Q1 2026 Production Data
All 58 Confirmed PreCVE Detections
Every row below is a vulnerability VulNow surfaced before its CVE was published. Lead time is the gap between VulNow's PreCVE detection and the official CVE publication date.
58
Confirmed Detections
6.6d
Avg Lead Time
154d
Max Lead Time
28
Packages
| # | Package | Lead Time | PreCVE ID | CVE | Severity |
|---|---|---|---|---|---|
| 1 | axios | 154d 15h | VULNOW-2025-00485 | CVE-2026-39865 | Medium |
| 2 | react-router | 93d 16h | VULNOW-2025-00050 | CVE-2025-61686 | Critical |
| 3 | authlib | 26d | VULNOW-2026-01604 | CVE-2026-28802 | Critical |
| 4 | authlib | 14d 5h | VULNOW-2026-02264 | CVE-2026-28498 | High |
| 5 | authlib | 14d 4h | VULNOW-2026-02262 | GHSA-7432-952r-cw78 | High |
| 6 | authlib | 14d 4h | VULNOW-2026-02261 | CVE-2026-27962 | Critical |
| 7 | authlib | 8d 6h | VULNOW-2025-00029 | CVE-2025-61920 | High |
| 8 | yaml | 4d 5h | VULNOW-2026-02644 | CVE-2026-33532 | Medium |
| 9 | aiohttp | 4d 2h | VULNOW-2026-02808 | CVE-2026-34518 | Medium |
| 10 | aiohttp | 4d 2h | VULNOW-2026-02806 | CVE-2026-34525 | Medium |
| 11 | rollup | 3d 57m | VULNOW-2026-01711 | CVE-2026-27606 | Critical |
| 12 | aiohttp | 2d 4h | VULNOW-2026-01243 | CVE-2025-69229 | Medium |
| 13 | aiohttp | 2d 4h | VULNOW-2026-01240 | CVE-2025-69226 | Medium |
| 14 | aiohttp | 2d 4h | VULNOW-2026-01241 | CVE-2025-69223 | High |
| 15 | react-router | 2d 2h | VULNOW-2026-01265 | CVE-2026-22030 | Medium |
| 16 | react-router | 2d 2h | VULNOW-2026-01255 | CVE-2026-22029 | High |
| 17 | react-router | 2d 2h | VULNOW-2026-01263 | CVE-2026-21884 | High |
| 18 | serialize-javascript | 2d 1h | VULNOW-2026-02727 | CVE-2026-34043 | Medium |
| 19 | picomatch | 1d 21h | VULNOW-2026-02683 | CVE-2026-33672 | Medium |
| 20 | picomatch | 1d 20h | VULNOW-2026-02686 | CVE-2026-33671 | High |
| 21 | cryptography | 1d 18h | VULNOW-2026-02735 | CVE-2026-34073 | Medium |
| 22 | node-tar | 1d 12h | VULNOW-2026-02378 | GHSA-9ppj-qmqm-q256 | High |
| 23 | minimatch | 1d 10h | VULNOW-2026-01829 | CVE-2026-27903 | High |
| 24 | minimatch | 1d 10h | VULNOW-2026-01835 | CVE-2026-27904 | High |
| 25 | socket.io | 1d 4h | VULNOW-2026-02550 | CVE-2026-33151 | High |
| 26 | multer | 1d 3h | VULNOW-2026-02222 | CVE-2026-3304 | High |
| 27 | multer | 1d 3h | VULNOW-2026-02221 | CVE-2026-2359 | High |
| 28 | fast-xml-parser | 1d 3h | VULNOW-2026-02529 | CVE-2026-33036 | High |
| 29 | undici | 1d 14m | VULNOW-2026-02472 | CVE-2026-1527 | Medium |
| 30 | undici | 1d 14m | VULNOW-2026-02474 | CVE-2026-2229 | High |
| 31 | undici | 23h 45m | VULNOW-2026-02473 | CVE-2026-1525 | Medium |
| 32 | undici | 23h 45m | VULNOW-2026-02475 | CVE-2026-1528 | High |
| 33 | pyjwt | 23h 31m | VULNOW-2026-02476 | CVE-2026-32597 | High |
| 34 | pyasn1 | 12h 14m | VULNOW-2026-02546 | CVE-2026-30922 | High |
| 35 | path-to-regexp | 11h 16m | VULNOW-2026-02752 | CVE-2026-4923 | Medium |
| 36 | path-to-regexp | 11h 16m | VULNOW-2026-02753 | CVE-2026-4926 | High |
| 37 | svelte | 11h 2m | VULNOW-2026-01871 | CVE-2026-27901 | Medium |
| 38 | svelte | 11h 2m | VULNOW-2026-01870 | CVE-2026-27902 | Medium |
| 39 | flask | 10h 4m | VULNOW-2026-01688 | CVE-2026-27205 | Medium |
| 40 | marshmallow | 9h 50m | VULNOW-2025-01034 | CVE-2025-68480 | Medium |
| 41 | black | 8h 23m | VULNOW-2026-02463 | CVE-2026-32274 | High |
| 42 | svgo | 5h 45m | VULNOW-2026-02326 | CVE-2026-29074 | High |
| 43 | lodash | 5h 45m | VULNOW-2026-01444 | CVE-2025-13465 | Medium |
| 44 | multer | 5h 31m | VULNOW-2026-02330 | CVE-2026-3520 | High |
| 45 | serialize-javascript | 5h 16m | VULNOW-2026-02224 | CVE-2020-7660 | High |
| 46 | svelte | 4h 48m | VULNOW-2026-01687 | CVE-2026-27119 | Medium |
| 47 | svelte | 4h 48m | VULNOW-2026-01686 | CVE-2026-27121 | Medium |
| 48 | svelte | 4h 48m | VULNOW-2026-01685 | CVE-2026-27122 | Medium |
| 49 | werkzeug | 3h 36m | VULNOW-2026-01700 | CVE-2026-27199 | Medium |
| 50 | fast-xml-parser | 1h 40m | VULNOW-2026-02616 | CVE-2026-33349 | Medium |
| 51 | lodash | 1h 40m | VULNOW-2026-02905 | CVE-2026-4800 | High |
| 52 | undici | 57m | VULNOW-2026-02471 | CVE-2026-1526 | High |
| 53 | fast-xml-parser | 43m | VULNOW-2026-02114 | CVE-2026-27942 | High |
| 54 | react | 28m | VULNOW-2026-01489 | CVE-2026-23864 | High |
| 55 | requests | 28m | VULNOW-2026-02728 | CVE-2026-25645 | Medium |
| 56 | django | 14m | VULNOW-2026-01584 | CVE-2026-1285 | High |
| 57 | django | 14m | VULNOW-2026-01585 | CVE-2025-14550 | High |
| 58 | django | 14m | VULNOW-2026-01586 | CVE-2025-13473 | Medium |
58 confirmed Q1 2026 PreCVE detections · 28 packages across npm and PyPI · 13.2B combined monthly downloads · Severity reflects post-publication CVE assessment.