
Seven Frameworks Recorded Zero CVEs Last Year. The Pattern Is Architectural.

Django, Laravel, Astro, Flask, FastAPI, Gatsby, and Hugo share a common trait that legacy CMS platforms lack.


The Zero-CVE Cohort

WebPulse tracks CVE data from the National Vulnerability Database across 25 web frameworks. In the most recent annual collection, seven frameworks recorded zero new CVEs: Django, Laravel, Astro, Flask, FastAPI, Gatsby, and Hugo. This is not a statistical fluke. These seven frameworks span four programming languages (Python, PHP, JavaScript, Go), multiple architectural paradigms (full-stack, micro-framework, static generator), and wildly different adoption scales. What they share is more instructive than what separates them.

The obvious question is whether zero CVEs reflects genuine security or mere obscurity. The data answers that. Django powers Instagram, Mozilla, and NASA. Laravel is the dominant PHP framework by GitHub stars and community activity. Flask and FastAPI are the backbone of Python web services globally. Hugo generates sites for organizations ranging from Cloudflare to the Linux Foundation. These are not niche tools flying below the radar of security researchers. They are high-profile targets that produced no new vulnerability disclosures in the measured period.

Django CVEs last year: 0 (294 total, score 80)
Laravel CVEs last year: 0 (218 total, score 80)
FastAPI CVEs last year: 0 (39 total, score 95)
Source: NVD/NIST via WebPulse (June 2026)

What the Seven Share

The common trait across these frameworks is not language, age, or popularity. It is scope discipline. Each of these frameworks does one thing and delegates the rest. Django handles request routing, ORM, and templating but pushes authentication extensions, file storage, and third-party integrations into well-audited, separately maintained packages. Flask and FastAPI go further, providing minimal cores that handle HTTP and leave everything else to the developer's explicit choices. Hugo compiles Markdown to static HTML and stops. No runtime, no database, no plugin execution.

Contrast this with the CMS model. WordPress carries 18,321 CVEs. Drupal carries 1,376. Joomla carries 1,313. These platforms share a different architectural trait: they are monolithic systems with expansive plugin ecosystems where third-party code executes with the same privileges as core code. The plugin model that made CMS platforms accessible to non-developers is the same model that produces four-digit and five-digit CVE counts. Every plugin is an extension of the attack surface that core maintainers cannot fully control.

WordPress total CVEs: 18,321
Source: NVD/NIST via WebPulse (June 2026)

The Plugin Ecosystem Divide

The zero-CVE frameworks share a second trait: their extension models are explicit rather than ambient. When a Django developer adds functionality, they install a Python package, import it, and wire it into the application's URL configuration or middleware stack. The developer sees every dependency. The dependency does not gain automatic access to the database, the admin interface, or the file system. When a WordPress administrator installs a plugin, that plugin gains access to the entire WordPress runtime: database queries, file operations, HTTP requests, and administrative functions. The difference is not philosophical — it is mechanical, and the CVE data reflects it.

Flask's extension ecosystem illustrates the pattern well. Flask has 186 total CVEs and zero in the last year. Flask-Login, Flask-SQLAlchemy, and Flask-CORS are separate packages with separate vulnerability tracking. A CVE in Flask-SQLAlchemy does not count against Flask's core CVE record, but more importantly, it cannot compromise Flask's core request handling because the extension model enforces separation. This is the architectural boundary that CMS plugin systems lack.

Flask CVEs last year: 0 (186 total, score 90)
Source: NVD/NIST via WebPulse (June 2026)

Score Distribution Tells the Story

WebPulse's composite scoring model captures this architectural divide in quantitative terms. Among the zero-CVE cohort, scores range from 80 (Django, Laravel) to 100 (Hugo, Gatsby). The variation reflects differences in overall project health — community size, release cadence, AI readiness — but the security dimension is uniformly strong. Among the legacy CMS platforms, scores cluster between 25 (WordPress) and 70 (Drupal). The security dimension drags composite scores down despite active development and large contributor bases.

Astro, the newest framework in the zero-CVE cohort, scores 90 on the composite index. It launched after the architectural lessons of the CMS era were well understood. Its island architecture sends zero JavaScript to the client by default, renders pages at build time, and hydrates interactive components in isolation. The design reflects a generation of developers who watched WordPress accumulate 18,000 CVEs and asked what the minimum viable attack surface for a web framework looks like. Astro is one answer.

What This Means for Technology Selection

The seven-framework pattern does not mean these tools are invulnerable. Django has 294 total CVEs across its history. Laravel has 218. Mature frameworks accumulate vulnerability records over time. The relevant metric is trajectory: zero new CVEs in the most recent year indicates that the current codebase, at its current scale of adoption and scrutiny, is producing no new disclosed vulnerabilities. That is a qualitatively different security posture than a platform adding new CVEs quarterly.
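The trajectory metric used here (total CVEs versus CVEs published in the trailing year) and the point made above that a Flask-SQLAlchemy advisory is tracked separately from Flask can both be reproduced from NVD records. The Python below is an added example, not WebPulse's code or collection pipeline. It assumes the NVD 2.0 JSON layout (cve.id, cve.published, cve.configurations[].nodes[].cpeMatch[].criteria), uses constructed records with placeholder CVE ids, and the vendor strings in FRAMEWORK_CPES are assumptions rather than values checked against NVD.

```python
"""Count total and last-year CVEs per framework from NVD-style records.

Added example with constructed data; not WebPulse's collection pipeline.
Assumes the NVD 2.0 JSON layout (cve.id, cve.published,
cve.configurations[].nodes[].cpeMatch[].criteria). CVE ids, dates and the
vendor strings below are placeholders chosen for illustration.
"""
from datetime import datetime, timedelta

# Exact (vendor, product) CPE pairs attributed to each tracked project.
# Matching on the exact product field, not a substring, is what keeps a
# Flask-SQLAlchemy advisory from counting against Flask.
FRAMEWORK_CPES = {
    "Django": {("djangoproject", "django")},
    "Flask": {("palletsprojects", "flask")},
    "Flask-SQLAlchemy": {("palletsprojects", "flask-sqlalchemy")},  # assumed vendor
}

NOW = datetime(2026, 6, 1)  # reference date for the "last year" window


def parse_cpe(criteria):
    """Return (vendor, product) from a CPE 2.3 string, or None if malformed."""
    parts = criteria.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    return parts[3], parts[4]


def affected_frameworks(cve):
    """Tracked projects whose vulnerable CPEs appear in one CVE record."""
    hit = set()
    for cfg in cve.get("configurations", []):
        for node in cfg.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if not match.get("vulnerable", False):
                    continue  # "running on/with" entries are not the flawed product
                key = parse_cpe(match.get("criteria", ""))
                for name, cpes in FRAMEWORK_CPES.items():
                    if key in cpes:
                        hit.add(name)
    return hit


def count_cves(records, now=NOW, window_days=365):
    """Per-project totals and counts published within the trailing window."""
    counts = {name: {"total": 0, "last_year": 0} for name in FRAMEWORK_CPES}
    cutoff = now - timedelta(days=window_days)
    seen = set()
    for rec in records:
        cve = rec["cve"]
        if cve["id"] in seen:
            continue  # paged API responses can repeat an id; count it once
        seen.add(cve["id"])
        # NVD timestamps look like 2026-01-12T10:15:00.000; drop the fraction.
        published = datetime.strptime(cve["published"][:19], "%Y-%m-%dT%H:%M:%S")
        for name in affected_frameworks(cve):
            counts[name]["total"] += 1
            if published >= cutoff:
                counts[name]["last_year"] += 1
    return counts


def zero_cve_cohort(counts):
    """Projects with no CVE published inside the window, in name order."""
    return sorted(name for name, c in counts.items() if c["last_year"] == 0)


def make_record(cve_id, published, criteria, vulnerable=True):
    """Build one NVD-2.0-shaped record (constructed test data)."""
    cpe_match = {"vulnerable": vulnerable, "criteria": criteria}
    node = {"operator": "OR", "negate": False, "cpeMatch": [cpe_match]}
    return {"cve": {"id": cve_id, "published": published,
                    "configurations": [{"nodes": [node]}]}}


# Constructed sample: placeholder ids, not real advisories.
SAMPLE_NVD = [
    make_record("CVE-0000-0001", "2023-05-01T00:00:00.000",
                "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"),
    make_record("CVE-0000-0002", "2024-02-20T00:00:00.000",
                "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"),
    make_record("CVE-0000-0003", "2024-08-30T00:00:00.000",
                "cpe:2.3:a:palletsprojects:flask:*:*:*:*:*:*:*:*"),
    make_record("CVE-0000-0004", "2026-01-12T10:15:00.000",
                "cpe:2.3:a:palletsprojects:flask-sqlalchemy:*:*:*:*:*:*:*:*"),
    make_record("CVE-0000-0004", "2026-01-12T10:15:00.000",  # duplicate page entry
                "cpe:2.3:a:palletsprojects:flask-sqlalchemy:*:*:*:*:*:*:*:*"),
    make_record("CVE-0000-0005", "2026-02-01T00:00:00.000",  # flask listed only as context
                "cpe:2.3:a:palletsprojects:flask:*:*:*:*:*:*:*:*", vulnerable=False),
]

if __name__ == "__main__":
    result = count_cves(SAMPLE_NVD)
    for name, c in result.items():
        print(f"{name:17} last year: {c['last_year']}  total: {c['total']}")
    print("zero-CVE cohort:", zero_cve_cohort(result))
```

Two details matter for this kind of count. Only cpeMatch entries flagged vulnerable are attributed, so a framework that appears in a record merely as the platform another product runs on is not charged with that CVE; and ids are deduplicated because paged API responses can repeat entries. The separation the counter enforces is one of attribution: an extension's advisory never lands on the framework's record. Whether a flawed extension can affect the running application is a separate question, since it executes in the same process as the framework that loaded it.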

Hugo sits at the extreme end of this spectrum with zero total CVEs across its entire NVD history, earning a WebPulse security score of 100. For organizations evaluating framework choices, the zero-CVE cohort offers a decision-relevant data point. These frameworks prove that active, widely adopted web tools can go an entire year without a single new vulnerability disclosure. That outcome is not inevitable — it is the product of architectural decisions made early and maintained consistently. The data does not prescribe a specific framework. It identifies a pattern: scope discipline, explicit extension models, and minimal default attack surface produce measurably different security outcomes than monolithic platforms with ambient plugin privileges.
