The vulnerability forecast update from FIRST for June 2026 indicates a fundamental shift toward the "AI era." The number of identified CVEs is expected to rise to approximately 66,000, driven by the active use of specialized AI agents for automated bug hunting.


What Happened

According to the FIRST forecast, cybersecurity is undergoing a structural transition toward a capability-triggered model. This will lead to a significant increase in the number of registered vulnerabilities, as agents such as Anthropic Mythos and OpenAI GPT-5.4-Cyber begin to mass-automate the error detection process.

Context

Traditional cyber threat forecasting methods relied on time-series analysis. However, the emergence of powerful AI tools is changing the rules of the game: the speed and volume of vulnerability discovery now depend on the capabilities of the neural networks being used, creating a massive stream of security "noise" data.

Why It Matters for the Industry

For the industry, this means a necessary transition from classical patching to managing "noisy" vulnerabilities. Sectors will need to implement AI-BOM (Bill of Materials) standards to account for and control the ephemeral code generated by AI assistants within development pipelines.

Why It Matters for Users

Users and security professionals should not panic over the sharp rise in CVE statistics. The key factor is actionable risk, which remains stable. It is recommended to focus on real exploitability metrics, such as CISA KEV or EPSS > 10%, to avoid spending resources on useless patches.
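One way to apply the KEV / EPSS > 10% filter to a CVE backlog, as an added example that is not part of the FIRST forecast or the original article. The CVE IDs, scores and the `triage` helper are constructed for illustration; the field names assume the public CISA KEV JSON feed and the FIRST EPSS CSV export.

```python
import csv
import io
import json

# Constructed sample data (placeholder CVE IDs, not real records). Field names assume
# the CISA KEV JSON feed ("cveID") and the FIRST EPSS CSV export ("cve,epss,percentile").
KEV_JSON = '{"vulnerabilities": [{"cveID": "CVE-0000-0001"}, {"cveID": "CVE-0000-0004"}]}'
EPSS_CSV = """#model_version:constructed,score_date:constructed
cve,epss,percentile
CVE-0000-0001,0.02000,0.80000
CVE-0000-0002,0.45000,0.97000
CVE-0000-0003,0.10000,0.93000
CVE-0000-0005,0.00040,0.10000
"""
BACKLOG = [f"CVE-0000-000{i}" for i in range(1, 7)]  # constructed backlog, 0001..0006
EPSS_THRESHOLD = 0.10  # the article's "EPSS > 10%" cut-off


def load_kev(text):
    return {v["cveID"].upper() for v in json.loads(text)["vulnerabilities"]}


def load_epss(text):
    # The EPSS export starts with a '#' metadata line that must be skipped.
    rows = (line for line in io.StringIO(text) if not line.startswith("#"))
    return {r["cve"].upper(): float(r["epss"]) for r in csv.DictReader(rows)}


def triage(backlog, kev, epss, threshold=EPSS_THRESHOLD):
    """Split a backlog into act-now, deferred, and unscored CVEs."""
    result = {"act_now": [], "defer": [], "unscored": []}
    for cve in backlog:
        cve = cve.upper()
        score = epss.get(cve)
        if cve in kev:  # known exploited: act regardless of EPSS
            result["act_now"].append((cve, "KEV", score))
        elif score is None:  # no EPSS score yet: route to manual review
            result["unscored"].append(cve)
        elif score > threshold:  # strictly greater, as stated in the article
            result["act_now"].append((cve, "EPSS", score))
        else:
            result["defer"].append((cve, "below-threshold", score))
    # KEV entries first, then by descending EPSS score.
    result["act_now"].sort(key=lambda t: (t[1] != "KEV", -(t[2] or 0.0)))
    return result


if __name__ == "__main__":
    for bucket, items in triage(BACKLOG, load_kev(KEV_JSON), load_epss(EPSS_CSV)).items():
        print(bucket, items)
```

Unscored CVEs are kept in their own bucket rather than deferred, since a newly published CVE may not have an EPSS score yet.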

What Is Not Yet Known / Limitations

Despite the increase in the number of vulnerabilities, the complexity of developing reliable exploits still requires human oversight, which limits the instantaneous realization of threats.

Author

Look at AI, Editorial Staff