Cybersecurity teams brace for surge in global CVEs in 2026

FIRST forecasts that the global vulnerability disclosure system will publish more than 50,000 Common Vulnerabilities and Exposures (CVEs) this year, with a median estimate of about 59,000. If realised, it would be the first time the industry has crossed 50,000 CVEs in a single year.

The Forum of Incident Response and Security Teams (FIRST), a cybersecurity non-profit, estimates the 2026 total will fall within a 90% confidence interval of 30,012 to 117,673. The upper end of that range would mean a materially higher workload for security teams that track disclosures and manage remediation programmes.

Vulnerability disclosures are a core input for security operations. Organisations use CVE entries to guide patch management, risk assessments, scanning, and detection engineering across security information and event management systems, endpoint tools, and intrusion detection products. Higher volumes increase the time and effort needed to triage issues and determine which exposures require action.

Pressure on teams

The forecast also outlines "realistic scenarios" in which 70,000 to 100,000 vulnerabilities could be published this year. That range sits above the median and reflects the possibility of continued growth in publication rates.

FIRST described the expected increase as a shift in operational planning, not simply a year-on-year rise. The difference between preparing for tens of thousands of entries and preparing for a six-figure total affects how teams allocate staff time, build automation, and set internal service levels for remediation.

"The question organizations need to ask right now is: are my people and processes ready to handle this volume, and am I prioritizing the vulnerabilities that actually put my data at risk? Our forecast allows defenders to stop reacting to every new CVE and start making strategic decisions about where to focus limited resources before attackers exploit the gaps," said Éireann Leverett, FIRST Liaison and lead member of FIRST's Vulnerability Forecasting Team.

Many organisations already face competing pressures in vulnerability management. Patching often requires downtime windows and coordination with application owners. Some systems cannot be patched quickly because of supplier constraints or operational risk. Security teams must also manage expanding asset estates across cloud services, endpoints, and third-party software dependencies.

Three-year outlook

FIRST's three-year outlook suggests disclosure volumes will remain elevated. It forecasts a median of 51,018 CVEs in 2027 and 53,289 in 2028. The upper bound for 2028 approaches 193,000, indicating a meaningful probability of totals substantially higher than the medians.

In assessing its methodology, FIRST reported that its 2025 forecast recorded a Mean Absolute Percentage Error of 7.48% for annual predictions and 4.96% for the fourth quarter. Forecast accuracy is difficult to judge because publication patterns can shift during the year, particularly if a backlog is cleared or reporting processes change across the ecosystem.

How the model works

The 2026 forecast uses a statistical approach that emphasises ranges of outcomes rather than a single point estimate. The model incorporates the structural change in CVE publication patterns observed in 2017 and 2018 and uses asymmetric confidence intervals, reflecting a higher probability that totals could exceed the median forecast.

Data sources include historical CVE records and publication trends from the US National Vulnerability Database and MITRE, which oversees the CVE programme.

Several factors can drive higher disclosure volumes. Researchers and vendors continue to widen product coverage, and more software is built from open source components. Improved supply-chain visibility can lead to more reported issues. Changes in processes used by CVE numbering authorities and disclosure programmes can also affect how many entries are published in a given period.

Operational response

FIRST's guidance focuses on capacity, prioritisation, and scenario planning. It recommends assessing whether staffing levels and processes can handle a year above 50,000 CVEs, and prioritising vulnerabilities that present the greatest risk in a given environment rather than relying only on severity scoring.

FIRST also recommends planning around the median forecast while preparing contingencies for higher-volume scenarios. It highlighted using forecasts alongside asset inventories for vendor and product planning, which can shape patch schedules and remediation campaigns.

"Much like a city planner considering population growth before commissioning new infrastructure, security teams benefit from understanding the likely volume and shape of vulnerabilities they will need to process," Leverett added. "The difference between preparing for 30,000 vulnerabilities and 100,000 is not merely operational, it's strategic."

Chris Gibson, chief executive officer of FIRST, said resilience depends on coordination and pre-existing trust relationships between organisations. "No company can solve vulnerabilities and cybersecurity in isolation. The organizations that recover fastest are the ones with trusted networks already in place, sharing threat intelligence and coordinating response before a crisis hits," he said.

FIRST plans to publish quarterly updates during 2026 and refine predictions as more data arrives. It also expects to add more granular analysis of CVSS v3 vector distributions in those updates.