The Cohort
Hugo has zero total CVEs. HTMX has zero critical CVEs. Astro has zero critical CVEs. SvelteKit has zero critical CVEs. These are not obscure experiments — they are production frameworks running on some of the world's most-visited websites. And in WebPulse's July 2026 census of the Tranco top 10,000, every one of them grew its market share.
Hugo nearly doubled its share — from 0.47% in May 2025 to 0.88% in July 2026. Astro grew from 1.86% to 2.24%. HTMX, the HTML-attribute library with a 14KB footprint, grew from 0.27% to 0.33%. Combined, the zero-CVE cohort's share rose from 3.2% to 4.1% of all detected frameworks in the top 10K.
Why Zero CVEs Is Not an Accident
Hugo is a static site generator written in Go. It compiles Markdown to HTML at build time. There is no runtime, no server process, no plugin system, no database connection. The deployed output is flat files served by a CDN. The attack surface is the CDN's, not Hugo's. This is why Hugo's CVE count is zero — not because nobody looked, but because there is nothing to find.
HTMX follows the same principle from a different direction. It is 14KB of JavaScript that extends HTML with AJAX attributes. It does not manage state, run on the server, handle authentication, or process uploads. Business logic stays on the server where security controls already exist. The client does presentation. Presentation does not generate CVE classes.
Astro ships zero JavaScript by default. Islands of interactivity are opt-in. The default output is static HTML. SvelteKit compiles components to vanilla JavaScript with no runtime framework overhead. In every case, the architecture achieves security by removing capability rather than adding protection.
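The "flat files" and "zero JavaScript by default" properties described above can be checked against an actual build instead of being taken on trust. The following is an added example, not code from WebPulse or from any of the frameworks: it audits a static output directory such as Hugo's `public/` or Astro's `dist/`. The extension list, the constructed sample files and all function names are assumptions made for illustration.

```python
import tempfile
from html.parser import HTMLParser
from pathlib import Path

SERVER_EXEC = {".php", ".cgi", ".pl", ".py", ".jsp", ".asp", ".aspx"}  # assumed list
DATA_TYPES = {"application/json", "application/ld+json"}  # <script> holding data, not code

class ScriptCounter(HTMLParser):
    """Tallies script tags, Astro islands and inline on* handlers in one HTML page."""
    def __init__(self):
        super().__init__()
        self.seen = {"external": 0, "inline": 0, "islands": 0, "handlers": 0}
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and (attrs.get("type") or "").lower() not in DATA_TYPES:
            self.seen["external" if attrs.get("src") else "inline"] += 1
        elif tag == "astro-island":  # element Astro emits around an opted-in island
            self.seen["islands"] += 1
        self.seen["handlers"] += sum(n.startswith("on") for n in attrs)  # onclick= etc.

def audit_build(root):
    """Report server-executable files and per-page script counts under root."""
    report = {"server_exec": [], "pages": {}}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in SERVER_EXEC:
            report["server_exec"].append(rel)
        elif path.suffix.lower() in {".html", ".htm"}:
            counter = ScriptCounter()
            counter.feed(path.read_text(encoding="utf-8", errors="replace"))
            report["pages"][rel] = counter.seen
    return report

def audit_sample():
    """Audit a constructed tree: a script-free page, an island page, a stray .php."""
    files = {
        "index.html": '<html><body><h1>Hi</h1><script type="application/ld+json">{}</script></body></html>',
        "app.html": '<astro-island><button onclick="inc()">+</button></astro-island><script src="/_astro/c.js"></script>',
        "old/info.php": "<?php echo 1; ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return audit_build(root)

if __name__ == "__main__":
    print(audit_sample())
```

Run in CI after the build step, a non-empty `server_exec` list or an unexpected script count on a page meant to be static is a signal that the deployed surface has grown beyond flat HTML.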
The Migration Signal
WebPulse tracked 2,958 domains present in both the May 2025 and July 2026 censuses. Four domains migrated from Next.js to Astro, moving from a framework with under 50 CVEs to one with zero. This is a small number in absolute terms, but the direction is significant. Organizations are not just migrating away from legacy platforms. Some are migrating away from modern frameworks toward the simplest possible stack.
The broader context reinforces this. WordPress, with 18,253 CVEs, dropped 8 percentage points. Drupal, with over 2,500 CVEs, dropped 5.9 points. The high-traffic web is actively shedding vulnerability surface. The zero-CVE cohort is where some of that traffic is landing.
What 4.1% Means
Four percent of the frameworks detected across the top 10,000 websites may sound small. But these are frameworks that barely registered two years ago. Astro launched in 2021. HTMX's current form dates to 2020. SvelteKit reached 1.0 in 2022. They are competing against platforms with 15 to 20 years of ecosystem momentum, and they are growing faster than every legacy alternative.
The zero-CVE cohort is not a category that any vendor markets. Nobody is selling zero-CVE as a feature. It is an emergent property of architectural decisions — small footprint, no runtime, server-side logic, compilation over interpretation. The market is selecting for these properties without anyone naming them. The share growth is the signal. The zero CVE count is the mechanism.


