
CVEs are on pace to hit nearly 70,000 in 2026, but Jerry Gamblin explains why the actual exploitable risk is staying surprisingly flat.
Description
Jerry Gamblin runs RogoLabs and built CVE.ICU, and he co-authored the FIRST mid-year vulnerability forecast that just put 2026 on pace for nearly 70,000 CVEs. He joins Resilient Cyber to separate the scary headline number from what actually matters for defenders. We get into why GitHub now publishes one in five CVEs, the rain versus flood distinction that explains why exploitable risk is flat even as raw volume explodes, what the NVD collapse means now that the CNAs (CVE Numbering Authorities) have to step up, and how teams should really be triaging with EPSS (the Exploit Prediction Scoring System) and the CISA KEV (Known Exploited Vulnerabilities) catalog.
Key takeaways
- CVEs are on pace for nearly 70,000 in 2026, up more than 40 percent year over year. Much of the surge traces back to a single source, with GitHub now publishing one in five CVEs after scaling up its advisory team.
- The three drivers behind the surge are very different forces. AI-assisted discovery that nobody can definitively flag, a 449 percent jump in GitHub security advisories, and VulnCheck acting as a CNA of last resort all get lumped into one scary number.
- Rain versus flood is the frame that matters. Raw CVE volume is climbing fast, but once you filter for CISA KEV and EPSS the actionable, exploitable risk has stayed essentially flat.
- Most of the new findings are old human debt, not a new AI threat. The OWASP Top 10 has barely changed in 25 years, and tooling can now find those same mistakes at scale across mostly open source code.
- The AI moment is useful cover to finally patch. Jerry argues teams are using the AI hype cycle to win the time and resources to fix long-known issues, which is a genuinely good outcome.
- The NVD was the dam that fell. It was never fair to expect one small organization to enrich every CVE, so responsibility now shifts back to the CNAs and the large vendors that leaned on it for years.
- Treat CVE data as a product you pay for. Jerry's advice is to use procurement leverage, since demanding better CVE records before you renew a contract is one of the few real forcing functions available.
- What gets exploited has not really changed. VPN concentrators and the same old vulnerability classes still dominate, and the NSA's annual top 10 exploited bugs are reliably old, with no sign yet of AI driving widespread attacks.
- Asset inventory is still the real bottleneck. You cannot triage what you cannot see, and most organizations still cannot say with confidence whether they even run the software a given pile of CVEs affects.
- AI-accelerated exploitation is coming, but not as mass exploits. The bigger shift is a tireless attacker that loops on your network for days until it finds a way in, which is exactly what agents are best at.
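The rain versus flood frame and the asset inventory point above reduce to a filtering order: drop what you do not run, pull out anything in KEV regardless of its score, then rank the remainder by EPSS. The script below is an added example written for this page, not code from Jerry Gamblin, RogoLabs or the podcast. The CVE ids, EPSS scores, installed flags and the stand-in KEV set are all constructed sample data, and the 0.1 EPSS threshold is an assumed cut-off, not a recommendation from the episode.

```python
"""Rain vs flood triage: shrink raw CVE volume down to actionable risk.

Added example for this page; all data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str      # constructed placeholder ids, not real CVEs
    epss: float      # EPSS: estimated probability of exploitation in the next 30 days
    installed: bool  # asset inventory says the affected software is actually present


# Constructed sample "rain": six CVE records as a scanner might emit them.
SAMPLE_CVES = [
    CveRecord("CVE-0000-0001", 0.92, True),
    CveRecord("CVE-0000-0002", 0.03, True),   # low EPSS but known exploited (see KEV below)
    CveRecord("CVE-0000-0003", 0.41, True),
    CveRecord("CVE-0000-0004", 0.67, False),  # known exploited, but we do not run it
    CveRecord("CVE-0000-0005", 0.01, True),
    CveRecord("CVE-0000-0006", 0.00, True),
]

# Constructed stand-in for the set of ids in the CISA KEV catalog.
SAMPLE_KEV = {"CVE-0000-0002", "CVE-0000-0004"}

# Assumed threshold: treat EPSS at or above this as worth acting on now.
DEFAULT_EPSS_THRESHOLD = 0.1


def triage_tier(record, kev_ids, epss_threshold=DEFAULT_EPSS_THRESHOLD):
    """Classify one record.

    Order matters: inventory first (you cannot triage what you do not run),
    KEV second (observed exploitation beats any prediction), EPSS third.
    Returns one of 'not_installed', 'kev', 'epss', 'backlog'.
    """
    if not record.installed:
        return "not_installed"
    if record.cve_id in kev_ids:
        return "kev"
    if record.epss >= epss_threshold:
        return "epss"
    return "backlog"


def triage(records, kev_ids, epss_threshold=DEFAULT_EPSS_THRESHOLD):
    """Bucket all records by tier; the 'epss' bucket is sorted highest score first."""
    tiers = {"kev": [], "epss": [], "backlog": [], "not_installed": []}
    by_tier = {}
    for rec in records:
        tier = triage_tier(rec, kev_ids, epss_threshold)
        by_tier.setdefault(tier, []).append(rec)
    for tier, recs in by_tier.items():
        if tier == "epss":
            recs = sorted(recs, key=lambda r: r.epss, reverse=True)
        tiers[tier] = [r.cve_id for r in recs]
    return tiers


def actionable(records, kev_ids, epss_threshold=DEFAULT_EPSS_THRESHOLD):
    """The 'flood' that actually needs patching: KEV hits first, then high-EPSS items."""
    tiers = triage(records, kev_ids, epss_threshold)
    return tiers["kev"] + tiers["epss"]


if __name__ == "__main__":
    result = triage(SAMPLE_CVES, SAMPLE_KEV)
    for tier, ids in result.items():
        print(f"{tier:>14}: {', '.join(ids) or '-'}")
    todo = actionable(SAMPLE_CVES, SAMPLE_KEV)
    print(f"\n{len(todo)} of {len(SAMPLE_CVES)} records are actionable: {todo}")
```

Two of the constructed records carry the lesson: CVE-0000-0002 has a near-zero EPSS score and would be dropped by a score-only filter, yet it lands in the top tier because KEV records observed exploitation; CVE-0000-0004 is in KEV but never reaches triage because the inventory says the software is not present. Swap the constructed lists for a real scanner export, the real KEV JSON and the daily EPSS feed and the same three checks apply.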
Guest
Jerry Gamblin, creator of CVE.ICU and founder of RogoLabs.
Resources mentioned
FIRST 2026 mid-year vulnerability forecast
Subscribe
www.resilientcyber.io