The first quarter of 2026 produced roughly 10,600 new CVE identifiers, a modest increase over Q1 2025 and a continuation of the steady-rise pattern that has held for six years. The more interesting story is not the headline count but the composition: where the vulnerabilities came from, how quickly they were exploited, and which ecosystems absorbed the largest share of them. The shifts this quarter tell a coherent story about where attacker attention is moving, and defenders who read the trends carefully can reallocate their limited patching capacity accordingly.
This post walks through the data. We pull from the NVD, GitHub Advisory Database, and CISA's Known Exploited Vulnerabilities catalog, with some supplementary commercial feeds where the public data is thin. We flag methodology choices where they matter, because CVE statistics are easy to misinterpret and the surface temptation is to cherry-pick the chart that fits the narrative. The goal is a defensible quarterly snapshot, not a marketing graph.
How did publication volume trend?
Publication volume grew 6% year-over-year, with most of the increase concentrated in the JavaScript and Python ecosystems. Container base images and Kubernetes-adjacent tooling also contributed above their historical share. The raw count of critical-severity CVEs (CVSS 9.0 and above) held roughly flat at 1,180, which is slightly below the 2024-2025 quarterly average.
The more useful framing is the distribution of root causes. Memory-safety issues continued their slow decline as a share of total CVEs, dropping another two percentage points to about 21% of published vulnerabilities. Injection vulnerabilities (SQL, command, and template) remain sticky at about 14%, with no meaningful movement. The category that grew was authentication and authorization logic, now at 19% of total CVEs, up from 16% a year ago. That is consistent with a world where attackers target business logic because the classical unsafe-code categories are slowly being engineered out.
What happened with AI-specific CVEs?
AI-specific CVEs crossed a meaningful threshold in Q1 2026: 340 new identifiers tagged explicitly as affecting ML frameworks, inference servers, or model-specific tooling. This is up 58% year-over-year and represents about 3.2% of total CVE volume. The top categories within this bucket were prompt injection in production agents, unsafe deserialization in model-loading paths, and authentication gaps in inference gateways.
The most interesting pattern was that exploitation timelines for AI CVEs were notably shorter than average. Median time from publication to first observed exploitation, among the subset tracked by CISA KEV and commercial intelligence feeds, was 19 days for AI-category CVEs versus 43 days for the overall CVE population. Attackers appear to treat AI infrastructure as a softer target with higher-value payoff, and they are moving on disclosures faster. Organizations with exposed inference endpoints should assume their patch windows are compressed.
Which ecosystems carried the heaviest load?
The ecosystems carrying the heaviest load were npm, PyPI, and Go, in that order by CVE count but with interesting differences in severity distribution. npm had the highest raw volume at about 1,900 CVEs but the lowest median CVSS at 6.1, reflecting the long tail of low-impact findings that bulk-scanning tools surface. PyPI came in at 1,400 CVEs with a higher median CVSS of 7.3, driven in part by several high-impact disclosures in popular ML libraries. Go at 540 CVEs had a median CVSS of 6.8.
Container base images had a smaller CVE count of 310 but a much higher downstream blast radius because each CVE propagates to every image built on the affected base. A single high-severity OpenSSL CVE in a popular base image this quarter fanned out to an estimated 40 million active container images worldwide within days of disclosure. This remains the single most leveraged vulnerability class in the ecosystem, and it deserves proportional attention in your scanning and patching programs.
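The fan-out described above can be computed from an image inventory. The following is an added example, not code from this post or from any vendor: the image names and the `LINEAGE` map are a constructed inventory, and the function names are hypothetical.

```python
from collections import defaultdict, deque

# Constructed inventory: image -> the base image it was built FROM (None = root).
LINEAGE = {
    "base/os:1.0": None,
    "platform/python:3.12": "base/os:1.0",
    "platform/node:22": "base/os:1.0",
    "team-a/api:4.2": "platform/python:3.12",
    "team-a/worker:4.2": "platform/python:3.12",
    "team-b/web:9.0": "platform/node:22",
    "other/minimal:2.0": None,
    "team-c/static:1.1": "other/minimal:2.0",
}

def affected_images(lineage, vulnerable_base):
    """Map every image that inherits from vulnerable_base to its layer depth."""
    children = defaultdict(list)
    for image, base in lineage.items():
        if base is not None:
            children[base].append(image)
    depth = {vulnerable_base: 0}
    queue = deque([vulnerable_base])
    while queue:                      # breadth-first walk down the lineage
        current = queue.popleft()
        for child in children[current]:
            if child not in depth:    # guard against a malformed, cyclic inventory
                depth[child] = depth[current] + 1
                queue.append(child)
    return depth

def rebuild_order(lineage, vulnerable_base):
    """Patched base first, then each dependent layer, so no rebuild picks up a stale parent."""
    depth = affected_images(lineage, vulnerable_base)
    return sorted(depth, key=lambda image: (depth[image], image))

if __name__ == "__main__":
    for image in rebuild_order(LINEAGE, "base/os:1.0"):
        print(image)
```

One CVE in the root base reaches six of the eight images here, while the images on the unrelated base are untouched.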
How fast did exploitation follow disclosure?
Exploitation followed disclosure faster this quarter than last, though the shift is concentrated in specific categories. The overall median time-to-exploit across KEV-tracked CVEs was 28 days, down from 34 days in Q1 2025. But the spread is bimodal: a small set of CVEs are exploited within days, and the rest take months or are never exploited. If you are not patching critical internet-exposed CVEs within a week of disclosure, you are operating inside the attacker's window for the high-value subset.
The other important data point: reachability matters enormously. Among the exploited CVEs tracked this quarter, about 91% affected code paths that were directly reachable from an exposed interface in typical deployments. The other 9% required an unusual configuration or a chained exploit. A prioritization model that weights reachability over raw CVSS continues to outperform a CVSS-only ranking by a wide margin, as it has for several years now.
What does this mean for 2026 Q2 planning?
For Q2 planning, three implications are hard to argue with. First, budget patching capacity for AI infrastructure CVEs with an assumption of a 20-day exploit window, not a 45-day window. Second, invest in reachability analysis if you have not already, because severity alone is no longer a defensible prioritization signal. Third, treat container base images as a higher-leverage asset than application-level dependencies and ensure your base image update cadence is faster than your application release cadence.
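A sketch of the reachability-weighted ranking and the patch windows discussed above, as an added example rather than Safeguard's model or code from this post. The weights, the field names, the use of the 28-day median as a default window, and treating KEV-listed findings like critical ones are assumptions; the CVE IDs are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str                # constructed placeholder ID
    cvss: float
    reachable: bool         # vulnerable path reachable from an exposed interface
    internet_exposed: bool
    in_kev: bool            # listed in CISA KEV
    ai_infra: bool          # ML framework, inference server, model tooling

# Constructed sample findings; none of these are real CVEs.
FINDINGS = [
    Finding("CVE-EXAMPLE-0001", 9.8, False, False, False, False),
    Finding("CVE-EXAMPLE-0002", 7.5, True, True, True, False),
    Finding("CVE-EXAMPLE-0003", 8.1, True, True, False, True),
    Finding("CVE-EXAMPLE-0004", 9.1, True, True, False, False),
    Finding("CVE-EXAMPLE-0005", 6.1, True, False, False, False),
]

def priority(f: Finding) -> float:
    """Assumed weighting: reachability scales CVSS; exposure and KEV add to it."""
    score = f.cvss * (1.0 if f.reachable else 0.2)
    score += 3.0 if f.internet_exposed else 0.0
    score += 5.0 if f.in_kev else 0.0
    return score

def patch_window_days(f: Finding):
    """Days from disclosure to patch, or None for the normal release cycle."""
    if not f.reachable:
        return None                  # assumption: no expedited window
    windows = [28]                   # assumption: default is the overall median time-to-exploit
    if f.ai_infra:
        windows.append(20)           # AI infrastructure window from the post
    if f.internet_exposed and (f.cvss >= 9.0 or f.in_kev):
        windows.append(7)            # "within a week"; KEV equivalence is assumed
    return min(windows)

def rank(findings, key):
    return [f.cve for f in sorted(findings, key=key, reverse=True)]

def triage(findings):
    ordered = sorted(findings, key=priority, reverse=True)
    return [(f.cve, patch_window_days(f)) for f in ordered]

if __name__ == "__main__":
    print("CVSS-only order:", rank(FINDINGS, lambda f: f.cvss))
    for cve, days in triage(FINDINGS):
        print(cve, days)
```

The unreachable 9.8 that tops the CVSS-only order drops to last, and the KEV-listed 7.5 on an exposed service moves to first with a 7-day window.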
The meta-point is that CVE volume is not the interesting number anymore. The volume will keep rising, because more code is being written, more tools are finding issues, and more maintainers are assigning identifiers. The interesting numbers are the composition shifts and the exploitation timelines, both of which give defenders concrete levers to pull.
How Safeguard Helps
Safeguard is built around the insight that CVE counts are not prioritization. Reachability analysis runs against every SBOM we ingest, so you see the CVEs that actually matter for your deployed services, not the full noise of your package tree. Griffin AI correlates CVE publication with exploitation signal from CISA KEV and commercial feeds, surfacing the small set of issues inside the attacker's window. TPRM scores suppliers on their historical response time and patching posture, and our zero-day feed flags emerging AI infrastructure risks within hours of disclosure. Policy gates in CI block builds that introduce or retain critical reachable CVEs, turning the quarterly trend data into enforceable controls. You get the signal without the noise.