The video accurately diagnoses the collapse of traditional security frameworks under the weight of AI-accelerated code production and exploitation. It’s a stark warning that we’ve reached a tipping point where the speed of automated offense has officially rendered human-led defense obsolete.
There's too many vulnerabilities, and it's going to get worse fast
The National Vulnerability Database just officially gave up. Three weeks ago, they announced they're not going to be enriching most CVEs anymore, and they're moving to a triage model. They cannot keep up with the massive surge in CVE submissions that we're seeing, which increased by 263% between 2020 and 2025. Nobody can keep up, and everyone we tell at work to address their laundry list of vulnerabilities cannot keep up. The question is why the increase in CVEs. AI, right? Probably. Maybe. Let's look into the data. I want to go over what we're experiencing in the world of CVEs right now and then give you three compelling theories as to why we're seeing what we're seeing. So, in the last 3 weeks, three major bugs have landed on my For You page and my radar. The GitHub RCE found by Wiz Research, where a single git push gets arbitrary code on GitHub's back end.
Copy Fail. A 732-bit Python script gets you root on essentially all Linux distros. Now, this one was found by Tayang Lee. I probably butchered that. A vulnerability researcher at a security offensive firm, Theory. Now, this one's interesting because it was found using an AI-powered offensive tool. And now, just a few days ago, only 2 weeks after the Copy Fail vulnerability was found, Journey Frag was added to the mix. It was found by an independent researcher, Hay Hayun Wu Kim. Same outcome, getting root on the system on basically every distro. But this one has an interesting embargo break, an embargo being a voluntary agreement among security researchers, Linux kernel maintainers and distribution vendors like Red Hat, Ubuntu and SUSE to keep a vulnerability secret for a set period so that a patch can be released. Somebody reverse engineered the upstream fix commit, and the exploit was released before the patch.
Now, there's also some other noteworthy ones just in 2026 alone. Cisco Firewall Management Center in January. Fortinet shipped critical RCE. Ivanti EPMM got a couple. Microsoft always has a ton.
In the last 30 days alone, Defender's Blue Hammer LP, an exploited SharePoint bug, and a Windows shell coercion flaw.
I could keep going, but that is the list of actively exploited vulnerabilities.
Let's look at the actual numbers of CVEs over the past few years. In 2024, we had 40,000 published CVEs. That was a 38% jump from 2023. In 2025, we had 48,000 CVEs, another 20% jump. And in 2026, we have a projected 70,000 CVEs.
That's a 45% growth rate. Total submissions are going up at an alarming rate since 2020. Even worse if we go back further.
>> No.
And the universal system that catalogs and analyzes these, the National Vulnerability Database at NIST, is crying uncle. They're throwing in the towel. They're raising up the white flag. On April 15th, 2026, they formally announced that they're moving to a triage risk-based model, meaning that only the most important CVEs get enriched first and then maybe the rest.
Eh, they reclassified 29,000 CVEs as not scheduled, effectively dropping them entirely. Going forward, they're going to try and enrich 15 to 20% of incoming CVEs, as much as they can. What exactly is the enrichment doing, you might ask? Every major vulnerability scanner, patch management platform, and compliance reporting tool in the enterprise security market was set up around the assumption that enrichment was being done on the published CVEs. A CVE without CPE data is, from the perspective of most vulnerability scanners, effectively invisible. It won't detect the vulnerabilities. Now, the Federal Vulnerability Database is officially only going to fully analyze one in five CVEs, a system that effectively every security team in the country relies on. It gets worse. NIST will only enrich a CVE if one of the following is true. The vulnerability is already on CISA's Known Exploited Vulnerabilities (KEV) catalog, which is only a list of known publicly exploited vulnerabilities. The vulnerability affects software used by US federal government systems. This includes Microsoft, Google, Adobe, Oracle, the big players. Or lastly, the vulnerability involves critical software that's outlined by Executive Order 14028. Again, that's protecting the government. Now, the software that falls outside of that criteria is open-source infrastructure. Now, that's not really including Linux distros, which do fall under the executive order in one way or another. It's more things like npm or Node.js. And wouldn't you know it, 70 to 90% of all software is open-source. And whether that falls into any of the three criteria to enrich is anyone's guess at this point. Imagine a world where you don't have the ability to identify critical vulnerabilities. That's a very real possibility if CVEs continue to grow at the rate they're going.
And the biggest issue in my opinion with the new prioritization model is that focusing on CVEs with known public exploits allows hackers with AI tools to find exploits and vulnerabilities that aren't publicly announced yet and, more importantly, don't have patches available yet. According to Google's M-Trends 2026 report, the mean time to exploit newly disclosed vulnerabilities has dropped to an estimated negative 7 days. Exploitation is occurring before a patch is released.
In 2020, the average time to a working exploit was 745 days. There's just too many vulnerabilities and not enough manpower to address them all. We need more manpower, more robots. We need... I need a hero.
>> So what's actually driving this exponential growth in CVEs? There are three main theories. Theory one, AI-generated code has more bugs. This is fact. 41% of code being shipped right now is AI generated. As of 2024, 256 billion lines of AI-generated code already exists. And AI-generated code has 2.7 times higher vulnerability density than human code, and is now adding more than 10,000 security findings a month, a 10 times jump from December of 2024. Theory 2, AI is finding more bugs than humans ever could. AI vulnerability reports are up 200%. As we head into 2026, as of last month, prompt injection reports were up by 540%. And theory 3, there's just more code being crapped out into the world.
Now, this might be the biggest driving factor. GitHub commits hit 1 billion in 2025. They're now hitting 275 million commits a week, which is projecting us to about 14 billion commits in 2026.
That is a 14x increase from last year.
36 million new developers joined GitHub in the past year alone. That's one new developer per second. More code, more attack surface, more bugs. It's simple math. So, which is it? Well, it's all three, but they're in different proportions. They're all adding to the storm, the mess that we're seeing.
So, what everyone's probably thinking is AI is causing this massive spike. And honestly, the biggest driving factor is just more code. But the most concerning part of this all is not the amount of new code in the world. It is the fact that AI is shrinking the time between fix and exploit. Whether or not we can actually patch vulnerabilities fast enough before they're exploited. Now, in one of my next videos, I'm going to go into a massive rabbit hole that is Claude Mythos and GPT 5.5 5.4 Cyber, both released recently, and what their internal evaluation showed about autonomous vulnerability and exploit discovery, which is one of the scariest things that cyber security professionals are facing right now. Here's what I'm thinking.
Once these two models are fully released, it's not going to be when the game changed. Their announcement is simply public proof that the game has already changed, and the actual shift happened years ago. The iceberg has been there for a while now.
Subscribe so you don't miss it.
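One defender-side consequence of the enrichment change described in the video, as an added example that is not from the video or its author: a short Python triage pass over records shaped like the public NVD CVE API 2.0 JSON (`vulnerabilities[].cve` with `configurations[].nodes[].cpeMatch[].criteria` and `descriptions[]`), separating CVEs that a CPE-driven scanner can see from un-enriched ones that would otherwise be silently dropped and need a human look. The sample records, their CVE IDs and the product watchlist are constructed placeholders.

```python
"""Flag NVD CVE records that carry no CPE enrichment so a CPE-driven scanner
does not silently skip them. Added example; record layout follows the NVD CVE
API 2.0 JSON. Sample data below is constructed and the IDs are placeholders."""
from typing import Any


def has_cpe(cve: dict[str, Any]) -> bool:
    """True if at least one CPE match criterion exists in the configurations."""
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            if any(m.get("criteria") for m in node.get("cpeMatch", [])):
                return True
    return False


def triage(records: list[dict[str, Any]], watchlist: set[str]) -> dict[str, list[str]]:
    """Split CVEs into three queues:
    visible  - has CPE data, so the scanner will match it on its own;
    review   - no CPE data, but the English description mentions a product
               keyword from 'watchlist' (our own inventory), so a human maps it;
    ignored  - no CPE data and no inventory keyword; logged, not actioned."""
    result: dict[str, list[str]] = {"visible": [], "review": [], "ignored": []}
    for rec in records:
        cve = rec["cve"]
        cid = cve["id"]
        if has_cpe(cve):
            result["visible"].append(cid)
            continue
        desc = " ".join(d["value"] for d in cve.get("descriptions", [])
                        if d.get("lang") == "en").lower()
        queue = "review" if any(k.lower() in desc for k in watchlist) else "ignored"
        result[queue].append(cid)
    return result


# Constructed sample records; CVE-0000-* are placeholders, not real CVE IDs.
SAMPLE = [
    {"cve": {"id": "CVE-0000-0001",
             "descriptions": [{"lang": "en", "value": "Buffer overflow in examplefw."}],
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"criteria": "cpe:2.3:a:example:examplefw:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002",
             "descriptions": [{"lang": "en", "value": "Path traversal in the acme-logger npm package."}],
             "configurations": []}},
    {"cve": {"id": "CVE-0000-0003",
             "descriptions": [{"lang": "en", "value": "XSS in an unrelated wiki plugin."}]}},
]

if __name__ == "__main__":
    print(triage(SAMPLE, {"npm", "acme-logger", "examplefw"}))
```

The "review" queue is the part the new triage model pushes onto each organisation: without CPE data, matching a CVE to your inventory is now your job, not the scanner's.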