FIRST Mid-Year Vulnerability Forecast Confirms Historic Surge, Projects ~66,000 CVEs in 2026

AI and a rapidly expanding CVE ecosystem blow past February's already-record projections by 46%, but exploitable risk remains flat

DENVER, June 15, 2026 – Today at FIRST’s 38th Annual Conference, the Forum of Incident Response and Security Teams (FIRST) released its 2026 Mid-Year Vulnerability Forecast, revealing that actual CVE disclosures are already running 46.3% above the projections published just four months ago.

A mid-year reassessment shows disclosures are climbing faster than initially predicted. The updated 2026 forecast now projects approximately 66,000 CVEs for the full year, up from the February median of 59,427, marking the first time in history that annual vulnerability disclosures are on pace to approach 70,000. The surge reflects more aggressive security research and better reporting practices, not a decline in software security itself.

“We’re witnessing a major shift in the vulnerability landscape, not because software is suddenly less secure, but because our collective ability to find flaws has been structurally transformed,” said Éireann Leverett, FIRST Liaison and Lead Member of FIRST’s Vulnerability Forecasting Team. “The challenge for defenders is no longer the discovery of vulnerabilities; it’s the capacity to verify, coordinate, and prioritize them at a scale the industry has never seen before.”

Key Findings from FIRST’s 2026 Mid-Year Vulnerability Forecast

  • Cumulative drift of +46.3% above the February forecast, with 6,420 excess CVEs recorded through April 2026
  • Revised 2026 projection of ~66,000 CVEs, up from the February median of 59,427
  • Three structural drivers account for the increase: AI-assisted vulnerability discovery, a 449% year-over-year surge in GitHub Security Advisory (GHSA) volume, and a 3,119% increase in VulnCheck CNA-of-Last-Resort activity, which is absorbing a large unassigned vulnerability backlog
  • Actionable exploitability remains flat: when filtered for real-world risk (CISA KEV entries or EPSS scores above 10%) the patching burden has not materially increased, despite the surge in raw volume
  • The number of distinct software products with tracked vulnerabilities has grown by two orders of magnitude, driving workload independent of AI or CNA changes

FIRST's forecasting team calls this the "Rain vs. Flood" distinction. Total CVE volume is up, but vulnerabilities that are actively exploited or credibly exploitable have not risen at the same rate. For security teams, this means the playbook hasn't changed. Organizations using EPSS and the CISA KEV catalog to triage can manage exposure without scaling headcount proportionally to raw CVE volume.
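The exploitability overlay described above, as an added example that is not part of the forecast's own scripts: a CVE counts as actionable when it appears in the CISA KEV catalog or carries an EPSS score above 10%, and the actionable subset is ordered KEV-first, then by EPSS. The CVE ids, scores and KEV membership below are constructed placeholders.

```python
from __future__ import annotations

from dataclasses import dataclass

EPSS_THRESHOLD = 0.10  # the "EPSS above 10%" cut-off used in the forecast


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    epss: float  # EPSS probability of exploitation in the next 30 days, 0.0-1.0


def is_actionable(record: CveRecord, kev: frozenset) -> bool:
    """Flood, not rain: a CVE is actionable when CISA lists it in KEV or its
    EPSS score is strictly above the threshold. Either signal is sufficient."""
    return record.cve_id in kev or record.epss > EPSS_THRESHOLD


def overlay_summary(records, kev):
    """Return (raw_count, actionable_count, actionable_share) for a feed."""
    raw = len(records)
    actionable = sum(1 for r in records if is_actionable(r, kev))
    return raw, actionable, (actionable / raw if raw else 0.0)


def prioritize(records, kev):
    """Actionable records in patch order: KEV entries first, then by EPSS
    descending, so effort goes where the water is highest."""
    hits = [r for r in records if is_actionable(r, kev)]
    return sorted(hits, key=lambda r: (r.cve_id not in kev, -r.epss))


# Constructed sample feed: placeholder ids (not real CVEs) and made-up scores.
KEV_SAMPLE = frozenset({"CVE-0000-0003"})
FEED_SAMPLE = [
    CveRecord("CVE-0000-0001", 0.004),
    CveRecord("CVE-0000-0002", 0.020),
    CveRecord("CVE-0000-0003", 0.010),  # low EPSS but in KEV -> actionable
    CveRecord("CVE-0000-0004", 0.350),  # high EPSS -> actionable
    CveRecord("CVE-0000-0005", 0.100),  # exactly 10%: not "above" -> skipped
    CveRecord("CVE-0000-0006", 0.0009),
]

if __name__ == "__main__":
    raw, hits, share = overlay_summary(FEED_SAMPLE, KEV_SAMPLE)
    print(f"raw CVEs: {raw}, actionable: {hits} ({share:.0%})")
    for r in prioritize(FEED_SAMPLE, KEV_SAMPLE):
        print(f"  {r.cve_id}  kev={r.cve_id in KEV_SAMPLE}  epss={r.epss:.3f}")
```

On this feed, six raw CVEs reduce to two actionable ones, which is the "rain vs. flood" gap the forecast describes.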

“In 2026, the rain doesn't stop. The job is no longer counting the drops. It's knowing which ones will overrun the levee,” said Jerry Gamblin, co-author of the forecast and FIRST EPSS SIG member. “That is exactly what exploitability overlays are designed to help teams do.”

AI-Assisted Discovery Reshapes the Vulnerability Landscape

Artificial intelligence is a key driver of the discovery surge. AI-assisted bug hunting tools have accelerated identification of legacy software flaws—illustrated by a 164% spike in Q1 CVE disclosures from the Mozilla CNA, directly attributable to AI-assisted tooling running against the Firefox engine.

The coming race between AI-accelerated exploit generation and AI-accelerated patch generation will be one of the defining security dynamics of late 2026. Organizations need to move fast before adversarial AI matures.

Four Steps to Navigate the 2026 Vulnerability Surge

With a record-breaking year confirmed in the data, FIRST recommends organizations:

  • Reframe budget conversations around software growth: The growth in asset diversity is driving heavy workloads more than any single news cycle.
  • Adopt exploitability overlays immediately: EPSS and CISA KEV remain the most effective triage tools available to separate signal from noise at scale.
  • Plan for a doubled patching workload: Software maintainers should expect live-system patching volume to remain more stable through the end of 2026.
  • Lean into defensive AI tooling now: The same capabilities driving the CVE surge can also find and fix vulnerabilities faster, compressing Mean Time to Remediate (MTTR).

“No organization can solve this all alone, which is precisely why FIRST exists,” said Chris Gibson, CEO of FIRST. “The teams that will weather the vulnerability storm of 2026 are the ones with trusted networks already in place, who are sharing intelligence and are coordinating response before any crises hit. That’s the work happening in Denver this week.”

Methodology

The FIRST 2026 Mid-Year Vulnerability Forecast compares January–April 2026 actual CVE publication data against the February 2026 baseline forecast using an ExponentialSmoothing model trained on daily publication counts from January 2020 through April 30, 2026. Exploitability data is sourced from the CISA KEV catalog (1,587 entries as of May 1, 2026) and EPSS scores (329,934 CVEs scored as of May 1, 2026). Full methodology, live data reports, and Python scripts are available at: https://github.com/jgamblin/FirstForecast.
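The drift measurement in the methodology, as an added example that is not the forecast's own code: a Holt linear-trend (double exponential smoothing) model stands in for the ExponentialSmoothing baseline, and cumulative drift is the excess of observed counts over that baseline. The daily counts are constructed, and the smoothing parameters alpha and beta are assumptions, not the forecast's configuration.

```python
def holt_forecast(daily, horizon, alpha=0.3, beta=0.05):
    """Holt's additive-trend (double exponential smoothing) projection of
    the next `horizon` daily counts. alpha/beta are assumed values."""
    level, trend = float(daily[0]), float(daily[1] - daily[0])
    for y in daily[1:]:
        prev_level = level
        level = alpha * y + (1 - alpha) * (level + trend)
        trend = beta * (level - prev_level) + (1 - beta) * trend
    return [level + (h + 1) * trend for h in range(horizon)]


def cumulative_drift(baseline, actual):
    """Excess CVEs and percentage drift of observed counts over the baseline
    for the days both series cover (the forecast's '+46.3%' style figure)."""
    n = min(len(baseline), len(actual))
    expected, observed = sum(baseline[:n]), sum(actual[:n])
    excess = observed - expected
    return excess, 100.0 * excess / expected


# Constructed series, not NVD data: 60 training days with a gentle upward
# trend, then 30 "actual" days that run well above that trend.
TRAINING = [100 + d // 3 for d in range(60)]
ACTUAL = [170 + d for d in range(30)]


def run(horizon=30):
    """Fit on the training window, project the baseline, measure the drift."""
    baseline = holt_forecast(TRAINING, horizon)
    excess, pct = cumulative_drift(baseline, ACTUAL)
    return baseline, excess, pct


if __name__ == "__main__":
    baseline, excess, pct = run()
    print(f"baseline next 30 days: {sum(baseline):.0f} CVEs")
    print(f"actual: {sum(ACTUAL)} CVEs, excess {excess:.0f} ({pct:+.1f}%)")
```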


About FIRST

FIRST aspires to bring together incident response and security teams from every country across the world to ensure a safe internet for all. Founded in 1990, the Forum of Incident Response and Security Teams (FIRST) consists of internet emergency response teams from more than 850 corporations, government bodies, universities and other institutions across 118 countries in the Americas, Asia, Europe, Africa, and Oceania. For more information and to see the full calendar of events, visit: FIRST.Org.

Connect with FIRST on social media via GitHub, LinkedIn, Mastodon, X and YouTube.