CVE volumes may plausibly reach 100,000 this year

The total number of common vulnerabilities and exposures (CVEs) disclosed in 2026 is set to romp past the 50,000 mark and may plausibly run as high as six figures for the first time ever, according to the Forum of Incident Response and Security Teams’ (First’s) annual Vulnerability Report.
In its latest set of predictions, First said that this year, the upper bound of its 90% confidence interval in fact approaches 118,000 CVEs, and according to the data, realistic scenarios suggest 70,000 to 100,000 disclosed vulnerabilities are “entirely possible”. The median figure for 2026, it said, would most likely be around 59,000.
First said that whatever the figure turns out to be, it underscored an “urgent need” for organisations to both scale their security ops and strategically prioritise their vulnerability response and patching practices.
“The question organisations need to ask right now is: are my people and processes ready to handle this volume, and am I prioritising the vulnerabilities that actually put my data at risk?” said Éireann Leverett, First liaison and lead member of First’s Vulnerability Forecasting Team.
“Our forecast allows defenders to stop reacting to every new CVE and start making strategic decisions about where to focus limited resources before attackers exploit the gaps.”
The 50,000 vulnerability question
In its 2025 report, First said that the higher end of its predicted range topped out at 50,000 CVEs – the number its analysts expect to comfortably exceed this year. This was partly due to the rapid adoption of open source software (OSS) and the use of AI tools both in vulnerability discovery During the course of the year, the emergence of the vibecoding phenomenon likely also had an impact.
In the event, First’s prediction was bang on, Leverett revealed, tipping over the upper confidence mark on 31 December 2025 for a final total of 49,972 observed CVEs, just 28 short of the magic number.
However, ideally, the upper confidence point would fall somewhere in 2026, with the median confidence point falling on New Year’s Eve, and as a result, First has reviewed its approaches and methodology going forward. Whether or not this means its 2026 forecast will be even more accurate remains to be seen.
“[Our] new method of forecasting … allows for asymmetric confidence intervals. This means we are taking into account that the publication number is more likely to exceed last year than be less than last year,” Leverett told Computer Weekly.
“So while we expect the number to be closer to 60,000, there is a 10% chance it exceeds 118,000. Most of this is just statistics, but there is also discussion about emerging technologies and how they might stretch the range of possible numbers, which meant we were more comfortable publishing the results of this modelled outcome than some others.”
Next steps
While at first glance First’s annual CVE report might seem just an interesting statistical marker, the forecast serves as a potentially critical planning tool for the security sector when it comes to planning patching capacity, writing coordinated disclosures, or developing new detection signatures for SIEM, EDR or IDS platforms.
“Much like a city planner considering population growth before commissioning new infrastructure, security teams benefit from understanding the likely volume and shape of vulnerabilities they will need to process,” said Leverett.
“The difference between preparing for 30,000 vulnerabilities and 100,000 is not merely operational, it’s strategic.”
Whether they end up facing 50,000 or 100,000 CVEs, and always keeping in mind that not every flaw will affect every business, security leaders at end-user organisations can start the work to get out in front of the problem right now.
A strong jumping-off point is to assess whether the organisation has the people, processes, and capacity to handle so many issues. A well-prepared CISO will have prepared for the median forecast but will also have built contingency plans for the higher-volume scenarios.
Security pros also need to master the art of ruthless prioritisation, focusing on the flaws that pose the greatest risk to their specific IT estates, and not just those with the most critical CVSS numbers.
Finally, leaders should leverage external vulnerability forecasts alongside their own asset inventories to make vendor- and product-specific preparations.
“No company can solve vulnerabilities and cyber security in isolation. The organisations that recover fastest are the ones with trusted networks already in place, sharing threat intelligence and coordinating response before a crisis hits,” said First CEO Chris Gibson.



