THE 2026 vulnerability forecast from the Forum of Incident Response and Security Teams (FIRST) anticipates a significant increase in disclosed CVEs, reaching around 66,000—marking a 46.3% rise compared to original predictions. This surge is attributed to the rise of AI technologies in vulnerability discovery, specifically autonomous AI agents like Anthropic's Mythos and OpenAI's GPT-5.4, which enhance the identification of software flaws.
The report emphasizes that while the number of CVEs is growing, the real actionable risk remains unchanged; only 6.5% of CVEs are expected to pose a serious threat. The challenge now lies in human resources for verification and patching, rather than discovery. Additionally, the report highlights concerns regarding ephemeral software that often escapes traditional CVE tracking. Practical recommendations include preparing for more frequent patch releases and focusing on exploitability overlays to address genuine threats.