Common Criteria Vulnerabilities

Common Criteria Vulnerability Tracker

Aggregate vulnerability statistics for the Common Criteria certified product ecosystem. Counts cover CVEs linked to products tracked under CCRA, EUCC, SESIP, PSA Certified, ESA, EMVCo and MIFARE. No per-product attribution on this page; sign in to NenkinTracker to drill into the specific products affected.

Updated nightly · last CVE link 2026-04-14

  • 71
    distinct CVEs tracked
  • 13
    CC certified products with CVEs
  • 0.6%
    of tracked products affected
  • 9
    distinct vendors affected

CVEs per product

Distribution of CVE counts across affected products. Most affected products have only a small number of linked CVEs; the long tail is a small set of widely-deployed components with extensive CVE history.

  • 1 CVE 6
  • 2-5 CVEs 4
  • 6-10 CVEs 1
  • 11+ CVEs 2

Affected products by Evaluation Assurance Level

CVE-affected products at each EAL. A product certified at multiple EALs is counted once for each distinct level it holds.

  • EAL2 1
  • EAL4 1

CVE-affected products by year

Year-over-year count of certified products with at least one published CVE, by the year their NenkinTracker record was last updated.

  • 2026 13

Find out which scheme has the most vulnerable certified products

Per-scheme vulnerability rankings, vendor-level CVE exposure, and full per-product attribution are available in NenkinTracker. Follow any product, vendor, or scheme and get notified the moment a new CVE is linked, a certificate changes status, or a document version updates.

  • Per-scheme CVE breakdown: which schemes have the most CVE-affected certified products
  • Per-product CVE attribution and the full CVE ID list for every affected product you follow
  • Real-time notifications when a new CVE is linked to a product or vendor on your watch list
  • CVE timeline and mitigation context per certified product
See per-scheme CVE breakdown

30-day free trial. No credit card required.

About these statistics

NenkinTracker monitors public CVE feeds (the NIST National Vulnerability Database) and links discovered vulnerabilities to Common Criteria certified products in our catalog. The aggregates above cover CVEs published against products certified under one or more of CCRA, EUCC, SESIP, PSA Certified, ESA, EMVCo and MIFARE. CVE↔product matches are reviewed before publication.

Total CVE↔product links across the catalog: 73. A single CVE may be linked to several products if those products share a vulnerable component, so this number is higher than the 71 distinct CVEs above.

More on Common Criteria →