Q1 2026 · 58 PreCVE Detections Confirmed

Eliminate the 40-Day Disclosure Chasm.

VulNow identifies verified vulnerabilities in your software supply chain an average of 6.6 days before they appear in public CVE feeds, before the attacker window opens. We call these Dark Matter Vulnerabilities™: security flaws that exist in production code, invisible to every CVE-based tool but exploitable by attackers.

Q1 2026 PreCVE Confirmation Data
58: Q1 PreCVE Detections
6.6d: Avg Lead Time
154d: Max Lead Time (axios)
13.2B: Monthly Downloads Covered

The Problem

Dark Matter Vulnerabilities™

The fix is in the code. The advisory is not. That gap (hours, days, or months wide) is where breaches happen and where CVE-based tools go blind.

Definition

Dark Matter Vulnerabilities™ are security flaws that exist in open source packages after a maintainer silently pushes a fix, but before any CVE or advisory is published. They are invisible to every scanner that relies on CVE feeds. Attackers can reverse-engineer the fix and begin exploiting unpatched systems immediately. Defenders have no signal, no patch notice, and no indication of exposure. VulNow detects these vulnerabilities in the pre-disclosure window and surfaces them as PreCVEs.

Vuln Identified

Maintainer discovers security-relevant bug in dependency

Silent Patch Committed

Fix pushed to repo. No CVE filed, no advisory issued

Releases Unprotected

Prior versions remain vulnerable. CVE scanners show all-clear.

Threat Actor Window

Attacker reverse-engineers patch, scans for exposed systems

CVE Published

Defenders finally receive signal, often weeks or months later

40d

CVE records take an average of 40 days to publish after ID assignment. 80% of exploits are published before the corresponding CVE is officially released (Unit 42, 2024). 23.6% of CVEs added to CISA's KEV catalog were already being weaponized on or before the day the CVE was disclosed (VulnCheck, 2024).

15m: Attacker scan start after CVE announcement
12h: Avg time defenders identify exposed systems
5d: Mean time to exploitation in 2025 (Mandiant)
16d: Avg time to patch a critical vulnerability

A 16-day patching window against a 5-day exploitation window is not a security posture. VulNow moves the signal before the chasm begins.

Q1 2026 Production Data

58 Verified PreCVE Detections

Every detection below was confirmed by a subsequently published CVE. Production intelligence from the first full quarter of VulNow operation.

| # | Package | Lead Time | PreCVE ID | CVE | Severity | Status |
|---|---------|-----------|-----------|-----|----------|--------|
| 1 | axios | 154d 15h | VULNOW-2025-00485 | CVE-2026-39865 | Medium | Confirmed |
| 2 | react-router | 93d 16h | VULNOW-2025-00050 | CVE-2025-61686 | Critical | Confirmed |
| 3 | authlib | 26d | VULNOW-2026-01604 | CVE-2026-28802 | Critical | Confirmed |
| 4 | authlib | 14d 5h | VULNOW-2026-02264 | CVE-2026-28498 | High | Confirmed |
| 5 | rollup | 3d 57m | VULNOW-2026-01711 | CVE-2026-27606 | Critical | Confirmed |
| 6 | aiohttp | 4d 2h | VULNOW-2026-02808 | CVE-2026-34518 | Medium | Confirmed |
| 7 | minimatch | 1d 10h | VULNOW-2026-01829 | CVE-2026-27903 | High | Confirmed |
| 8 | cryptography | 1d 18h | VULNOW-2026-02735 | CVE-2026-34073 | Medium | Confirmed |
| 9 | undici | 1d 14m | VULNOW-2026-02472 | CVE-2026-1527 | Medium | Confirmed |
| 10 | django | 14m | VULNOW-2026-01584 | CVE-2026-1285 | High | Confirmed |

Showing 10 of 58 confirmed Q1 detections · 28 packages · npm + PyPI · 13.2B combined monthly downloads

~2.22B: Downloads during axios PreCVE window (154d 15h lead time)
~616M: Downloads during react-router window (93d 16h lead time)
~109M: Downloads during authlib window (26d lead time)

Why CVE Feeds Are Not Enough

The Numbers Behind the Blind Spot

80%

Exploits precede CVE publication

80% of exploits are published before the corresponding CVE is officially released, with an average lead of 23 days (Unit 42, State of Exploit Development, 2024).

23.6%

Already weaponized at disclosure

CVEs added to CISA's Known Exploited Vulnerabilities catalog were already being weaponized on or before the day the CVE was publicly disclosed (VulnCheck, 2024).

52%

VulNow detections arrived 24h+ early

More than half of all Q1 2026 PreCVE detections arrived more than a full day before public CVE disclosure. Two arrived over a month early.

EU Cyber Resilience Act
✓ CRA-Ready Intelligence

PreCVE Intelligence Meets EU Regulatory Reality

The EU Cyber Resilience Act mandates that manufacturers of products with digital elements actively identify, document, and address vulnerabilities, including those not yet publicly disclosed. CVE-based tooling alone cannot satisfy this requirement.

VulNow's PreCVE intelligence directly addresses the CRA's requirements for proactive vulnerability handling, giving EU-regulated organizations a defensible, documented advantage over the silent fix window.

With hard deadlines in September 2026 and December 2027, organizations that have not established proactive vulnerability intelligence programs are already behind.

Proactive Vulnerability Identification

CRA Article 13 requires manufacturers to identify and document vulnerabilities, including those discovered before public disclosure. PreCVEs satisfy this before the CVE exists.

SBOM Hypercare

CRA mandates software bill of materials transparency. VulNow enriches your SBOM data with real-time PreCVE risk signals that your components carry before any CVE exists.

Empirical Severity for Regulated Environments

Standard CVE scoring underweights distribution scale. VulNow's empirically refined severity (Tier 2 plan) provides defensible risk classification for regulated product portfolios.

Two Ways to Use VulNow

Defend Your Stack, or Embed PreCVE in Your Product

Whether you're protecting your own software supply chain or shipping next-generation security tooling, PreCVE intelligence opens new categories of detection.

For CISOs, AppSec leads & product security teams

Defend Your Software Supply Chain

  • PreCVE alerts for your active dependencies before public disclosure
  • Prioritize remediation before CVE noise and alert fatigue begin
  • Reduce exposure window on foundational packages like react, axios, django
  • Severity calibrated to your real download exposure, not generic CVSS
  • Shift from reactive triage to proactive patching with a measurable lead time advantage
Intelligence & Research

From the VulNow Team

Original research on software supply chain risk, PreCVE intelligence, and the data behind modern vulnerability management.

Team

Built by People Who've Lived This Problem

Cassie Crossley

CEO & Co-Founder

Author of Software Supply Chain Security (O'Reilly). Former VP of Supply Chain Security at Schneider Electric (a €38B global enterprise), where she led product security and cyber resilience programs across complex international supply chains. Internationally recognized speaker and authority on vulnerability management, product risk, and EU regulatory compliance. Board director at Cybeats.

O'Reilly Author · 30+ years security leadership · Schneider Electric VP · EU CRA expertise · QTE designation

Valerio Mulas

CTO & Co-Founder

20+ years in security, cloud architecture, DevOps, and resilient infrastructure across regulated and mission-critical environments. Built and secured large-scale production systems in Banking and Fintech using AWS, Kubernetes, IaC, and CI/CD automation. Leads VulNow's technical platform, translating deep engineering expertise into scalable predictive vulnerability intelligence.

20+ years security engineering · Cloud architecture · DevSecOps · Banking & Fintech

Predictive Pilot Program

Don't Wait for the CVE.
Get the Signal First.

Join VulNow's Predictive Pilot Program. Receive live PreCVE detections for your dependency stack, or integrate our intelligence feed into your security platform.

Contact: info@vul.now · Netherlands-based · Serving EU & US markets