Vulnerability disclosures are on track to hit, or even surpass, a record-breaking 50,000 in 2026 according to the Forum of Incident Response and Security Teams (FIRST).
In its 2026 Vulnerability Forecast, published on February 11, the non-profit predicted a median of approximately 59,427 new common vulnerabilities and exposures (CVEs) this year, with a 90% confidence interval ranging from 30,012 to 117,673.
These calculations are the result of a new statistical model developed at FIRST and optimized to reflect the range of possible CVE disclosures. The data sources used include historical CVE records and publication trends from the US National Vulnerability Database (NVD) and MITRE.
This new methodology was used in FIRST’s 2025 Vulnerability Forecast and achieved a percentage error of 7.48% for yearly predictions and 4.96% for the fourth quarter of 2025.
Record-Breaking CVE Reports Expected in 2026
If FIRST’s predictions hold true, 2026 will be the first year to exceed 50,000 published CVEs. This would represent “a significant milestone in vulnerability disclosure history,” the non-profit said.
The forecast report also stated that realistic scenarios suggest 70,000 to 100,000 vulnerabilities are entirely possible this year.
Finally, FIRST predicted that CVE disclosures will likely keep growing beyond 2026, with a median of approximately 51,018 CVEs in 2027 and 53,289 CVEs in 2028 and upper bounds reaching nearly 193,000 by 2028.
FIRST: How to Anticipate the CVE Reporting Explosion
FIRST indicated that this data aims to serve as “a critical planning tool for security teams across the industry” and “enable better resource allocation and strategic decision-making.”
Éireann Leverett, FIRST liaison and lead member of FIRST’s vulnerability forecasting team, noted that organizations need to ask if their teams and processes are ready to handle such volumes of vulnerabilities and if they are prioritizing the right ones.
“Our forecast allows defenders to stop reacting to every new CVE and start making strategic decisions about where to focus limited resources before attackers exploit the gaps,” he added.
FIRST’s 2026 Vulnerability Forecast also provided a list of basic recommendations for organizations wanting to anticipate the CVE growth:
- Assess capacity now: evaluate whether current people and processes can handle 50,000+ CVEs
- Prioritize ruthlessly: focus on vulnerabilities that pose the greatest risk to your specific environment, not just those with the highest common vulnerability scoring system (CVSS) ratings
- Plan for scenarios: prepare for the median forecast but build contingency plans for higher-volume scenarios
- Leverage forecasting: use vulnerability forecasts alongside asset inventories to make vendor- and product-specific preparations
