For the first time in history, annual CVE disclosures are projected to surpass 50,000.
The Forum of Incident Response and Security Teams (FIRST) released its 2026 Vulnerability Forecast this week, estimating a median of 59,427 Common Vulnerabilities and Exposures (CVEs) for 2026, with a 90% confidence interval of 30,012 to 117,673. FIRST notes that "realistic scenarios suggest 70,000 to 100,000 vulnerabilities are entirely possible this year," marking a significant milestone in vulnerability disclosure history.

For CISOs, however, the milestone is less about the number itself and more about what it represents: scale.
A structural shift in vulnerability growth
FIRST's three-year outlook projects continued elevated disclosure levels, with a median of 51,018 CVEs in 2027 and 53,289 in 2028—still dramatically higher than historical norms. Upper-bound projections stretch even further, reaching nearly 193,000 by 2028.
Importantly, FIRST emphasizes that its 2026 forecast uses "a new statistical model optimized to reflect the range of possible outcomes rather than point prediction accuracy alone." The model accounts for the structural shift in CVE publication patterns that occurred between 2017 and 2018 and produces asymmetric confidence intervals that acknowledge a higher probability of exceeding the median forecast.
The methodology has demonstrated reliability. FIRST reports its 2025 forecast achieved a Mean Absolute Percentage Error (MAPE) of 7.48% for yearly predictions and 4.96% for Q4. The projections draw on historical CVE records and publication trends from MITRE and the National Vulnerability Database (NVD).
This is not a one-year spike; it is a sustained trajectory.
Automation became mandatory years ago
Security leaders have felt this pressure building for years.
"The number of CVEs disclosed each year has been increasing rapidly for quite a long time," says Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck. "When we passed the average of 50 CVEs per day, it became clear that automation and a clear vulnerability response program were required."
Traditional continuous scanning tools, he explains, faced "a core scalability challenge—there are only so many hours in a day to complete scans." That drove adoption of SBOM-based approaches, allowing organizations to scan once and continuously monitor those components for new CVEs.
But even that model now requires sharper prioritization.
"Addressing this influx requires prioritization and triage from the outset," Mackey said. The first step is determining whether the affected library or software is even present in the environment. From there, teams must identify "which CVEs are known to have an exploit path, via proof-of-concept code or active exploitation."
Those represent the true priority. With effective automation, impact assessments can shrink "to hours, if not minutes," instead of days.
Regulatory timelines are tightening, as well. Mackey points to the EU's Cyber Resilience Act (CRA), which sets "the aggressive 24-hour clock for software manufacturers to perform an impact assessment within 24 hours of a new vulnerability being disclosed." As he notes, "Time is always of the essence when dealing with cyber incidents."
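As an added illustration of the triage Mackey describes (presence in the environment first, then exploit path) and of the 24-hour CRA impact-assessment clock, the code below is example code, not from the article, FIRST or Black Duck. The SBOM, the advisories and the CVE identifiers are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed SBOM: components inventoried once, then monitored for new CVEs.
SBOM = {"libfoo": "1.4.2", "barlib": "2.0.0", "quxjs": "0.9.1"}

# Fixed "current time" so the 24-hour clock below is reproducible.
NOW = datetime(2026, 1, 15, 12, 0, tzinfo=timezone.utc)


@dataclass
class Advisory:
    cve: str            # placeholder identifier, not a real CVE
    package: str        # component the advisory applies to
    fixed_in: str       # versions strictly below this are affected
    has_poc: bool       # public proof-of-concept exists
    exploited: bool     # reported as actively exploited
    published: datetime # when the advisory was disclosed


# Constructed advisory feed covering present, absent and unaffected components.
ADVISORIES = [
    Advisory("CVE-0000-1001", "libfoo", "1.5.0", True, False, NOW - timedelta(hours=30)),
    Advisory("CVE-0000-1002", "barlib", "1.9.0", True, True, NOW - timedelta(hours=5)),
    Advisory("CVE-0000-1003", "quxjs", "1.0.0", False, True, NOW - timedelta(hours=2)),
    Advisory("CVE-0000-1004", "nopkg", "3.0.0", True, True, NOW - timedelta(hours=40)),
    Advisory("CVE-0000-1005", "libfoo", "2.0.0", False, False, NOW - timedelta(hours=1)),
]


def vtuple(version: str) -> tuple:
    """Compare simple dotted numeric versions as tuples (e.g. 1.4.2 < 1.5.0)."""
    return tuple(int(part) for part in version.split("."))


def is_present_and_affected(adv: Advisory, sbom: dict) -> bool:
    """Step 1: is the library even in the environment, at an affected version?"""
    installed = sbom.get(adv.package)
    return installed is not None and vtuple(installed) < vtuple(adv.fixed_in)


def priority(adv: Advisory) -> int:
    """Step 2: rank by exploit path: active exploitation, then public PoC, then the rest."""
    return 0 if adv.exploited else 1 if adv.has_poc else 2


def triage(advisories, sbom, now, clock=timedelta(hours=24)):
    """Return (cve, priority, clock_elapsed) for relevant advisories, most urgent first."""
    present = [a for a in advisories if is_present_and_affected(a, sbom)]
    ranked = sorted(present, key=lambda a: (priority(a), a.published))
    return [(a.cve, priority(a), now - a.published > clock) for a in ranked]


def run():
    return triage(ADVISORIES, SBOM, NOW)
```

Only three of the five advisories survive step 1 (one component is absent, one is already at a fixed version), and the oldest surviving advisory is flagged as past its 24-hour assessment window.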
Agentic AI: discovery at machine speed
Artificial intelligence is poised to accelerate the trend even further.
"With agentic augmentation, not only will more vulnerabilities be found, but they'll be found by more diverse actors than before," said Trey Ford, Chief Strategy and Trust Officer at Bugcrowd. Not all of them will receive CVE identifiers, he added, raising challenges around tracking and coordination.
Still, the leadership challenge remains constant. "The numbers are impressive; however, the CISO's challenge hasn't changed. This includes knowing which vulnerabilities to address, in what order, and on what timeline."
What is changing is velocity. "We will be seeing threat actors agentically find vulnerabilities at machine speed," Ford said, posing a critical question for defenders: "At what point do we rationally see patches agentically developed and deployed at machine speed? And how do security leaders make decisions around this?"
CVEs and the evolution of risk tolerance
Ben Ronallo, Principal Cybersecurity Engineer at Black Duck, sees the forecast as reflective of a broader shift.
"The forecast is not surprising and is indicative of a shrinking global risk tolerance," he said. "As expectations rise, organizations will need funding and staff to double-check AI outputs, configure tools, and provide contextual analysis."
Transparency expectations are rising, as well. "The time of hiding vulnerabilities is quickly coming to an end," Ronallo said, urging organizations to establish clear responsible disclosure or bug bounty processes.
He also warns against reliance on a single vulnerability source. Companies need solutions "that aren’t wholly reliant on NVD," supplementing with internal research and alternative advisory feeds such as EUVD and GitHub Security Advisories.
The bottom line
Surpassing 50,000 CVEs is a symbolic threshold. What matters more is what comes next. AI will increase discovery velocity. Regulators will compress response timelines. Public and shareholder tolerance for unmanaged risk will continue to shrink.
In that environment, vulnerability management becomes less about tracking numbers and more about decision-making discipline at scale. The organizations that thrive won't be the ones chasing every disclosure—they'll be the ones engineered to handle the surge.
Follow SecureWorld News for more stories related to cybersecurity.