jgamblin/FirstForecast

CVE 2026 Half-Year Forecast Update

How It's Going: Comparing the February 2026 FIRST.org Vulnerability Forecast against actual CVE publication data (January–April 2026).

Live Report

View the full report →

Key Findings

| Metric | Value |
|---|---|
| Cumulative drift (Jan–Apr) | +46.3% above forecast |
| MAPE | 30.6% |
| Excess CVEs vs. forecast | +6,419 |
| Revised 2026 projection | 65,632 (vs. baseline 43,757) |

What's Driving the Overshoot

  • GitHub Security Advisories (GHSA): +449% YoY — expanded curation team + CVE ID backfill campaign
  • VulnCheck (CNA of Last Resort): +3,119% YoY — absorbing unassigned vulnerability backlog
  • AI-Assisted Discovery: Mozilla +164% YoY in Q1 (47 → 124 CVEs), driven by Anthropic's Project Glasswing (Claude Opus 4.6 and Mythos Preview autonomously finding Firefox bugs)

What's Declining

  • Patchstack: −43% — reduced WordPress plugin disclosure volume
  • MITRE: −29% — product-specific CNAs now assign their own IDs
  • @huntr_ai: −91% — apparent operational pause

Blog Visualizations

Publication-ready charts (300 dpi PNG) for the FIRST.org halftime blog post are in assets/blog_images/:

| File | Description |
|---|---|
| cpe_explosion.png | NVD CPE catalog growth, 2018–2026 H1 |
| rain_vs_flood.png | Total CVE volume vs. actionable burden (6.5% rate) |
| epochal_shift.png | Feb 2026 forecast vs. observed actuals + ES projection |
| mozilla_cna_spike.png | Mozilla CNA quarterly disclosures, 2024–2026 (+164% Q1 YoY) |

Methodology

  • Data source: CVE Program cvelistV5 (local mirror, 206,230 records parsed)
  • Actuals: Jan–Apr 2026 from cvelistV5 (datePublished, state=PUBLISHED)
  • Model: ExponentialSmoothing via Darts, trained on daily publication counts 2020–2026 (AutoARIMA unavailable on Python 3.14 — no statsforecast wheel)
  • Exploitability threshold: CISA KEV (≤ May 1 2026, 1,587 entries) OR EPSS > 10% (May 1 2026 snapshot, 329,934 CVEs scored)
  • Ingestion: Multi-process parallel JSON parsing (~17s for 206K files)
  • Outlier detection: Z-score on daily counts (Jan–Apr 2026 window)
  • Data cutoff: May 1, 2026 for all three datasets (CVE corpus, KEV, EPSS) for reproducibility
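The methodology above and the Key Findings metrics can be reproduced in miniature. The block below is an added example, not the FirstForecast project's own code: it applies the README's actuals filter (state=PUBLISHED with a datePublished) to cvelistV5-style records, aggregates monthly counts, computes cumulative drift and MAPE against a forecast, flags Z-score outliers on a daily series, and applies the KEV-or-EPSS>10% actionability threshold. Every record, forecast value, KEV entry and EPSS score in it is constructed sample data, not a real snapshot, and the records carry only the two cveMetadata fields the README names.

```python
# Added example, not FirstForecast's own code. All data below is constructed.
from __future__ import annotations

import json
import statistics
from collections import Counter
from datetime import date

WINDOW_START, WINDOW_END = date(2026, 1, 1), date(2026, 4, 30)  # Jan-Apr actuals window

# Constructed cvelistV5-style records (one JSON document per file in the real mirror).
SAMPLE_RECORDS = [json.dumps({"cveMetadata": m}) for m in [
    {"cveId": "CVE-2026-0001", "state": "PUBLISHED", "datePublished": "2026-01-05T10:00:00.000Z"},
    {"cveId": "CVE-2026-0002", "state": "PUBLISHED", "datePublished": "2026-01-05T11:30:00.000Z"},
    {"cveId": "CVE-2026-0003", "state": "REJECTED",  "datePublished": "2026-01-06T09:00:00.000Z"},
    {"cveId": "CVE-2026-0004", "state": "PUBLISHED", "datePublished": "2026-02-10T08:00:00.000Z"},
    {"cveId": "CVE-2026-0005", "state": "PUBLISHED", "datePublished": "2026-02-10T08:05:00.000Z"},
    {"cveId": "CVE-2026-0006", "state": "PUBLISHED", "datePublished": "2026-02-10T08:10:00.000Z"},
    {"cveId": "CVE-2026-0007", "state": "PUBLISHED", "datePublished": "2026-03-15T12:00:00.000Z"},
    {"cveId": "CVE-2026-0008", "state": "PUBLISHED", "datePublished": "2026-04-20T12:00:00.000Z"},
    {"cveId": "CVE-2026-0009", "state": "PUBLISHED", "datePublished": "2025-12-31T23:59:00.000Z"},
    {"cveId": "CVE-2026-0010", "state": "PUBLISHED", "datePublished": "2026-05-01T00:01:00.000Z"},
    {"cveId": "CVE-2026-0011", "state": "RESERVED"},  # no datePublished yet
]]


def parse_record(raw: str) -> tuple[str, date] | None:
    """README actuals filter: keep only state == PUBLISHED records that carry a datePublished."""
    meta = json.loads(raw).get("cveMetadata", {})
    published = meta.get("datePublished")
    if meta.get("state") != "PUBLISHED" or not published:
        return None
    return meta["cveId"], date.fromisoformat(published[:10])  # calendar day only


def in_window(records: list[str], start: date = WINDOW_START, end: date = WINDOW_END) -> dict[str, date]:
    """CVE id -> publication day for PUBLISHED records inside [start, end] (the data cutoff)."""
    out: dict[str, date] = {}
    for raw in records:
        parsed = parse_record(raw)
        if parsed and start <= parsed[1] <= end:
            out[parsed[0]] = parsed[1]
    return out


def monthly_counts(published: dict[str, date]) -> list[int]:
    """Actual CVEs per calendar month of the window, in month order (single-year window assumed)."""
    by_month = Counter(d.month for d in published.values())
    return [by_month.get(m, 0) for m in range(WINDOW_START.month, WINDOW_END.month + 1)]


def cumulative_drift_pct(actual: list[int], forecast: list[int]) -> float:
    """Excess of total actuals over total forecast, as a percentage of the forecast."""
    return (sum(actual) - sum(forecast)) / sum(forecast) * 100


def mape_pct(actual: list[int], forecast: list[int]) -> float:
    """Mean absolute percentage error of the forecast; months with zero actuals are skipped."""
    terms = [abs(a - f) / a for a, f in zip(actual, forecast) if a]
    return statistics.mean(terms) * 100


def zscore_outliers(daily: list[int], threshold: float = 2.0) -> list[int]:
    """Indices of days whose count lies more than `threshold` population std devs from the mean."""
    mean, sd = statistics.mean(daily), statistics.pstdev(daily)
    if sd == 0:
        return []
    return [i for i, c in enumerate(daily) if abs(c - mean) / sd > threshold]


def is_actionable(cve_id: str, kev: set[str], epss: dict[str, float], epss_threshold: float = 0.10) -> bool:
    """README exploitability threshold: listed in CISA KEV, or EPSS strictly above 10%."""
    return cve_id in kev or epss.get(cve_id, 0.0) > epss_threshold


def actionable_rate_pct(cve_ids, kev: set[str], epss: dict[str, float]) -> float:
    """Share of the given CVEs that meet the actionability threshold."""
    ids = list(cve_ids)
    return sum(is_actionable(c, kev, epss) for c in ids) / len(ids) * 100


# Constructed inputs for the overlay and outlier steps.
SAMPLE_FORECAST = [2, 2, 2, 2]                     # stand-in for the Feb forecast, per month
SAMPLE_DAILY = [120, 130, 125, 118, 400, 122, 128]  # a week of daily counts with one spike
SAMPLE_KEV = {"CVE-2026-0001"}
SAMPLE_EPSS = {"CVE-2026-0002": 0.42, "CVE-2026-0004": 0.03, "CVE-2026-0005": 0.10}

if __name__ == "__main__":
    actual = monthly_counts(in_window(SAMPLE_RECORDS))
    print("monthly actuals:", actual, "drift %:", cumulative_drift_pct(actual, SAMPLE_FORECAST))
    print("MAPE %:", round(mape_pct(actual, SAMPLE_FORECAST), 2), "outlier days:", zscore_outliers(SAMPLE_DAILY))
    print("actionable %:", round(actionable_rate_pct(in_window(SAMPLE_RECORDS), SAMPLE_KEV, SAMPLE_EPSS), 2))
```

Note the two cases the filter has to get right: a REJECTED record with a datePublished and a RESERVED record with none are both excluded, and a record published on the May 1 cutoff day itself falls outside the Jan–Apr window. The EPSS comparison is strict, so a score of exactly 10% is not actionable, matching the README's "> 10%".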

Scripts

| Script | Purpose |
|---|---|
| cve_forecast_halftime.py | Ingest cvelistV5, compare actuals vs. Feb forecast, generate ES projection |
| exploitability_overlay.py | GitHub_M + VulnCheck volume vs. actionable burden analysis |
| generate_blog_visuals.py | Generate the four 300 dpi PNG charts |

Running Locally

```bash
pip install u8darts pandas numpy matplotlib tqdm
python cve_forecast_halftime.py
python exploitability_overlay.py
python generate_blog_visuals.py
```

Requires a local clone of cvelistV5 at ~/data/cvelistV5/ and EPSS/KEV snapshots at ~/Data/KEV/.

License

Apache 2.0

About

FirstForecastWork
