
What happened: The FIRST Forecasting team reports that 2026 has seen a cumulative drift of +46.3% above their original forecast, revising the projected total to ~66K CVEs for the year. AI-assisted discovery tools—including Anthropic's Mythos agent and OpenAI's GPT-5.4-Cyber—have accelerated flaw identification, with a 164% spike in Q1 disclosures at Mozilla alone. At the same time, GitHub Security Advisories volume is up 449% year-over-year, and VulnCheck is up 3,119% year-over-year, driven by expanded curation and backlog absorption.
Why it matters: While the raw volume of reported vulnerabilities has surged, the number of truly exploitable flaws—those in CISA's Known Exploited Vulnerabilities catalog or scoring above 10% on the Exploit Prediction Scoring System—has remained flat. This means software maintainers will see more discovered bugs to review, but the actual patches needed for high-risk exposures should stay manageable through the end of 2026. The real constraint is no longer discovery; it is human capacity to verify, coordinate, and patch.
What to watch: Defenders should prepare for roughly double the bug-discovery workload in maintenance and development, while the patching workload for live systems may remain steady. The defining security race of late 2026 will be between AI-accelerated exploit development and AI-accelerated automated patching—a window of advantage that software maintainers should seize now to eliminate entire vulnerability classes rather than responding reactively to individual flaws.