CVEs are set to top 50,000 this year, marking a record high – here’s how CISOs and security teams can prepare for a looming onslaught

While the CVE figures might be daunting, they won't all be relevant to your organization


The number of new Common Vulnerabilities and Exposures (CVEs) is set to top 50,000 for the first time this year, according to analysis from the Forum of Incident Response and Security Teams (FIRST).

In its 2026 Vulnerability Forecast, the non-profit said it expects to see around 59,000 new CVEs in 2026, but that as many as 70,000 to 100,000 vulnerabilities are entirely possible.

Notably, across its three-year outlook the organization predicts that these numbers will continue rising, with a median prediction of 51,018 CVEs in 2027 and 53,289 in 2028, and upper bounds reaching nearly 193,000 by 2028.

"The question organizations need to ask right now is: are my people and processes ready to handle this volume, and am I prioritizing the vulnerabilities that actually put my data at risk?" said Éireann Leverett, FIRST liaison and lead member of FIRST's Vulnerability Forecasting team.

"Much like a city planner considering population growth before commissioning new infrastructure, security teams benefit from understanding the likely volume and shape of vulnerabilities they will need to process," Leverett added.

"The difference between preparing for 30,000 vulnerabilities and 100,000 is not merely operational, it’s strategic."

While the figures may be jarring for business leaders, Kevin Knight, CEO of Talion, said it’s not quite a worst-case scenario. Indeed, it’s the impact of the vulnerabilities within their specific environments that business leaders and CISOs should be focusing on.

"These figures cover all software and platforms globally, meaning many CVEs will be irrelevant to individual businesses," he said.

"What may be critical for one organization could be insignificant for another. After all, when it comes to vulnerability management, it’s always about context, not volume."

How to prepare for a torrent of CVEs

Preparation ahead of the expected increase is key, according to FIRST. With this in mind, organizations should assess their capacity now to make sure their current staff and processes can handle these high numbers.

They should focus on the vulnerabilities that pose the greatest risk to their specific environment, not just those with the highest CVSS scores.

Elsewhere, the non-profit urged enterprises to prepare for the median forecast - but build contingency plans for higher-volume scenarios.

The use of vulnerability forecasts alongside asset inventories to make vendor- and product-specific preparations will also be crucial to avoid costly supply chain incidents.
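The steps above (filter by what you actually run, rank by environment impact rather than raw CVSS, and size capacity for the median forecast with contingency for the upper bound) as an added worked example; this is not code from FIRST or Talion, the asset inventory, CVE feed, ids and scoring weights are all constructed assumptions.

```python
"""Added example: triage a constructed CVE feed against an asset inventory and
size triage staffing for FIRST's 2026 forecast (59,000 median, 100,000 upper)."""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class CVE:
    cve_id: str        # constructed placeholder ids, not real CVE numbers
    vendor: str
    product: str
    cvss: float
    exploited: bool    # hypothetical "known exploited" flag from a KEV-style feed


# Constructed asset inventory: (vendor, product) -> business criticality 1..5
ASSETS = {
    ("examplevendor", "webgateway"): 5,
    ("examplevendor", "hrportal"): 3,
    ("othervendor", "buildagent"): 2,
}

# Constructed CVE feed; the fourth entry is noise for a product we do not run
FEED = [
    CVE("CVE-0000-0001", "examplevendor", "webgateway", 6.5, True),
    CVE("CVE-0000-0002", "examplevendor", "hrportal", 9.8, False),
    CVE("CVE-0000-0003", "unrelatedvendor", "gamesdk", 10.0, False),
    CVE("CVE-0000-0004", "othervendor", "buildagent", 4.3, False),
]


def in_scope(feed, assets):
    """Keep only CVEs for products in the inventory: context, not volume."""
    return [c for c in feed if (c.vendor, c.product) in assets]


def prioritise(feed, assets):
    """Rank in-scope CVEs by environment risk, not by raw CVSS alone.
    Assumed score: cvss * asset criticality, doubled when exploitation is known."""
    def score(c):
        return c.cvss * assets[(c.vendor, c.product)] * (2 if c.exploited else 1)
    return sorted(in_scope(feed, assets), key=score, reverse=True)


def analysts_needed(annual_cves, in_scope_fraction, minutes_per_cve, hours_per_year=1600):
    """Rough staffing estimate for one annual CVE volume (assumed 1600 productive hours/analyst)."""
    triage_hours = annual_cves * in_scope_fraction * minutes_per_cve / 60
    return ceil(triage_hours / hours_per_year)


def capacity_plan(in_scope_fraction, minutes_per_cve):
    """Plan for the median forecast and keep a contingency figure for the upper bound."""
    return {v: analysts_needed(v, in_scope_fraction, minutes_per_cve) for v in (59_000, 100_000)}
```

With these constructed inputs the top-ranked item is the CVSS 6.5 flaw in the critical, actively exploited gateway, ahead of the CVSS 9.8 flaw in a lower-value system.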

Security teams will face challenges

Naturally, security teams could face higher workloads and will be contending with a more perilous threat landscape moving forward.

Adding insult to injury, Knight noted that security teams are often brought in late during the procurement process - sometimes after contracts have been signed.

In some cases, applications are also deployed without the CISO’s knowledge altogether, creating blind spots and increasing the risk that critical vulnerabilities are being missed.

Meanwhile, poor third-party risk management means organizations can unknowingly inherit their suppliers’ vulnerabilities, effectively expanding their attack surface and putting their sensitive data at risk of being breached.

"As CVE disclosures continue to rise, businesses must ensure the CISO is involved from the outset of technology decisions," he said.

"This allows security teams to assess risk properly, minimize third-party risk, ensure new systems fall within the organization’s security posture and prioritize and mitigate vulnerabilities based on real business impact, rather than headline figures."


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.