Why 70,000 CVEs is Less Scary Than It Sounds

The count is exploding, the exploitable risk is flat, and Jerry Gamblin explains why

Every few weeks another headline warns that vulnerability disclosures are setting records, and 2026 is now on pace for nearly 70,000 CVEs. Jerry Gamblin helped build the forecast behind that number, and his takeaway is not the one you would expect. The count is surging, but the risk that actually matters has barely moved.

Why this conversation matters

Jerry runs RogoLabs, built CVE.ICU, and co-authored the FIRST mid-year forecast, which makes him one of the few people who can explain what is really driving the surge instead of just reacting to it.

He walks through why a single source, GitHub, is responsible for so much of the growth, why most of these findings are old debt rather than new danger, and why the NVD breaking down is forcing a long-overdue reckoning for the CNAs. If you own vulnerability management, this is a practical guide to tuning out the noise and triaging what counts.

Key takeaways

  • The 70,000 number is real, but one source is inflating it. CVEs are up more than 40 percent year over year, and GitHub alone now publishes one in five of them after scaling up its advisory team.

  • Three very different forces get lumped into one scary figure. AI-assisted discovery that no CVE record actually flags, a 449 percent jump in GitHub security advisories where a script downloaded ten times can earn the same CVE as a Windows flaw on a billion devices, and VulnCheck operating as a CNA of last resort are each driving volume for different reasons.

  • Rain versus flood is the whole point. Total CVE volume is climbing fast, but once you filter for CISA KEV and EPSS, the genuinely exploitable risk has stayed essentially flat, so it is raining without flooding.

  • Most of the surge is 25 years of human debt finally getting found. The OWASP Top 10 has barely changed since it was first published, and AI tooling is simply surfacing the same old mistakes at scale rather than inventing new danger.

  • The AI panic is being put to good use. Jerry’s optimistic read is that teams are using the hype to win budget and cycles to patch long-known issues, and a finding from a shiny AI tool tends to get fixed faster than the same finding from last year’s pentest.

  • The NVD was the dam that fell. It was never reasonable to expect one small organization to enrich every CVE for the whole world, so the burden now returns to the CNAs and the large vendors that quietly relied on it to clean up their records.

  • Treat CVE data as a product you pay for. Jerry’s most actionable advice is to use procurement leverage, since demanding better CVE records before renewing a contract is one of the only forcing functions that reliably moves vendors.

  • What actually gets exploited has not changed. VPN concentrators and the same familiar vulnerability classes still dominate, the NSA’s annual top 10 exploited bugs are reliably old, and there is no sign yet of AI driving widespread attacks.

  • The unsolved problem is still asset inventory. You cannot triage what you cannot see, and most organizations still cannot say with confidence whether they even run the software behind a given pile of CVEs.

  • AI-accelerated exploitation will look like patience, not mass exploits. The real shift is a tireless attacker that loops on your network for days until it finds a way in, which is precisely what agents are good at.
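The rain-versus-flood filter from the takeaways above, combined with the asset-inventory check, as an added example that is not code from the episode, RogoLabs or CVE.ICU; the records, the placeholder CVE IDs and the 0.10 EPSS cut-off are all constructed assumptions, not real data or a recommended threshold.

```python
from collections import defaultdict
from dataclasses import dataclass

EPSS_THRESHOLD = 0.10  # assumed cut-off, not a value from the episode; tune to your risk appetite

@dataclass(frozen=True)
class CveRecord:
    cve_id: str          # placeholder IDs below are constructed, not real CVEs
    year: int
    epss: float          # EPSS probability of exploitation in the next 30 days (0..1)
    in_kev: bool         # listed in the CISA KEV catalog
    in_inventory: bool   # affected software actually appears in our asset inventory

def is_flood(rec: CveRecord, epss_threshold: float = EPSS_THRESHOLD) -> bool:
    """'Flood' means exploitable risk: in KEV, or EPSS at or above the threshold."""
    return rec.in_kev or rec.epss >= epss_threshold

def triage(records, epss_threshold: float = EPSS_THRESHOLD) -> dict:
    """Per year: everything published ('rain'), the exploitable subset ('flood'),
    and the exploitable subset we actually run ('patch_now')."""
    out = defaultdict(lambda: {"rain": 0, "flood": 0, "patch_now": 0})
    for rec in records:
        row = out[rec.year]
        row["rain"] += 1
        if is_flood(rec, epss_threshold):
            row["flood"] += 1
            if rec.in_inventory:
                row["patch_now"] += 1
    return dict(out)

# Constructed sample: volume jumps in 2026 while exploitable risk stays flat.
SAMPLE = [
    CveRecord("CVE-2025-EX01", 2025, 0.92, True,  True),
    CveRecord("CVE-2025-EX02", 2025, 0.35, False, True),
    CveRecord("CVE-2025-EX03", 2025, 0.01, False, False),
    CveRecord("CVE-2025-EX04", 2025, 0.02, False, True),
    CveRecord("CVE-2026-EX01", 2026, 0.88, True,  False),
    CveRecord("CVE-2026-EX02", 2026, 0.12, False, True),
    CveRecord("CVE-2026-EX03", 2026, 0.00, False, True),   # e.g. an advisory for a rarely downloaded script
    CveRecord("CVE-2026-EX04", 2026, 0.01, False, False),
    CveRecord("CVE-2026-EX05", 2026, 0.03, False, True),
    CveRecord("CVE-2026-EX06", 2026, 0.00, False, False),
    CveRecord("CVE-2026-EX07", 2026, 0.05, False, False),
]

if __name__ == "__main__":
    for year, row in sorted(triage(SAMPLE).items()):
        print(year, row)
```

With the sample data the 2026 "rain" nearly doubles while "flood" is unchanged, and the inventory flag shrinks the list further to what actually needs patching.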

Notable quotes

“GitHub is now publishing one in five CVEs”

Jerry Gamblin, on what is really behind the record numbers.

“the NVD was the dam that fell”

Jerry Gamblin, on why responsibility now shifts back to the CNAs.

“we really need to start having people see CVE data as a product that they’re paying for”

Jerry Gamblin, on the one forcing function that actually moves vendors.

Listen and watch

YouTube

Spotify

Apple Podcasts

Resources

CVE.ICU

RogoLabs

FIRST 2026 mid-year vulnerability forecast

CISA KEV Catalog

EPSS

Subscribe

If this kind of signal-over-noise take on vulnerability management is useful to you, subscribe to Resilient Cyber for more conversations and writing on cybersecurity, AI, and the forces that shape both.
