CVEs set to hit record high levels in 2026


A new report predicts that this year will mark the first time the industry will cross 50,000 published CVEs in a single year. The findings, from global cybersecurity nonprofit The Forum of Incident Response and Security Teams (FIRST), suggest that between 70,000 and 100,000 vulnerabilities are entirely possible in 2026.

The wider three-year outlook projects continued growth: 51,018 CVEs (median) in 2027 and 53,289 CVEs (median) in 2028, with upper bounds reaching nearly 193,000 by 2028.

“The question organizations need to ask right now is: are my people and processes ready to handle this volume, and am I prioritizing the vulnerabilities that actually put my data at risk? Our forecast allows defenders to stop reacting to every new CVE and start making strategic decisions about where to focus limited resources before attackers exploit the gaps,” says Éireann Leverett, FIRST liaison and lead member of FIRST’s Vulnerability Forecasting Team.

The forecast serves as a critical planning tool for security teams across the industry. Whether organizations are planning patching capacity, writing coordinated vulnerability disclosure reports, or developing detection signatures for SIEM, EDR, or IDS platforms, understanding the expected volume of vulnerabilities enables better resource allocation and strategic decision-making.

“Much like a city planner considering population growth before commissioning new infrastructure, security teams benefit from understanding the likely volume and shape of vulnerabilities they will need to process,” Leverett adds. “The difference between preparing for 30,000 vulnerabilities and 100,000 is not merely operational, it’s strategic.”

The report advises organizations to look at whether their current people and processes can handle 50,000+ CVEs. They need to focus on vulnerabilities that pose the greatest risk to their specific environment, not just those with the highest CVSS scores.

They should also build contingency plans for higher-volume scenarios and use vulnerability forecasts alongside asset inventories to make vendor- and product-specific preparations.

“No company can solve vulnerabilities and cybersecurity in isolation. The organizations that recover fastest are the ones with trusted networks already in place, sharing threat intelligence and coordinating response before a crisis hits,” says Chris Gibson, CEO of FIRST.

You can read more on the FIRST blog.
