NEWS 118,000 holes in code. By 2026, the internet will be inundated with vulnerability reports.

pinkman

Database chaos is gradually becoming the new norm.
In 2026, vulnerability management companies may face an unprecedented volume of new logs, but this doesn't mean the internet will instantly become more dangerous. The challenge is shifting from finding new holes to quickly and accurately separating truly critical findings from a flood of insignificant messages.

According to a forecast by the Forum of Incident Response and Security Teams (FIRST), the number of publicly disclosed vulnerabilities could exceed 50,000 in 2026, approaching 59,000 in the median scenario. In more extreme but still realistic scenarios, the estimate rises to nearly 118,000; by comparison, according to estimates cited in the article, approximately 48,000 CVEs were registered in 2025. The forecast's authors emphasize that this is not a sign of a sharp increase in attacker capabilities, but rather that the industry is becoming better at identifying and recording issues.

FIRST representative Éireann Leverett attributes the growth to several factors: the number of teams and organizations working on vulnerability disclosures is growing, the CVE ecosystem is expanding, and bug bounty programs further incentivize publication.

A closer focus on long-running codebases is also noted, especially in open source infrastructure, where many bugs have existed for years but are only now being identified and included in the statistics. FIRST also changed its modeling approach to account for the shift around 2017, when the pace of publications accelerated significantly, and now proposes planning resources around a range rather than a single figure.

At the same time, the raw count of CVEs is a poor proxy for the actual risk to businesses. Mikhail Roytman, Technical Director of Empirical Security, points out that exploitation follows different laws and is not necessarily tied to the same disclosure dynamics, in part because working exploits can appear even before a CVE identifier is published.

According to Roytman, of the tens of thousands of vulnerabilities registered in 2025, only a small fraction had public proof-of-concept exploits, and an even smaller proportion showed signs of exploitation in real-world attacks. A significant share of CVEs concern niche software, consumer devices, or configurations that are not a priority for large organizations, and many theoretically attackable flaws remain unattractive to attackers compared with already proven and widely deployed options.

The main challenge, as FIRST sees it, is primarily operational. By the organization's estimates, the bulk of the threat comes from roughly 5% of vulnerabilities, but as overall volume grows it becomes harder to consistently identify that small percentage. Roytman emphasizes that the workload can still be handled if processing is automated, whereas relying on humans to analyze tens of thousands of items quickly becomes a dead end. Prioritization, automated triage, and resource planning are therefore becoming increasingly important.

The role of AI raises particular concern. Tools based on large language models do speed up the discovery of code defects, but this does not imply a comparable surge in mass exploitation. In Roytman's reasoning, attackers remain constrained by economic and practical limits, so they continue to focus on a small set of vulnerabilities that produce predictable results. Defenders, meanwhile, use machine learning to estimate the likelihood of exploitation and filter out noise.

The growing number of disclosures also puts pressure on vulnerability infrastructure. The risk of backlogs building up among CVE ecosystem participants, including MITRE, the National Vulnerability Database, and the organizations acting as CVE Numbering Authorities, is already being discussed.

RAND researcher Sasha Romanosky believes the system is more likely to degrade gradually than to "break down": some records will simply be processed with delays or remain without full enrichment. As a result, organizations may lean more heavily on commercial tools and internal analytics, and the gap between mature and immature vulnerability management processes will become more noticeable.