June 17, 2026
FIRST’s 2026 vulnerability forecast update argues that the vulnerability landscape is undergoing a structural shift, driven by AI-assisted bug discovery, broader software growth, and expanded vulnerability cataloging. The team says reported CVE volume is running 46.3% above the original forecast, leading to a revised projection of around 68,000 CVEs for 2026. However, the article cautions against interpreting this as an immediate security crisis, because much of the increase reflects more discovery, more open-source attention, CNA expansion, and backlog processing rather than a proportional rise in urgent exploitable risk.
The central message is that defenders should focus less on raw CVE counts and more on exploitability, asset context, and operational prioritization. FIRST argues that when vulnerabilities are filtered through CISA KEV listings or higher EPSS scores, the actionable patching burden appears relatively stable despite the surge in disclosures. The article also highlights new challenges from AI-generated “ephemeral” software, which may create flaws outside traditional CVE systems, and recommends that vulnerability programs evolve with AI-assisted analysis, dynamic software inventories, runtime monitoring, and stronger processes for human analysts who remain the main bottleneck in verification, coordination, and remediation.
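The prioritization the article describes, filtering disclosures through CISA KEV membership and EPSS scores with asset context as a tie-breaker, can be made concrete with a small triage script. The following is an added example, not code from FIRST or from the source article; the CVE identifiers, EPSS values, asset names and the 0.1 EPSS cut-off are constructed placeholders chosen to illustrate the contrast between a CVSS-only view and a KEV/EPSS view of the same backlog.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One vulnerability observed on one asset (constructed record shape)."""
    cve_id: str            # placeholder identifier, not a real CVE
    epss: float            # EPSS probability of exploitation in the next 30 days, 0..1
    in_kev: bool           # listed in CISA's Known Exploited Vulnerabilities catalog
    cvss: float            # CVSS base score, used only as a last tie-breaker here
    asset: str             # hypothetical asset name
    internet_facing: bool  # asset context: reachable from the internet

# Constructed sample backlog; values are illustrative only.
SAMPLE = [
    Finding("CVE-2026-0001", 0.92,   True,  9.8, "vpn-gateway",  True),
    Finding("CVE-2026-0002", 0.35,   False, 7.5, "web-frontend", True),
    Finding("CVE-2026-0003", 0.02,   False, 9.1, "build-server", False),
    Finding("CVE-2026-0004", 0.004,  False, 5.3, "laptop-fleet", False),
    Finding("CVE-2026-0005", 0.12,   True,  6.5, "hr-portal",    False),
    Finding("CVE-2026-0006", 0.01,   False, 8.8, "db-internal",  False),
    Finding("CVE-2026-0007", 0.15,   False, 7.2, "mail-relay",   True),
    Finding("CVE-2026-0008", 0.0007, False, 4.3, "printer",      False),
    Finding("CVE-2026-0009", 0.03,   False, 9.8, "legacy-app",   False),
    Finding("CVE-2026-0010", 0.05,   False, 7.0, "ci-runner",    False),
]

def is_actionable(f: Finding, epss_threshold: float = 0.1) -> bool:
    """KEV membership is always actionable; otherwise require EPSS at or above the cut-off."""
    return f.in_kev or f.epss >= epss_threshold

def prioritize(findings, epss_threshold: float = 0.1):
    """Return actionable findings ordered: KEV first, then internet-facing,
    then descending EPSS, then descending CVSS as a final tie-breaker."""
    actionable = [f for f in findings if is_actionable(f, epss_threshold)]
    return sorted(actionable,
                  key=lambda f: (not f.in_kev, not f.internet_facing, -f.epss, -f.cvss))

def cvss_high_count(findings, min_cvss: float = 7.0) -> int:
    """Size of the backlog if triage were driven by CVSS severity alone."""
    return sum(1 for f in findings if f.cvss >= min_cvss)

def burden_summary(findings, epss_threshold: float = 0.1) -> dict:
    """Compare the raw backlog with the KEV/EPSS-filtered patching burden."""
    total = len(findings)
    actionable = len(prioritize(findings, epss_threshold))
    return {
        "total": total,
        "cvss_high": cvss_high_count(findings),
        "actionable": actionable,
        "actionable_fraction": actionable / total if total else 0.0,
    }

if __name__ == "__main__":
    print(burden_summary(SAMPLE))
    for f in prioritize(SAMPLE):
        tag = "KEV" if f.in_kev else f"EPSS {f.epss:.2f}"
        print(f"{f.cve_id}  {tag:<9}  {f.asset:<13}  exposed={f.internet_facing}")
```

On the constructed sample, a CVSS-at-or-above-7 rule flags seven of ten findings, while the KEV/EPSS filter leaves four, with the two KEV entries and the exposed assets at the top. The EPSS threshold is a policy choice rather than a fixed value; in practice it would be tuned to the team's patching capacity, and EPSS scores change daily, so the list should be regenerated from fresh feeds rather than stored.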
Source: FIRST.org