
"The total number of common vulnerabilities and exposures (CVEs) disclosed in 2026 is set to romp past the 50,000 mark in 2026 and may plausibly run as high as six figures for the first time ever, according to the Forum of Incident Response and Security Teams' (First's) annual Vulnerability Report. In its latest set of predictions, First said that this year, the upper bounds of its 90% confidence interval in fact approaches 118,000 CVEs, and according to the data, realistic scenarios suggest 70,000 to 100,000 disclosed vulnerabilities are "entirely possible". The median figure for 2026, it said, would most likely be around 59,000."
"First said that whatever the figure turns out to be, it underscored an "urgent need" for organisations to both scale their security ops and strategically prioritise their vulnerability response and patching practices. "The question organisations need to ask right now is: are my people and processes ready to handle this volume, and am I prioritising the vulnerabilities that actually put my data at risk?" said Éireann Leverett, first liaison and lead member of First's Vulnerability Forecasting Team"
"In its 2025 report, First said that the higher end of its predicted range topped out at 50,000 CVEs - the number its analysts expect to comfortably exceed this year. This was partly due to the rapid adoption of open source software (OSS) and the use of AI tools both in vulnerability discovery During the course of the year, the emergence of the vibecoding phenomenon likely also had an impact."
Disclosed CVEs for 2026 are projected to exceed 50,000, with realistic scenarios ranging from 70,000 to 100,000 and a 90% confidence upper bound near 118,000; the median projection is about 59,000. The projected surge creates an urgent need for organisations to scale security operations and to strategically prioritise vulnerability response and patching. Defenders should shift from reacting to every new CVE toward focusing limited resources on vulnerabilities that pose real data risk. Rapid adoption of open source software, wider use of AI in discovery, and the emergence of vibecoding contributed to rising vulnerability counts; 2025 observed CVEs totaled 49,972.
Read at ComputerWeekly.com