The 50,000 vulnerability question

In its 2025 report, First said that the higher end of its predicted range topped out at 50,000 CVEs – the number its analysts expect to comfortably exceed this year. This was partly due to the rapid adoption of open source software (OSS) and the use of AI tools both in vulnerability discovery  During the course of the year, the emergence of the vibecoding phenomenon likely also had an impact.

In the event, First’s prediction was bang on, Leverett revealed, tipping over the upper confidence mark on 31 December 2025 for a final total of 49,972 observed CVEs, just 28 short of the magic number.

However, ideally, the upper confidence point would fall somewhere in 2026, with the median confidence point falling on New Year’s Eve, and as a result, First has reviewed its approaches and methodology going forward. Whether or not this means its 2026 forecast will be even more accurate remains to be seen.

“[Our] new method of forecasting … allows for asymmetric confidence intervals. This means we are taking into account that the publication number is more likely to exceed last year than be less than last year,” Leverett told Computer Weekly.

“So while we expect the number to be closer to 60,000, there is a 10% chance it exceed 118,000. Most of this is just statistics, but there is also discussion about emerging technologies and how they might stretch the range of possible numbers, which meant we were more comfortable publishing the results of this modelled outcome than some others.”

Next steps

While at first glance First’s annual CVE report might seem just an interesting statistical marker, the forecast serves as a potentially critical planning tool for the security sector when it comes to planning patching capacity, writing coordinated disclosures, or developing new detection signatures for SIEM, EDR or IDS platforms.

“Much like a city planner considering population growth before commissioning new infrastructure, security teams benefit from understanding the likely volume and shape of vulnerabilities they will need to process,” said Leverett.

“The difference between preparing for 30,000 vulnerabilities and 100,000 is not merely operational, it’s strategic.”

Whether they end up facing 50,000 or 100,000 CVEs and always keeping in mind that not every flaw will affect every business, security leaders at end-user organisations can start the work to get out in front of the problem right now.

A strong jumping off point is to assess whether the organisation has the people, processes, and capacity to handle so many issues. A well-prepared CISO will have prepared for the median forecast but will also have built contingency plans for the higher-volume scenarios.

Security pros also need to master the art of ruthless prioritisation, focusing on the flaws that pose the greatest risk to their specific IT estates, and not just those with the most critical CVSS numbers.

Finally, leaders should leverage external vulnerability forecasts alongside their own asset inventories to make vendor- and product-specific preparations.

“No company can solve vulnerabilities and cyber security in isolation. The organisations that recover fastest are the ones with trusted networks already in place, sharing threat intelligence and coordinating response before a crisis hits,” said First CEO Chris Gibson.