FIRST Mid-Year Vulnerability Forecast Confirms Historic Surge, Projects ~66,000 CVEs in 2026

The Forum of Incident Response and Security Teams (FIRST) released its 2026 Mid-Year Vulnerability Forecast, revealing that actual CVE disclosures are running 46.3% above the projections published four months ago, with a revised full-year projection of approximately 66,000 CVEs. The surge is driven by AI-assisted vulnerability discovery, a 449% year-over-year increase in GitHub Security Advisory volume, and a 3,119% increase in VulnCheck CNA-of-Last-Resort activity, though actionable exploitability remains flat.

AI and a rapidly expanding CVE ecosystem blow past February's already-record projections by 46%, but exploitable risk remains flat

DENVER, June 15, 2026 – Today at FIRST’s 38th Annual Conference (https://www.first.org/conference/2026/), the Forum of Incident Response and Security Teams (FIRST, https://www.first.org) released its 2026 Mid-Year Vulnerability Forecast (https://www.first.org/blog/20260615-vulnerability-forecast-update), revealing that actual CVE disclosures are already running 46.3% above the projections published just four months ago. A mid-year reassessment shows disclosures are climbing faster than initially predicted. The updated 2026 forecast now projects approximately 66,000 CVEs for the full year, up from the February median of 59,427 (https://www.first.org/newsroom/releases/20260211), marking the first time in history that annual vulnerability disclosures are on pace to approach 70,000. The surge reflects more aggressive security research and better reporting practices, not a decline in software security itself.
“We’re witnessing a major shift in the vulnerability landscape, not because software is suddenly less secure, but because our collective ability to find flaws has been structurally transformed,” said Éireann Leverett (https://www.linkedin.com/in/%C3%A9ireann/), FIRST Liaison and Lead Member of FIRST’s Vulnerability Forecasting Team. “The challenge for defenders is no longer the discovery of vulnerabilities; it’s the capacity to verify, coordinate, and prioritize them at a scale the industry has never seen before.”

Key Findings from FIRST’s 2026 Mid-Year Vulnerability Forecast

- Cumulative drift of +46.3% above the February forecast, with 6,420 excess CVEs recorded through April 2026.
- Revised 2026 projection of ~66,000 CVEs, up from the February median of 59,427.
- Three structural drivers of the increase: AI-assisted vulnerability discovery, a 449% year-over-year surge in GitHub Security Advisory (GHSA) volume, and a 3,119% increase in VulnCheck CNA-of-Last-Resort activity, which is absorbing a large backlog of previously unassigned vulnerabilities.
- Actionable exploitability remains flat: when filtered for real-world risk (CISA KEV entries or EPSS scores above 10%), the patching burden has not materially increased, despite the surge in raw volume.
- The number of distinct software products with tracked vulnerabilities has grown by two orders of magnitude, driving workload independent of AI or CNA changes.

FIRST's forecasting team calls this the "Rain vs. Flood" distinction. Total CVE volume is up, but vulnerabilities that are actively exploited or credibly exploitable have not risen at the same rate. For security teams, this means the playbook hasn't changed: organizations using EPSS and the CISA KEV catalog to triage can manage exposure without scaling headcount proportionally to raw CVE volume.

“In 2026, the rain doesn't stop. The job is no longer counting the drops.
It's knowing which ones will overrun the levee,” said Jerry Gamblin (https://www.linkedin.com/in/jgamblin/), co-author of the forecast and FIRST EPSS SIG member. “That is exactly what exploitability overlays are designed to help teams do.”

AI-Assisted Discovery Reshapes the Vulnerability Landscape

Artificial intelligence is a key driver of the discovery surge. AI-assisted bug-hunting tools have accelerated the identification of legacy software flaws, illustrated by a 164% spike in Q1 CVE disclosures from the Mozilla CNA, directly attributable to AI-assisted tooling running against the Firefox engine. The coming race between AI-accelerated exploit generation and AI-accelerated patch generation will be one of the defining security dynamics of late 2026. Organizations need to move fast before adversarial AI matures.

Four Steps to Navigate the 2026 Vulnerability Surge

With a record-breaking year confirmed in the data, FIRST recommends organizations:

- Reframe budget conversations around software growth: the growth in asset diversity is driving heavy workloads more than any single news cycle.
- Adopt exploitability overlays immediately: EPSS and CISA KEV remain the most effective triage tools available to separate signal from noise at scale.
- Plan for a doubled patching workload: software maintainers should expect live-system patching volume to remain more stable through the end of 2026.
- Lean into defensive AI tooling now: the same capabilities driving the CVE surge can also find and fix vulnerabilities faster, compressing Mean Time to Remediate (MTTR).

“No organization can solve this all alone, which is precisely why FIRST exists,” said Chris Gibson (https://www.linkedin.com/in/cjpgibson/), CEO of FIRST. “The teams that will weather the vulnerability storm of 2026 are the ones with trusted networks already in place, who are sharing intelligence and are coordinating response before any crises hit.
That’s the work happening in Denver this week.”

Methodology

The FIRST 2026 Mid-Year Vulnerability Forecast compares January–April 2026 actual CVE publication data against the February 2026 baseline forecast (https://www.first.org/blog/20260211-vulnerability-forecast-2026) using an ExponentialSmoothing model trained on daily publication counts from January 2020 through April 30, 2026. Exploitability data is sourced from the CISA KEV catalog (1,587 entries as of May 1, 2026) and EPSS scores (329,934 CVEs scored as of May 1, 2026). Full methodology, live data reports, and Python scripts are available at https://github.com/jgamblin/FirstForecast.

Also available in PDF: https://www.first.org/newsroom/releases/FIRST-Press-Release-20250627.pdf

About FIRST

FIRST aspires to bring together incident response and security teams from every country across the world to ensure a safe internet for all. Founded in 1990, the Forum of Incident Response and Security Teams (FIRST) consists of internet emergency response teams from more than 850 corporations, government bodies, universities and other institutions across 118 countries in the Americas, Asia, Europe, Africa, and Oceania. For more information and to see the full calendar of events, visit FIRST.Org (https://www.first.org/). Connect with FIRST on social media via GitHub (https://github.com/FIRSTdotorg), LinkedIn (https://www.linkedin.com/company/firstdotorg), Mastodon (https://infosec.exchange/@firstdotorg), X (https://twitter.com/FIRSTdotOrg) and YouTube (https://www.youtube.com/c/FIRSTdotorg).

Mon, 15 Jun 2026 00:00:00 +0000
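The "exploitability overlay" that the Key Findings and the Four Steps above recommend (keep a CVE on the urgent list if it is in the CISA KEV catalog or its EPSS score is above 10%, defer the rest) is a small amount of logic once the two feeds are loaded. The script below is an added example written for this page, not code from FIRST or from the FirstForecast repository. The EPSS and KEV records it consumes are constructed sample data shaped like the public EPSS CSV (cve,epss,percentile) and KEV JSON (vulnerabilities[].cveID) layouts; the CVE identifiers, scores and scanner findings are invented, and the 0.10 threshold is the page's "above 10%" cut.

```python
"""Exploitability overlay triage: a CVE is actionable if it is in the CISA KEV
catalog or its EPSS score is above 10%, the filter used in the forecast's
"Rain vs. Flood" analysis.

Added example, not code from FIRST or the FirstForecast repository. The EPSS
and KEV records below are constructed: they mirror the public EPSS CSV
(cve,epss,percentile) and KEV JSON (vulnerabilities[].cveID) layouts, but the
identifiers and scores are made up.
"""
import csv
import io
import json

# Constructed sample: EPSS-style CSV with invented scores (0.0 - 1.0).
EPSS_CSV = """cve,epss,percentile
CVE-2026-00001,0.00042,0.11
CVE-2026-00002,0.93100,0.99
CVE-2026-00003,0.08900,0.92
CVE-2026-00004,0.00310,0.55
CVE-2026-00005,0.12400,0.95
"""

# Constructed sample: KEV-style catalog; only cveID is consulted.
KEV_JSON = json.dumps({"vulnerabilities": [{"cveID": "CVE-2026-00004"}]})

# Constructed sample: CVE ids a scanner reported against this organisation's estate.
FINDINGS = [
    "CVE-2026-00001", "CVE-2026-00002", "CVE-2026-00003",
    "CVE-2026-00004", "CVE-2026-00005", "CVE-2026-00006",
]

EPSS_THRESHOLD = 0.10  # "EPSS above 10%"


def load_epss(text):
    """Map CVE id -> EPSS probability from EPSS-style CSV text."""
    return {row["cve"]: float(row["epss"]) for row in csv.DictReader(io.StringIO(text))}


def load_kev(text):
    """Set of CVE ids present in a KEV-style JSON catalog."""
    return {entry["cveID"] for entry in json.loads(text)["vulnerabilities"]}


def triage(findings, epss, kev, threshold=EPSS_THRESHOLD):
    """Split findings into actionable / deferred / unscored.

    KEV membership wins regardless of EPSS (known exploitation beats a
    probability). A CVE with no EPSS row (typically one published after the
    scores were pulled) is reported separately rather than quietly deferred.
    """
    actionable, deferred, unscored = [], [], []
    for cve in findings:
        if cve in kev:
            actionable.append((cve, "KEV"))
        elif cve not in epss:
            unscored.append(cve)
        elif epss[cve] > threshold:
            actionable.append((cve, f"EPSS={epss[cve]:.3f}"))
        else:
            deferred.append(cve)
    return actionable, deferred, unscored


def workload_ratio(findings, epss, kev, threshold=EPSS_THRESHOLD):
    """Fraction of raw findings that survive the overlay (the 'flood' share)."""
    actionable, _, _ = triage(findings, epss, kev, threshold)
    return len(actionable) / len(findings) if findings else 0.0


if __name__ == "__main__":
    epss, kev = load_epss(EPSS_CSV), load_kev(KEV_JSON)
    act, dfr, uns = triage(FINDINGS, epss, kev)
    print("actionable:", act)
    print("deferred:", dfr)
    print("unscored:", uns)
    print(f"overlay keeps {workload_ratio(FINDINGS, epss, kev):.0%} of raw findings")
```

The unscored bucket is the detail worth keeping: with disclosures running this far ahead of forecast, a freshly published CVE will often have no EPSS row yet, and a triage rule that treats "no score" as "low score" silently drops exactly the items the quote about overrunning the levee is warning about.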
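The Methodology section describes the mid-year check as a comparison of actual daily CVE publication counts against a baseline produced by an exponential smoothing model, reported as cumulative excess CVEs and a percentage drift. The script below is an added example written for this page, not the FirstForecast project's code: it implements Holt's linear-trend exponential smoothing by hand (an assumption, since the page names an ExponentialSmoothing model but not its parameters), computes the drift of observed counts against that baseline, and then refits on the observed data to project the rest of the period (one reasonable revision method, also an assumption, not FIRST's published one). Every daily count in it is constructed, not real CVE data.

```python
"""Forecast drift and refit, in the spirit of the mid-year update's comparison
of actual January-April 2026 CVE counts against the February baseline.

Added example, not the FirstForecast project's code. Holt's linear-trend
exponential smoothing is implemented by hand because the page names an
ExponentialSmoothing model but not its parameters (assumption); every daily
count below is constructed, not real CVE data.
"""


def holt_fit(series, alpha=0.5, beta=0.1):
    """Holt's double exponential smoothing; returns (level, trend) after the last point."""
    level, trend = float(series[0]), float(series[1] - series[0])
    for y in series[1:]:
        prev_level = level
        level = alpha * y + (1 - alpha) * (level + trend)
        trend = beta * (level - prev_level) + (1 - beta) * trend
    return level, trend


def holt_forecast(series, horizon, alpha=0.5, beta=0.1):
    """Point forecasts for the next `horizon` days."""
    level, trend = holt_fit(series, alpha, beta)
    return [level + (h + 1) * trend for h in range(horizon)]


def drift_report(actual, forecast):
    """Cumulative drift of observed counts against the baseline over the overlap window."""
    n = min(len(actual), len(forecast))
    cum_actual = sum(actual[:n])
    cum_forecast = sum(forecast[:n])
    excess = cum_actual - cum_forecast
    return {
        "days": n,
        "actual": cum_actual,
        "forecast": round(cum_forecast, 1),
        "excess": round(excess, 1),
        "drift_pct": round(100.0 * excess / cum_forecast, 1),
    }


def revised_projection(history, observed, days_remaining, alpha=0.5, beta=0.1):
    """Refit on history + observed and project the rest of the period.

    This is one plausible revision method (assumption), chosen because a
    sustained drift shows up as a steeper fitted trend; it is not FIRST's
    published procedure.
    """
    combined = list(history) + list(observed)
    remaining = holt_forecast(combined, days_remaining, alpha, beta)
    return {
        "observed_so_far": sum(combined),
        "projected_total": round(sum(combined) + sum(remaining), 1),
    }


# Constructed training data: ten days with a clean +2/day trend.
HISTORY = [100 + 2 * i for i in range(10)]
# Constructed "actual" counts for the five forecast days: well above trend.
OBSERVED = [150, 160, 170, 180, 190]

if __name__ == "__main__":
    baseline = holt_forecast(HISTORY, len(OBSERVED))
    print(drift_report(OBSERVED, baseline))
    print(revised_projection(HISTORY, OBSERVED, days_remaining=3))
```

On the constructed data the baseline continues the +2/day trend (120, 122, ..., 128), the observed window sums to 850 against a forecast of 620, and the report shows 230 excess counts and a +37.1% drift; refitting on the observed days raises the trend and therefore the projected total. The point is the same one the release makes: drift is measured on cumulative counts over the overlap window, and a revised annual figure comes from refitting, not from scaling the old projection by the drift percentage.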