In 2026, the cybersecurity industry is expected to cross a threshold it has never reached before: more than 50,000 publicly disclosed software vulnerabilities in a single year.
According to a new forecast from the Forum of Incident Response and Security Teams (FIRST), the median projection for 2026 is roughly 59,000 Common Vulnerabilities and Exposures (CVEs). Under more extreme, but plausible, scenarios, that number could climb far higher, reaching nearly 118,000, more than double the estimated 48,000 or so CVEs reported in 2025.
But security researchers and data scientists caution that the numbers tell only part of the story. Historically, only a small fraction of disclosed vulnerabilities is ever exploited in the wild, and an even smaller subset meaningfully affects most enterprises.



