April 5, 2026
The post says FIRST expects 2026 to be the year published CVEs pass 50,000, with a median forecast of 59,427 vulnerabilities. It also gives a very wide planning range: a 90% confidence interval from 30,012 to 117,673, and says scenarios in the 70,000–100,000 range are considered realistic enough that defenders should prepare for them, even if the most likely outcome is closer to 60,000. The article’s core point is that this is not just an academic prediction—it is meant to help security teams plan patching capacity, detection engineering workload, and coordinated vulnerability disclosure resources before the year’s vulnerability volume starts to hit.
It also explains what makes a forecast useful: not just a single number, but a range that supports real capacity planning under uncertainty. FIRST argues that organizations should think beyond raw counts over time and eventually forecast by vendor, product, and CVSS characteristics, so the data becomes more actionable against actual asset inventories. The post adds that FIRST is using a new model designed to better reflect the post-2017 shift in CVE publication trends, with wider and more realistic (including asymmetric) prediction intervals. As evidence that the method is operationally credible, the post says FIRST's 2025 forecast had a mean absolute percentage error (MAPE) of 7.48% for the annual prediction and 4.96% for Q4, and that FIRST plans to publish quarterly updates during 2026 with more granular breakdowns as new data arrives.
Source: https://www.first.org/blog/20260211-vulnerability-forecast-2026