Three years. That is how long it took for monthly CVE discovery to nearly triple.
In June 2023 there were about 2,200 new vulnerabilities reported per month. Today, June 2026, that number sits above 6,100 and is still climbing. The annual totals confirm the trend: AI has shifted the discovery and exploitation momentum. This is not drift. It is a step-function change. And AI is behind most of it, from two directions at once.
What the Numbers Actually Say
Before attributing everything to AI, note that two separate forces are driving this surge, and they are not the same thing.
The first is AI-powered discovery. Discovery tools, autonomous security agents, and AI-assisted fuzzing have cut the time required to identify exploitable conditions from months to hours. Researchers and threat actors now run the same acceleration playbook.
The second is AI-generated code. Code ships at a pace no human team could match, and it ships with bugs. Research from the Cloud Security Alliance documents the pattern of AI-assisted developers committing code at three to four times the rate of non-AI peers, and monthly security findings in those environments rose from approximately 1,000 to more than 10,000 over six months.
Two phenomena. One CVE database.
The Four Milestones That Shaped This Surge
June 2023: AI Code Assistants Hit Critical Mass
By mid-2023, GitHub Copilot had passed one million paid subscribers. GPT-4 was available via API. Claude was in widespread enterprise use. AI-assisted development had arrived. Security teams were still calibrating to what that meant for their attack surface.
Developers shipped faster, code review bottlenecks widened, and the assumption that human review would catch security issues before production became increasingly untenable.
February 2024: Expanded Reporting and AI Code Bugs Surface Together
February 2024 brought two converging signals. The Linux Kernel became its own CVE Numbering Authority, expanding the volume of officially reported CVEs and contributing to the 38% year-over-year jump. So some of the 2024 spike reflects expanded reporting scope, not purely new vulnerability creation.
At the same time, the AI-generated code signal became undeniable. AI coding tools had been mainstream long enough for vulnerabilities born from that code to age into public disclosure timelines. The pipeline was filling.
January 2025: Vibe Coding Goes Mainstream
January 2025 set a single-month record: 4,278 CVEs published in 31 days. The same month, Microsoft’s Patch Tuesday hit a record 206 CVEs, and Dark Reading directly attributed the spike to AI.
This period also marked when vibe coding shifted from niche productivity hack to standard practice. Developers describe intent to an AI, accept the generated output with minimal review, and ship. The CSA showed that security debt from AI-generated code is measurable and now showing up in CVE databases at scale.
The full-year 2025 total of 48,185 CVEs averages to 131 per day. That, unfortunately, became the new average, not a peak.
January 2026: Agentic AI Coding Becomes Standard Practice
Q1 2026 came in 33% above Q1 2025. Agentic AI coding systems, tools that write, test, and submit code autonomously, moved from early adopter status to standard practice during this period. The compound effect is now visible: more AI-generated code in production, more AI-powered scanning, and more CVEs on both ends of the pipeline.
Partial Q2 2026 data shows the pace continuing to accelerate, with discovery rates near 192 CVEs per day in early April.
The Exploitation Window Is Collapsing Too
Volume is only half the problem. The other half is speed.
Research from the Cloud Security Alliance documents what they call the collapsing exploit window. The time between CVE disclosure and a working exploit being weaponized is shrinking because AI accelerates that process too. A vulnerability that would have taken a sophisticated threat actor weeks to weaponize can now be analyzed and exploited in hours using the same AI tools your developers use to write code.
Your developers and the attackers are both pulling from the same toolbox. Unfortunately, the bad guys don’t have the same rules.
The raw CVE count understates the actual risk increase for this reason. Volume is up. The window to act is down. Both are moving in the wrong direction at the same time.
What This Means for Your Security Program
The math works against you now. A vulnerability management program that couldn’t process 2,200 new CVEs per month is exponentially slower than it actually needs to be in 2026. If the current trajectory holds, we will never catch up.
Three things your program needs to close the gap:
Risk-based prioritization, not CVSS queues. With 6,000-plus CVEs per month, manual triage cannot keep up. You need scoring that factors in real-world exploitability, asset exposure, business criticality, and active threat actor behavior. Platforms like Zest Security, Tenable One, Qualys TruRisk, and Rapid7 InsightVM have moved in this direction. Teams still running pure CVSS-based queues are losing ground faster than the numbers suggest.
AI-assisted discovery of your own vulnerabilities. If attackers use AI to find vulnerabilities at scale, the question for your team is whether you are using it offensively before public disclosure. Red teams and security engineers with AI-powered fuzzing and code analysis tools can surface vulnerabilities in your own environment ahead of the disclosure curve. The organizations doing this get ahead of CVEs rather than chasing them.
Developer security training built for AI-generated code. The CSA data on AI-generated code defect rates argues for integrating security checks into AI-assisted workflows, not treating security as a downstream function. Shift-left remains the right approach. It just needs to account for the fact that left now includes AI code generation, and that the volume of code being generated has changed what human review can realistically catch.
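One way to implement the risk-based prioritization described above, as an added example (not code from the article or from any of the platforms it names): it ranks constructed findings by a composite of exploitability, active threat activity, asset exposure, and business criticality, and compares the result with a CVSS-only queue. The weights, field names, and sample findings are illustrative assumptions.

```python
from dataclasses import dataclass

# Assumed weights for illustration; tune them to your own environment.
WEIGHTS = {"exploit": 0.40, "threat": 0.25, "exposure": 0.20, "criticality": 0.15}


@dataclass(frozen=True)
class Finding:
    cve: str                   # placeholder identifier (constructed)
    cvss: float                # base severity, 0-10
    exploit_likelihood: float  # 0-1, e.g. from an exploit-prediction feed
    actively_exploited: bool   # observed in active threat actor campaigns
    internet_facing: bool      # asset exposure
    criticality: int           # business criticality of the asset, 1 (low) to 5 (high)


def risk_score(f: Finding) -> float:
    """Composite 0-100 score: context factors scaled by severity."""
    context = (
        WEIGHTS["exploit"] * f.exploit_likelihood
        + WEIGHTS["threat"] * (1.0 if f.actively_exploited else 0.0)
        # Internal assets still carry some exposure (assumed 0.3).
        + WEIGHTS["exposure"] * (1.0 if f.internet_facing else 0.3)
        + WEIGHTS["criticality"] * (f.criticality - 1) / 4
    )
    return round(100 * context * (f.cvss / 10), 1)


def cvss_queue(findings):
    """Traditional queue: highest CVSS first."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def risk_queue(findings):
    """Risk-based queue: highest composite score first."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample findings (not real CVEs).
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", 9.8, 0.02, False, False, 2),
    Finding("CVE-EXAMPLE-0002", 7.5, 0.91, True, True, 5),
    Finding("CVE-EXAMPLE-0003", 8.8, 0.40, False, True, 3),
    Finding("CVE-EXAMPLE-0004", 5.3, 0.65, True, False, 4),
]

if __name__ == "__main__":
    print("CVSS queue:", cvss_queue(SAMPLE))
    print("Risk queue:", risk_queue(SAMPLE))
```

In the sample, the 9.8-rated finding on a low-value internal asset with little exploit likelihood falls from first to last, while the actively exploited 7.5 on a critical internet-facing asset moves to the top.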
FAQ
Why are CVE numbers increasing so fast?
Two forces are compounding each other. AI-powered vulnerability discovery tools have cut detection time from months to hours. At the same time, AI-generated code ships with a higher defect density than code written with traditional workflows. More vulnerabilities are being created and found faster simultaneously.
Is the CVE surge a reporting artifact or a real increase in vulnerabilities?
Both. The addition of new CVE Numbering Authorities, like the Linux Kernel in February 2024, expanded what gets officially reported and inflated 2024 numbers somewhat. But AI-generated code vulnerabilities and AI-accelerated discovery represent genuine increases in the underlying attack surface, not just improved counting.
What is vibe coding and why does it matter for security?
Vibe coding refers to building software by describing intent to an AI and accepting the generated output without deep manual review. Development speed goes up. Code review depth goes down. AI code generation tools produce higher defect rates than traditional development, and when review is light, those defects reach production. The security debt accumulates faster than most teams realize until it appears in vulnerability databases.
How should security teams adjust their vulnerability management programs?
The first priority is moving from CVSS-based severity queues to risk-based prioritization that reflects real-world exploitability. Beyond triage, teams benefit from using AI-powered scanning to find their own vulnerabilities before public disclosure, and from integrating security checks into AI-assisted development workflows rather than treating security as a downstream audit.
Will CVE volume keep growing?
The structural drivers, AI code generation and AI-powered discovery, are both accelerating. The HelpNetSecurity 2026 CVE forecast puts the year-end total near 66,000. Without integrating security into AI-assisted development workflows at scale, the volume trajectory is unlikely to flatten soon.
The Bottom Line
The 178% increase in monthly CVE discovery over three years reflects a structural change in how software is written and how vulnerabilities are found. Both sides are now AI-driven. Neither is slowing.
Security programs built for the 2022 threat landscape are already underpowered for 2026. The organizations closing that gap treat AI as a core operational tool for security, not a subject to monitor from a distance. Contact us to build a security practice that can keep up.
Note: Monthly CVE figures are estimated from confirmed annual totals (NVD/MITRE) and partial period data. Annual totals for 2023, 2024, and 2025 are sourced from public CVE databases. 2026 figures reflect confirmed Q1 data and partial Q2 data as of June 2026.
Sources
• Over 40,000 CVEs Published in 2024, Marking a 38% Increase from 2023 — Cyberpress (https://cyberpress.org/over-40000-cves-published-in-2024/)
• 2025: The Year Vulnerabilities Broke Every Record — Maze (https://mazehq.com/blog/2025-wrapped-the-year-vulnerabilities-broke-every-record)
• Blame AI: Patch Tuesday Hits Record 206 CVEs — Dark Reading (https://www.darkreading.com/vulnerabilities-threats/blame-ai-patch-tuesday-record-206-cves)
• AI-Generated Code Vulnerability Surge — Cloud Security Alliance (https://labs.cloudsecurityalliance.org/research/csa-research-note-ai-generated-code-vulnerability-surge-2026/)
• The Collapsing Exploit Window — Cloud Security Alliance (https://labs.cloudsecurityalliance.org/research/csa-whitepaper-collapsing-exploit-window-ai-speed-vulnerabil/)
• The Vulnerability Landscape in Q1 2026 — Securelist (https://securelist.com/vulnerabilities-and-exploits-in-q1-2026/119733/)
• CVE Surge: Why the Record Rise in New Vulnerabilities? — YesWeHack (https://www.yeswehack.com/news/cve-surge-record-jump-vulnerabilities/)
• Vulnerability Statistics 2025: Record CVE Surge — DeepStrike (https://deepstrike.io/blog/vulnerability-statistics-2025)
• 2026 CVE Forecast — HelpNetSecurity (https://www.helpnetsecurity.com/2026/06/15/first-2026-cve-forecast/)
