FIRST raised its 2026 vulnerability forecast to about 66,000 CVEs as AI takes over bug hunting
The raw count jumped 46% past the February projection. The number of bugs worth panicking about did not.

Janet Torvalds
June 29, 2026

The Forum of Incident Response and Security Teams, the group whose volunteers maintain the scoring systems most of the industry uses to rank bugs, now expects 2026 to close at roughly 66,000 published CVEs. That is a CVE, a Common Vulnerabilities and Exposures entry, the public record assigned to a confirmed software flaw. The new number, released June 15 at the group's annual conference in Denver, is 46.3% higher than the median it forecast in February, and it puts the year on pace to approach 70,000 disclosures for the first time.
The obvious read is that software is falling apart. It is not. The count is going up because the machines that look for flaws got much better, and there are a lot more of them looking.
What is actually driving the number
FIRST points to three things, and only one of them is the headline.
The first is AI-assisted discovery. Autonomous bug-hunting tools now file findings into the disclosure pipeline on their own. The clearest example in the report is Mozilla, whose CVE assignments jumped 164% in the first quarter. FIRST attributes that directly to Anthropic's Project Glasswing, which points the Mythos Preview agent and Claude Opus 4.6 at old bugs in the Firefox engine. Mozilla's engineers wired the agent into their existing fuzzing setup and credited the harness with finding and fixing 271 bugs for the Firefox 150 release. OpenAI's GPT-5.4-Cyber is named as another contributor.
The second driver has nothing to do with AI. GitHub Security Advisory volume rose 449% year over year, and VulnCheck's activity as a CVE Numbering Authority of last resort, the body that assigns IDs nobody else will, climbed 3,119% as it worked through a backlog of unassigned flaws. That is cataloging catching up with reality, not new holes appearing.
The third is the plainest of all. The number of distinct software products with tracked vulnerabilities has grown by two orders of magnitude. More software in the world means more bugs to file against it, with or without an AI in the loop.
The part the panic headlines skip
Here is the number that matters more than 66,000. The share of those CVEs that anyone actually needs to rush to patch has not moved.
FIRST filters the raw pile down to bugs that are either listed in CISA's Known Exploited Vulnerabilities catalog or score above 10% on EPSS, the Exploit Prediction Scoring System the group also runs to estimate the odds a flaw gets exploited in the wild. By that measure, the team says the patching burden is flat. The forecasters call it the rain versus the flood. The rain is every disclosure landing at once. The flood is the much smaller set of bugs attackers are actually using.
"In 2026, the rain doesn't stop," said Jerry Gamblin, a co-author of the forecast. "The job is no longer counting the drops. It's knowing which ones will overrun the levee."
So a team that triages with CISA KEV and EPSS, rather than reacting to the headline CVE count, can keep its exposure managed without hiring proportionally to the surge. That is a useful thing to know before a vendor quotes you the 66,000 figure as a reason to buy something.
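The triage rule the forecast describes, a CVE counts as urgent only if it is in CISA KEV or scores above 10% on EPSS, is short enough to write down. The Python below is an added illustration, not FIRST's code or a tool from the report; the feeds, the placeholder CVE ids and the scores are all constructed for the example, and the ordering of the urgent queue (KEV first, then by EPSS) is the example's own choice.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# The forecast's cut-off: a CVE is worth rushing only if it is in CISA KEV
# or its EPSS probability is above 10%.
EPSS_THRESHOLD = 0.10


@dataclass(frozen=True)
class Finding:
    cve_id: str
    epss: Optional[float]  # EPSS probability in [0, 1]; None if not yet scored
    in_kev: bool


def is_urgent(f: Finding, threshold: float = EPSS_THRESHOLD) -> bool:
    """KEV membership wins outright; otherwise require EPSS strictly above the cut-off."""
    if f.in_kev:
        return True
    return f.epss is not None and f.epss > threshold


def build_findings(cve_ids: Iterable[str], kev_ids: set, epss_by_id: dict) -> list:
    """Join the raw feeds: KEV is a set of ids, EPSS a mapping id -> probability."""
    return [Finding(c, epss_by_id.get(c), c in kev_ids) for c in cve_ids]


def triage(findings: Iterable[Finding], threshold: float = EPSS_THRESHOLD):
    """Split into (urgent, deferred); urgent is ordered KEV first, then by EPSS descending."""
    urgent, deferred = [], []
    for f in findings:
        (urgent if is_urgent(f, threshold) else deferred).append(f)
    urgent.sort(key=lambda f: (not f.in_kev, -(f.epss or 0.0)))
    return urgent, deferred


def urgent_share(findings: Iterable[Finding], threshold: float = EPSS_THRESHOLD) -> float:
    """Fraction of the raw pile that actually needs a rushed patch."""
    findings = list(findings)
    if not findings:
        return 0.0
    urgent, _ = triage(findings, threshold)
    return len(urgent) / len(findings)


# Constructed sample feeds with placeholder ids (not real CVEs, KEV entries or EPSS scores).
SAMPLE_CVES = [f"CVE-EXAMPLE-{n:04d}" for n in range(1, 7)]
SAMPLE_KEV = {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0006"}
SAMPLE_EPSS = {
    "CVE-EXAMPLE-0001": 0.02,   # low EPSS but in KEV -> still urgent
    "CVE-EXAMPLE-0002": 0.45,   # not in KEV, high EPSS -> urgent
    "CVE-EXAMPLE-0003": 0.10,   # exactly at the cut-off, not above it -> deferred
    # CVE-EXAMPLE-0004 has no EPSS score yet -> deferred unless it lands in KEV
    "CVE-EXAMPLE-0005": 0.001,
    "CVE-EXAMPLE-0006": 0.30,   # in KEV and high EPSS -> urgent
}


def triage_sample():
    """Run the sample feeds through triage and return (urgent ids, deferred ids)."""
    findings = build_findings(SAMPLE_CVES, SAMPLE_KEV, SAMPLE_EPSS)
    urgent, deferred = triage(findings)
    return [f.cve_id for f in urgent], [f.cve_id for f in deferred]


if __name__ == "__main__":
    urgent_ids, deferred_ids = triage_sample()
    print("patch now :", urgent_ids)
    print("schedule  :", deferred_ids)
    print("urgent share:", urgent_share(build_findings(SAMPLE_CVES, SAMPLE_KEV, SAMPLE_EPSS)))
```

Two details matter in practice: a CVE with no EPSS score yet is not silently treated as safe, it is simply deferred until a score or a KEV listing arrives, and the comparison is strictly above the threshold, so a score of exactly 0.10 does not qualify. The `urgent_share` figure is the number the article says has stayed flat while the raw count climbs.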
The real bottleneck is people
The constraint has moved. It used to be finding the bugs. Now an agent can surface more flaws in a week than a human team can verify, coordinate disclosure for, and patch.
"The challenge for defenders is no longer the discovery of vulnerabilities," said Eireann Leverett, who leads the group's forecasting team. "It's the capacity to verify, coordinate, and prioritize them at a scale the industry has never seen before."
FIRST also flags a category the databases never see at all. AI assistants now generate and deploy throwaway code on demand, and the flaws in that code rarely get a CVE. They are off the national registries and still running inside real systems. The group's recommendation there is unglamorous: dynamic cataloging, AI bills of materials, and runtime monitoring, because the CVE list was never built to track software that writes and discards itself.
How much to trust the figure
The 66,000 is a projection, not a tally. FIRST built it with an exponential-smoothing model trained on daily publication counts from January 2020 through the end of April 2026, then compared the first four months of actual disclosures against its own February baseline. The exploitability side leans on the CISA KEV catalog, which held 1,587 entries as of May 1, and EPSS scores covering 329,934 CVEs as of the same date. The team publishes its data and the Python behind it on GitHub, which is more than most forecasts of this kind bother to do.
The honest caveat is in FIRST's own notes: a dip in published counts often means analysts went on vacation, not that the internet got safer. When the people doing the verifying are the bottleneck, the disclosure rate measures their availability as much as it measures the bugs. Worth remembering the next time the monthly number moves and someone reads a trend into it.
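To make the two points above concrete, how an exponential-smoothing projection is built from daily counts and why a short dip in those counts can move it, here is a minimal version in Python. It is an added illustration, not the code FIRST publishes on GitHub: the model form (simple exponential smoothing with a straight-line extension over the remaining days), the smoothing constant and the daily series are all assumptions constructed for the example.

```python
# Simple exponential smoothing over a daily CVE publication series, then a
# straight-line projection of the year's total. This is a stand-in for the
# forecast's model, whose exact form is not given here (assumption).


def smoothed_level(counts, alpha=0.2):
    """Level after the last observation: s_t = alpha*x_t + (1-alpha)*s_{t-1}, with s_1 = x_1."""
    if not counts:
        raise ValueError("need at least one daily count")
    level = float(counts[0])
    for x in counts[1:]:
        level = alpha * x + (1 - alpha) * level
    return level


def project_year_total(counts, alpha=0.2, days_in_year=365):
    """Observed total so far plus the smoothed daily level applied to the remaining days."""
    remaining = days_in_year - len(counts)
    if remaining < 0:
        raise ValueError("more observations than days in the year")
    return sum(counts) + smoothed_level(counts, alpha) * remaining


# Constructed series (not real data): 120 days at a steady 180 disclosures per day.
STEADY = [180] * 120
# The same series, but the final week drops to 60 per day: the kind of dip the
# forecast's notes attribute to analysts being away rather than to fewer bugs.
WITH_DIP = [180] * 113 + [60] * 7


def projection_swing(alpha=0.2):
    """How far the one-week dip moves the year-end projection for a given alpha."""
    return project_year_total(STEADY, alpha) - project_year_total(WITH_DIP, alpha)


if __name__ == "__main__":
    for a in (0.2, 0.02):
        print(f"alpha={a}: steady={project_year_total(STEADY, a):.0f}",
              f"with dip={project_year_total(WITH_DIP, a):.0f}",
              f"swing={projection_swing(a):.0f}")
```

With a steady 180 a day the projection lands at 65,700, close to the headline figure. Replace the last seven days with a holiday-sized dip and the same model, at alpha 0.2, drops the projection by roughly 24,000, because the level it extrapolates is driven mostly by the most recent days. A smaller alpha dampens the swing to under 5,000. Neither number says anything about how many bugs exist; they say how much a disclosure-rate model trusts its latest week, which is the caveat the article makes.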
Sources (5)
- FIRST Mid-Year Vulnerability Forecast Confirms Historic Surge, Projects ~66,000 CVEs in 2026 (www.first.org)
- The 2026 Vulnerability Forecast Update: Navigating the AI Epoch (www.first.org)
- AI vulnerability discovery is pushing 2026 CVEs toward 66,000 (www.helpnetsecurity.com)
- FIRST Concludes FIRSTCON26 Amid Record Surge in Cyber Vulnerabilities (www.first.org)
- FIRST February 2026 Vulnerability Forecast (www.first.org)