SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers
FIRST raises 2026 vulnerability forecast to 66,000 CVEs

Thu, 18th Jun 2026
Sofiah Nichole Salivio, News Editor

FIRST has raised its 2026 vulnerability disclosure forecast to about 66,000 CVEs after a mid-year update from the incident response and security body.

Common Vulnerabilities and Exposures disclosures are running 46.3% above the level projected earlier this year, with 6,420 more CVEs recorded through April than expected under the previous model.

That would put 2026 close to 70,000 published vulnerabilities, up from a February median forecast of 59,427, and mark a historic high in annual disclosure volume.

Researchers behind the forecast said the rise does not point to a broad deterioration in software quality. Instead, they attributed it to changes in how flaws are found and reported.

The main factors were AI-assisted vulnerability discovery, a 449% year-on-year rise in GitHub Security Advisory volume, and a 3,119% increase in activity from VulnCheck as a CVE Numbering Authority handling previously unassigned vulnerabilities.

The report also found that the number of distinct software products with tracked vulnerabilities has grown by two orders of magnitude, increasing the workload for security teams even where exploitability levels remain stable.

Risk picture

Despite the jump in raw disclosures, the volume of vulnerabilities posing immediate practical risk has not risen at the same pace. FIRST measured that narrower set using entries in the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog and vulnerabilities with Exploit Prediction Scoring System scores above 10%.

That distinction matters for companies deciding how to allocate staff and patching effort. Security teams using exploitability-based triage methods should not need to increase headcount in line with total CVE volumes, the organisation said.
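The exploitability overlay FIRST describes above (and recommends later in the piece) reduces to a single rule: a CVE counts as immediate practical risk if it is in CISA's KEV catalog or its EPSS score is above 10%. The following is an added example, not FIRST's code or data, that applies that rule to a constructed batch of records with obviously placeholder identifiers, orders the survivors for patching, and contrasts the result with a severity-only (CVSS) cut to show why headcount need not track raw CVE volume:

```python
"""Exploitability-overlay triage, as an added example (not FIRST's code).

Rule from the article: a CVE is "immediate practical risk" if it is listed in
CISA's Known Exploited Vulnerabilities (KEV) catalog OR its EPSS score is
above 10%. Everything else here (record layout, sample feed, ordering) is an
assumption made for the demonstration.
"""
from dataclasses import dataclass

# Threshold stated in the article: EPSS above 10% (0.10).
EPSS_THRESHOLD = 0.10


@dataclass(frozen=True)
class CveRecord:
    cve_id: str   # placeholder identifier, not a real CVE
    epss: float   # EPSS probability of exploitation, 0.0-1.0
    in_kev: bool  # listed in CISA KEV
    cvss: float   # base score, kept only to contrast severity-only triage


# Constructed sample feed; "CVE-EXAMPLE-nnnn" are placeholders, not real CVEs.
SAMPLE_FEED = [
    CveRecord("CVE-EXAMPLE-0001", epss=0.92, in_kev=True, cvss=9.8),
    CveRecord("CVE-EXAMPLE-0002", epss=0.03, in_kev=True, cvss=7.5),   # KEV wins despite low EPSS
    CveRecord("CVE-EXAMPLE-0003", epss=0.41, in_kev=False, cvss=6.1),
    CveRecord("CVE-EXAMPLE-0004", epss=0.10, in_kev=False, cvss=9.1),  # exactly 10%: not "above"
    CveRecord("CVE-EXAMPLE-0005", epss=0.004, in_kev=False, cvss=9.9), # critical CVSS, negligible EPSS
    CveRecord("CVE-EXAMPLE-0006", epss=0.17, in_kev=False, cvss=5.3),
    CveRecord("CVE-EXAMPLE-0007", epss=0.001, in_kev=False, cvss=4.0),
    CveRecord("CVE-EXAMPLE-0008", epss=0.000, in_kev=False, cvss=8.8),
]


def is_practical_risk(rec: CveRecord, threshold: float = EPSS_THRESHOLD) -> bool:
    """The overlay rule as the article states it: KEV membership OR EPSS above threshold."""
    return rec.in_kev or rec.epss > threshold


def triage(feed, threshold: float = EPSS_THRESHOLD):
    """Practical-risk subset ordered for patching: KEV entries first, then EPSS descending."""
    hits = [r for r in feed if is_practical_risk(r, threshold)]
    # (not in_kev) sorts True-before-False; -epss puts higher probabilities first.
    return sorted(hits, key=lambda r: (not r.in_kev, -r.epss))


def overlay_ratio(feed, threshold: float = EPSS_THRESHOLD) -> float:
    """Fraction of the raw feed that survives the overlay (1.0 means no reduction)."""
    if not feed:
        return 0.0
    return len(triage(feed, threshold)) / len(feed)


def cvss_only_triage(feed, min_score: float = 9.0):
    """Severity-only selection, for contrast: CVSS base score alone, no exploit evidence."""
    return [r for r in feed if r.cvss >= min_score]


if __name__ == "__main__":
    queue = triage(SAMPLE_FEED)
    print(f"raw feed: {len(SAMPLE_FEED)} CVEs; practical-risk set: {len(queue)} "
          f"({overlay_ratio(SAMPLE_FEED):.0%} of raw volume)")
    for r in queue:
        tag = "KEV" if r.in_kev else f"EPSS {r.epss:.2f}"
        print(f"  {r.cve_id}  {tag}")
    print("CVSS>=9.0 alone would instead select:",
          [r.cve_id for r in cvss_only_triage(SAMPLE_FEED)])
```

Note the two edge cases the sample is built to exercise: a KEV entry with a low EPSS score is still queued (confirmed exploitation trumps the probability model), and a record sitting exactly on the 10% line is excluded because the rule says "above". The CVSS-only selection picks a different, partly non-overlapping set, which is the point of the article's distinction between raw volume and practical risk.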

"We're witnessing a major shift in the vulnerability landscape, not because software is suddenly less secure, but because our collective ability to find flaws has been structurally transformed," said Éireann Leverett, FIRST Liaison and lead member of FIRST's Vulnerability Forecasting Team.

"The challenge for defenders is no longer the discovery of vulnerabilities; it's the capacity to verify, coordinate, and prioritize them at a scale the industry has never seen before."

Jerry Gamblin, a co-author of the forecast, described the trend as a filtering problem rather than a counting exercise.

"In 2026, the rain doesn't stop. The job is no longer counting the drops. It's knowing which ones will overrun the levee," said Gamblin, who is also a member of FIRST's EPSS SIG.

"That is exactly what exploitability overlays are designed to help teams do."

AI effect

FIRST linked part of the rise directly to AI-assisted bug-hunting tools, which it said are helping researchers identify flaws in older code bases more quickly. As one example, it pointed to a 164% rise in first-quarter CVE disclosures from the Mozilla CNA, attributing that increase to AI-assisted tooling used against the Firefox engine.

The forecast suggests security teams are entering a period in which automated discovery on the defensive side may be matched by faster exploit development from attackers. That prospect is likely to sharpen attention on patching speed and tools that help prioritise fixes.

FIRST urged organisations to rethink security budgets around growth in software estates, adopt exploitability overlays such as EPSS and the CISA catalog, and prepare for a higher patching workload. It also called on companies to use defensive AI tools to help reduce remediation times.

The update compared actual CVE publication data from January to April 2026 with the earlier annual forecast. The model used daily publication counts from January 2020 through the end of April 2026 and incorporated exploitability data from the CISA KEV catalog and EPSS scoring.

FIRST, founded in 1990, brings together incident response and security teams from more than 850 corporations, government bodies, universities, and other institutions across 118 countries. It said the scale of current vulnerability reporting makes information sharing and coordinated response more important as disclosure volumes continue to rise.

"No organization can solve this all alone, which is precisely why FIRST exists," said Chris Gibson, Chief Executive Officer of FIRST.

"The teams that will weather the vulnerability storm of 2026 are the ones with trusted networks already in place, who are sharing intelligence and are coordinating response before any crises hit. That's the work happening in Denver this week."