Funding acquisition, L.-C.L. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported by the National Science and Technology Council (NSTC), Taiwan, under NSTC Grant numbers: NSTC 114-2410-H-262-003.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Data are contained within the article.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Chen, Z.; Zhang, Y.; Chen, Z. A Categorization Framework for Common Computer Vulnerabilities and Exposures. Comput. J. 2010, 53, 551–580.
  2. Angelini, M.; Blasilli, G.; Catarci, T.; Lenti, S.; Santucci, G. Vulnus: Visual vulnerability analysis for network security. IEEE Trans. Vis. Comput. Graph. 2019, 25, 183–192.
  3. Okutan, A.; O’Rourke, D.; Harer, J. Empirical Validation of Automated Vulnerability Curation and Characterization. IEEE Trans. Softw. Eng. 2023, 49, 3241–3260.
  4. Hong, H.; Woo, S.; Choi, E.; Choi, J.; Lee, H. xVDB: A High-Coverage Approach for Constructing a Vulnerability Database. IEEE Access 2022, 10, 85050–85063.
  5. Bennouk, K.; Mahouachi, D.; Ait Aali, N.; El Bouzekri El Idrissi, Y.; Sebai, B.; Faroukhi, A.Z. Dynamic Data Updates and Weight Optimization for Predicting Vulnerability Exploitability. IEEE Access 2025, 13, 65266–65284.
  6. Althar, R.R.; Samanta, D.; Kaur, M.; Singh, D.; Lee, H.-N. Automated Risk Management Based Software Security Vulnerabilities Management. IEEE Access 2022, 10, 90597–90608.
  7. Brito, T.; Oliveira, J.; Silva, F.; Martins, J.; Andrade, R. Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages. IEEE Trans. Reliab. 2023, 72, 1324–1339.
  8. Alazmi, S.; De Leon, D.C. A Systematic Literature Review on the Characteristics and Effectiveness of Web Application Vulnerability Scanners. IEEE Access 2022, 10, 33200–33219.
  9. Chaleshtari, N.B.; Pastore, F.; Goknil, A.; Briand, L.C. Metamorphic Testing for Web System Security. IEEE Trans. Softw. Eng. 2023, 49, 3430–3471.
  10. Petranović, T.; Žarić, N. Effectiveness of Using OWASP TOP 10 as AppSec Standard. In Proceedings of the 2023 27th International Conference on Information Technology (IT), Zabljak, Montenegro, 15–18 February 2023; pp. 1–4.
  11. LYi, S.; Wang, Q.; Lekschas, F.; Gehlenborg, N. Gosling: A Grammar-Based Toolkit for Scalable and Interactive Genomics Data Visualization. IEEE Trans. Vis. Comput. Graph. 2022, 28, 140–150.
  12. Chen, Q.; Cao, S.; Wang, J.; Cao, N. How Does Automation Shape the Process of Narrative Visualization: A Survey of Tools. IEEE Trans. Vis. Comput. Graph. 2024, 30, 4429–4448.
  13. Chen, Q.; Zhu, L.; Li, X.; Wang, M.; Lin, Y. Chart2Vec: A Universal Embedding of Context-Aware Visualizations. IEEE Trans. Vis. Comput. Graph. 2025, 31, 2167–2181.
  14. Shakeel, H.M.; Iram, S.; Al-Aqrabi, H.; Alsboui, T.; Hill, R. A Comprehensive State-of-the-Art Survey on Data Visualization Tools: Research Developments, Challenges and Future Domain Specific Visualization Framework. IEEE Access 2022, 10, 96581–96601.
Figure 1. The overview framework of the proposed method.
Figure 2. CVE trends.
Figure 3. CWE distribution.
Figure 4. CWE trends.
Figure 5. High-risk distribution.
Chen, C.-L.; Peng, Z.-H.; Liu, L.-C.; Lee, C.-F. Common Vulnerabilities and Exposure Data Analysis and Visualization: Building Cybersecurity Awareness and Validating Risks. Eng. Proc. 2026, 128, 33. https://doi.org/10.3390/engproc2026128033
