Published CVEs could hit record-breaking 50,000-plus in 2026 - SC Media

The number of new vulnerability disclosures is predicted to surpass 50,000 in 2026, the first time Common Vulnerabilities and Exposures (CVEs) in the cybersecurity industry will cross that mark in a single year if figures in a new vulnerability forecast released Wednesday hold true. In fact, the team at the global security nonprofit Forum of Incident Response and Security Teams (FIRST) predicted that the median will be approximately 59,000 published CVEs by year’s end. Realistic scenarios suggested between 70,000 to 100,000 vulnerabilities were possible, according to its 2026 Vulnerability Forecast. The news for cybersecurity professionals only gets worse when looking toward the future. FIRST projected that the number of new CVEs will continue to grow in 2027, with a median of 51,018, and will increase again in 2028 to 52,289. FIRST said its forecast serves as a critical decision-making and planning tool for security teams across the industry. "The question organizations need to ask right now is: are my people and processes ready to handle this volume, and am I prioritizing the vulnerabilities that actually put my data at risk? Our forecast allows defenders to stop reacting to every new CVE and start making strategic decisions about where to focus limited resources before attackers exploit the gaps," said Éireann Leverett, FIRST Liaison and Lead Member of FIRST's Vulnerability Forecasting Team. Future of CVE program unclear after March Another question is whether the CVE program will continue in its current form. The federally funded nonprofit MITRE Corporation received last-minute funding in April 2025 to continue operating the CVE program, which is one of the "foundational pillars of the cybersecurity ecosystem." MITRE’s CVE classifications program enables authorized organizations to identify, assign, and publish unique CVE IDs for publicly known cybersecurity vulnerabilities, SC Media reported at the time. The process is critical to the cybersecurity community because it is the de facto standard for ensuring consistent, centralized tracking and disclosure of cybersecurity vulnerabilities. While the CVE program received a reprieve last year, funding was set for only 11 months and ends in March 2026. Cybersecurity professionals contacted by SC Media said FIRST's forecast for more vulnerabilities is unfortunate and unsurprising, and that companies can prioritize addressing security issues using a variety of resources such as staffing, tools, technology and programs such as bug bounties and their own disclosure programs. Any company producing or obtaining software needs to have solutions that aren’t wholly reliant on a national vulnerability database, said Ben Ronallo, Black Duck's principle cybersecurity engineer. A solution with its own threat research team supplementing detections with minimal delay and combines with other sources such as other national databases like the European Union Vulnerability Database (EUVD), GitHub’s Security Advisories (GHSA), and other open-source advisory feeds will be critical to building redundancy against the influences of any government, Ronallo added. Even though FIRST's predictions are impressive, the CISO’s challenge hasn’t changed — knowing which vulnerabilities to address, in what order, on what timeline — said Trey Ford, chief strategy and trust officer at BugCrowd. "We will be seeing threat actors agentically find vulnerabilities at machine speed," Ford continued, "but at what point do we rationally see patches agentically developed and deployed at machine speed? And how do security leaders make decisions around this? "We’re on the precipice of some really exciting times."