VulNow Q1 2026: 58 PreCVE Detections Confirmed

First full quarter of production PreCVE intelligence: 58 verified detections across 28 packages and 13.2 billion monthly downloads, with average lead time of 6.6 days.

Q1 2026 Report

Q1 2026 marks VulNow's first full quarter of production PreCVE intelligence. Across 28 open source packages with a combined 13.2 billion monthly downloads, VulNow confirmed 58 detections before public CVE disclosure, with lead times ranging from 14 minutes to 154 days. Average lead time: 6.6 days.

58: PreCVE detections verified before CVE publication
154d: Maximum lead time (axios, CVE-2026-39865)
6.6d: Average advance warning across all 58 detections

Download Full Report (PDF, 3.2 MB)

Executive summary

Most security programs are blind until a CVE exists. VulNow eliminates that blind spot. In Q1 2026, VulNow identified 58 verified vulnerabilities before public CVE disclosure across a subset of open source packages representing 13.2 billion monthly downloads. Every detection was later confirmed by a published CVE.

These detections were not isolated to niche components. They occurred in widely deployed libraries including axios, react, django, authlib, undici, lodash, and cryptography: foundational dependencies across modern software systems.

This report provides the first production evidence of PreCVE detection at scale. The dataset reflects only a portion of packages currently under analysis as ingestion and validation pipelines scale.

The core finding

Vulnerabilities in widely used open source packages are often discoverable before any CVE is published. The fix exists in the code. The advisory does not. Security teams scanning CVE feeds have no signal to act on during this window. Attackers, however, do not rely on CVE publication to identify exploitable conditions. VulNow operates in that gap.

The exploitation race

When a CVE is published, two clocks start simultaneously. Palo Alto Networks' Cortex Xpanse team found that attackers begin scanning for vulnerable systems within 15 minutes of a CVE announcement. Organizations take an average of 12 hours to identify which systems are exposed. The average time to patch a critical vulnerability is 16 days. Mandiant's analysis found a mean time to exploitation of 5 days in 2023, down from 63 days in 2018.

A 16-day average patching window against a 5-day average exploitation window is not a security posture. It is an assumption that attackers will select other targets during the interim.

The silent fix dynamic

The 154-day axios detection illustrates the underlying mechanism. Maintainers fix security bugs. They do not always file CVEs immediately, and coordinated disclosure processes frequently run on timelines measured in months. During that window, some users update organically and receive the fix without ever knowing a vulnerability existed. Most users do not. CVE-based security tools have no signal to surface.

This is not an edge case. It is a structural feature of how open source security maintenance works in practice. Unit 42's analysis found that 80% of exploits are published before the corresponding CVE is officially released. VulnCheck's 2024 analysis confirmed that 23.6% of CVEs added to CISA's KEV catalog were already being weaponized on or before the day the CVE was publicly disclosed.

Lead time distribution

Window              | Count | Share
More than 30 days   | 2     | 3%
1 day to 30 days    | 28    | 48%
1 hour to 24 hours  | 23    | 40%
Under 1 hour        | 5     | 9%

Download exposure: what was at stake

During the 154-day axios detection window, approximately 2.22 billion downloads of axios occurred while CVE-based scanners had nothing to flag. React-router: ~616 million downloads across 93 days. Authlib: ~109 million across 26 days. Combined across all 28 monitored packages: approximately 13.2 billion downloads per month.
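The lead time distribution table and the download exposure figures above are both derived from the same two timestamps per detection: when the fix landed in the package's public repository and when the CVE was published. The following script is an added example, not VulNow's code or data: it computes the lead time for a set of constructed detection records, sorts them into the report's four windows, and estimates how many downloads occurred while no CVE existed. The package names, timestamps and download counts are constructed, and the mean month length of 30.44 days is an assumption used to scale monthly download figures to the detection window.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records (not figures from the VulNow report). Each record
# holds the public fix commit time, the CVE publication time and an assumed
# monthly download count for the package.
SAMPLE_DETECTIONS = [
    {"package": "example-http-client", "fix": "2025-10-01T09:00:00Z",
     "cve": "2026-03-04T12:00:00Z", "monthly_downloads": 450_000_000},
    {"package": "example-router", "fix": "2026-01-10T08:30:00Z",
     "cve": "2026-01-22T08:30:00Z", "monthly_downloads": 200_000_000},
    {"package": "example-auth", "fix": "2026-02-14T10:00:00Z",
     "cve": "2026-02-14T15:45:00Z", "monthly_downloads": 120_000_000},
    {"package": "example-utils", "fix": "2026-03-20T11:00:00Z",
     "cve": "2026-03-20T11:14:00Z", "monthly_downloads": 60_000_000},
]

# Assumption: mean Gregorian month length, used to scale monthly downloads
# to an arbitrary window length.
AVG_MONTH_DAYS = 30.44

# Labels match the report's lead time distribution table.
BUCKET_OVER_30D = "More than 30 days"
BUCKET_1D_30D = "1 day to 30 days"
BUCKET_1H_24H = "1 hour to 24 hours"
BUCKET_UNDER_1H = "Under 1 hour"


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def lead_time(record):
    """Time between the public fix and CVE publication as a timedelta."""
    return parse_ts(record["cve"]) - parse_ts(record["fix"])


def lead_days(record):
    """Lead time expressed in fractional days."""
    return lead_time(record).total_seconds() / 86400


def bucket_for(lead):
    """Assign a timedelta lead time to one of the report's four windows."""
    if lead > timedelta(days=30):
        return BUCKET_OVER_30D
    if lead >= timedelta(days=1):
        return BUCKET_1D_30D
    if lead >= timedelta(hours=1):
        return BUCKET_1H_24H
    return BUCKET_UNDER_1H


def exposure(record):
    """Estimated downloads served during the window with no CVE to flag."""
    return record["monthly_downloads"] * lead_days(record) / AVG_MONTH_DAYS


def summarize(records):
    """Counts and shares per window, plus mean and maximum lead in days."""
    counts = Counter(bucket_for(lead_time(r)) for r in records)
    days = [lead_days(r) for r in records]
    return {
        "counts": dict(counts),
        "shares": {k: round(100 * v / len(records)) for k, v in counts.items()},
        "avg_lead_days": sum(days) / len(days),
        "max_lead_days": max(days),
        "exposure": {r["package"]: round(exposure(r)) for r in records},
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_DETECTIONS)
    for window, count in summary["counts"].items():
        print(f"{window:<20} {count:>3} {summary['shares'][window]:>3}%")
    print(f"average lead: {summary['avg_lead_days']:.1f} days, "
          f"max lead: {summary['max_lead_days']:.1f} days")
    for pkg, downloads in summary["exposure"].items():
        print(f"{pkg:<22} ~{downloads:,} downloads during the window")
```

The exposure estimate is deliberately simple: it assumes downloads are spread evenly across the month, which overstates exposure for packages whose traffic is bursty and says nothing about how many of those downloads went to systems that were actually reachable. It is a prioritisation signal for which unflagged fixes to pull forward, not a measure of compromise.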

Severity correlation

Two detections rated Critical by VulNow resolved to Critical CVEs, an exact match. In some cases, VulNow rated detections higher than the eventual CVE score, reflecting how standard CVE scoring systematically underweights impact for packages with very high distribution. At 500 million or 1 billion monthly downloads, a vulnerability that scores Moderate in isolation carries a materially different risk profile in practice.

Summary statistics

Metric                                     | Value
PreCVE detections confirmed                | 58
Average lead time                          | 6.6 days
Packages covered                           | 28
Combined monthly downloads                 | ~13.2 billion
Maximum lead time                          | 154 days 15h (axios, CVE-2026-39865)
Detections with more than 1 day lead time  | 30 of 58 (52%)
Packages with most confirmed CVEs          | authlib, aiohttp, svelte, undici (5 each)

This is an early but meaningful signal of what becomes possible when vulnerability discovery shifts from reactive to predictive. We are just beginning to scale.