
FIRST: AI pushes the 2026 CVE forecast to 66,000

June 15, 2026

[Image: abstract blue cybersecurity graphic with network nodes and lock icons]

FIRST now expects about 66,000 CVEs in 2026. The problem is not just the number of findings, but deciding which flaws really need fast patching.

What this is about

FIRST, the Forum of Incident Response and Security Teams, now expects about 66,000 CVEs in 2026, according to a report published on June 15, 2026. That would be a historically high number for public vulnerability documentation. But the important point is not the record number itself. The report describes a shift: AI systems and autonomous discovery agents are finding more possible bugs, while human teams still have to verify, coordinate and patch them.

That makes the story more concrete for security and software teams than the usual AI security debate. If more reports are created but the number of truly urgent patches does not rise at the same pace, prioritization becomes the central job.

What the CVE forecast actually does

The forecast estimates how many vulnerabilities are likely to be registered as CVEs during the year. CVE is not an automatic danger label; it is a shared naming system. It helps teams talk about the same flaw, connect advisories and track patches.

The new estimate of about 66,000 comes, according to Help Net Security, from higher current counts and the influence of automated discovery. Database backfills, more open-source projects receiving serious security attention and the plain growth of software also play a role. So the count reflects not only more flaws being introduced, but also more visibility into flaws that already existed.

Why it matters

For companies, the total number of CVEs is not what matters most. What matters is whether a flaw exists in their own environment, whether it is reachable from the internet and whether attackers can use it. This is where the pressure appears: a larger CVE flood makes weak processes more expensive.

FIRST's message fits other observations. Barracuda warned in May 2026 against confusing raw CVE totals with real risk. Red Hat described in June 2026 how AI-assisted security work can sharply increase the number of triaged findings. Together, the picture is clear: the industry is getting more raw material, but not automatically better decisions.

In plain language

Imagine a building manager after a storm. In the past, ten damage reports arrived each day; now drones and sensors report one hundred. That is good, because fewer broken windows are missed. But someone still has to decide which window must be secured immediately and which small scratch can wait until tomorrow.

CVEs work in a similar way. AI can find more possible weak spots. Security only improves when people and tools prioritize the right weak spots and repair them cleanly.

A practical example

A mid-sized SaaS provider runs 180 services, 42 external integrations and 1,200 container images. In one quarter, scanners create 900 new CVE findings. Of those, 260 affect packages actually in use, 38 are reachable from the internet and 6 have exploit signals or match active attack patterns.

The team gains nothing by treating all 900 tickets equally. A useful process first sorts by asset criticality, exposure, exploit likelihood and patch effort. The 6 urgent flaws are fixed within days, the 38 exposed findings are planned next, and the rest move into regular release cycles.
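The funnel described above (900 findings, 260 in use, 38 reachable, 6 with exploit signals) can be expressed as a small triage routine. The following is an added example, not code from the article's author or from FIRST; the field names (`in_use`, `internet_reachable`, `exploit_signal`, `epss`, `asset_criticality`, `patch_effort`) and the 0.1 EPSS threshold are assumptions for illustration, and the findings and CVE ids are constructed placeholders. It goes slightly beyond the text by also ordering findings within each tier by criticality, exploit likelihood and patch effort.

```python
"""Triage sketch: bucket scanner findings by use, exposure and exploit signals.

Added example, not from the FIRST report or the article. Field names and the
EPSS threshold are assumptions; sample findings below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve_id: str             # identifier as reported by the scanner (placeholder here)
    package: str
    in_use: bool            # package is actually loaded by a deployed service
    internet_reachable: bool
    exploit_signal: bool    # known exploitation, public exploit, or matching attack pattern
    epss: float             # probability-of-exploitation score in [0, 1] (constructed)
    asset_criticality: int  # 1 (low) .. 3 (high), from the asset inventory
    patch_effort: int       # 1 (trivial) .. 3 (major change), estimated by the owner


URGENT, NEXT, ROUTINE, IGNORE = "urgent", "next", "routine", "not-applicable"


def tier(f: Finding, epss_threshold: float = 0.1) -> str:
    """Map one finding to a patch tier.

    Order of checks follows the article's funnel: not in use -> not applicable;
    reachable from the internet with an exploit signal (or high EPSS) -> urgent;
    reachable, or likely exploited on a critical asset -> next; else routine.
    """
    if not f.in_use:
        return IGNORE
    exploit_likely = f.exploit_signal or f.epss >= epss_threshold
    if f.internet_reachable and exploit_likely:
        return URGENT
    if f.internet_reachable or (exploit_likely and f.asset_criticality == 3):
        return NEXT
    return ROUTINE


def priority_key(f: Finding) -> tuple:
    """Sort key within a tier: most critical, most likely exploited, cheapest patch first."""
    return (-f.asset_criticality, -f.epss, f.patch_effort, f.cve_id)


def triage(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Group findings into tiers and order each tier for the patch queue."""
    buckets: dict[str, list[Finding]] = {URGENT: [], NEXT: [], ROUTINE: [], IGNORE: []}
    for f in findings:
        buckets[tier(f)].append(f)
    for bucket in buckets.values():
        bucket.sort(key=priority_key)
    return buckets


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per tier (what a weekly report would show)."""
    return {name: len(bucket) for name, bucket in triage(findings).items()}


# Constructed sample findings; the CVE ids are placeholders, not real entries.
SAMPLE = [
    Finding("CVE-0000-0001", "libexample", True, True, True, 0.62, 3, 2),
    Finding("CVE-0000-0002", "libexample", True, True, False, 0.05, 2, 1),
    Finding("CVE-0000-0003", "jsonparse", True, False, False, 0.02, 3, 1),
    Finding("CVE-0000-0004", "legacy-tool", False, True, True, 0.90, 1, 3),
    Finding("CVE-0000-0005", "internal-rpc", True, False, True, 0.45, 3, 2),
    Finding("CVE-0000-0006", "devdep", True, False, False, 0.01, 1, 1),
]

if __name__ == "__main__":
    for name, items in triage(SAMPLE).items():
        print(name, [f.cve_id for f in items])
```

The point of the ordering is that the `in_use` check comes first: a finding for a package nobody deploys never reaches the exploitability logic, which is where most of the 900 tickets in the example drop out. The EPSS threshold and the criticality cut-off are knobs a team would tune against its own inventory rather than fixed values.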

Scope and limits

First, the 66,000 figure is a forecast, not a completed annual count. It can change if disclosure processes, database backfills or publication rhythms change.

Second, more CVE volume does not automatically mean more acute danger. Many entries affect configurations, internal components or products a specific company does not use.

Third, AI does not remove the human bottleneck by itself. Someone still has to confirm findings, find owners, test patches and document exceptions. Without an asset inventory and clear accountability, more automation only creates more noise.


💡 In plain English

AI is finding more possible software flaws. That helps, but it also creates noise. The key question is whether teams can quickly spot the small number of flaws that truly matter.

Key Takeaways

  • FIRST expects about 66,000 CVEs in 2026.
  • AI-assisted discovery increases the number of possible findings.
  • More CVEs do not automatically mean more immediate danger.
  • Asset inventory, exploit signals and exposure matter more than raw ticket counts.
  • Without clear patch processes, automation mainly creates more noise.

FAQ

Is every CVE an emergency?

No. A CVE is first a shared name for a vulnerability. It becomes urgent only through context such as exploitability, exposure and affected systems.

Why is the CVE count rising?

AI-assisted discovery, more software, better cataloging and database backfills all contribute to the increase.

What should teams do now?

They should improve asset inventory, prioritization and patch ownership instead of only collecting more scanner tickets.

Sources & Context