{"uuid": "88dd323e-6506-4ecc-abc7-a23666df333d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48558", "type": "seen", "source": "https://www.jerrygamblin.com/2026/07/01/3528/", "content": "We are halfway through 2026, so it is time for the mid-year CVE check-in. The short version: the volume curve has gone vertical while exploitation has not. This review covers everything published in the first half of 2026 (Jan 1 – Jun 30, 2026): the volume, the severity, what is actually being exploited, and who is driving the numbers, all measured against the same elapsed window a year ago so that a partial half is never compared to a full one.\n\nTL;DR\n\nThe first half of 2026 produced 35,364 CVEs, more in six months than any full year before 2024 (all of 2023 finished at 28,817). That works out to one new CVE every 7.4 minutes, an increase of 49.5% over the same window in 2025 (23,656). And yet only 85 of them (0.24%) have made CISA’s KEV list so far, a floor that will rise as the cohort ages and exploitation is confirmed. 
That gap is the story of 2026 so far: we are minting CVEs faster than ever while confirmed exploitation stays rare, so the hard problem is signal-to-noise, not patch volume.\n\nAt this pace the year projects to roughly 71,314 to 72,008, and the all-time catalog has now passed 344,258 CVEs since 1999.\n\nNote: All statistics in this report exclude rejected CVEs to provide an accurate count of active vulnerabilities.\n\nKey Statistics at a Glance\n\nMetric | Value\nTotal CVEs (H1 2026) | 35,364\nCVEs per Day | 195.4\nChange vs same window 2025 | +49.5%\nProjected Full Year | 71,314 – 72,008\nCritical Severity | 3,554\nHigh Severity | 13,821\nAverage CVSS Score | 6.89\nCVSS Coverage | 94.3%\nCWE Coverage | 95.6%\nActive CNAs | 340\nRejected CVEs (H1 2026) | 1,265\nAlready Known-Exploited (KEV) | 85\n\nH1-over-H1: Three Years Side by Side\n\nTo keep the comparison honest while 2026 is still in progress, each year is measured over the identical window (January 1 through Jun 30).\n\nWindow | CVEs | Per Day | Avg CVSS\nJan 1 – Jun 30, 2024 | 20,374 | 112.6 | 6.65\nJan 1 – Jun 30, 2025 | 23,656 | 130.7 | 6.57\nJan 1 – Jun 30, 2026 | 35,364 | 195.4 | 6.89\n\nForecast Scorecard: Are We On Pace?\n\nAt 195.4 CVEs/day, two straight-line methods land close to each other (both are simple extrapolations of the same H1 run, so this is a sanity check, not two truly independent signals): the run-rate extrapolates to 71,314, and a seasonality-adjusted estimate (scaling the pace across the full half, then dividing by 2025’s 49% first-half share) to 72,008.\n\nCVEForecast, one of my own RogoLabs tools, projects 90,831 CVEs for full-year 2026 (LinearRegression, MAPE 17.9), so I am partly arguing with my own model here. 
That is 18,823 above the top of the straight-line range, and here is where I will plant a flag: I think the model is high. Both simple extrapolations land near 72,008, and the forecast’s entire gap to them rests on a heavy second-half surge that still has to show up. My call is that the year closes nearer 72,008 than 90,831. I will happily eat those words in the December review if H2 accelerates the way the model expects, but the burden of proof is on the surge.\n\nWhat Changed in H1 2026\n\nGitHub Security Advisories is the busiest CNA at 6,801 assignments. New to the most-affected product list this year: Chrome, OpenClaw. Among weakness types, CWE-862 (Missing Authorization) climbed to #2 in the top five.\n\nSpotlight: OpenClaw. A project that barely existed a year ago, OpenClaw (Peter Steinberger’s viral local AI agent, the subject of Lex Fridman Podcast #491) is already one of the most-reported products of the half with 537 CVEs. The striking part is who is doing the reporting: VulnCheck alone assigned 500 of them (93%), disclosed steadily across the half rather than in a single dump. That concentration says more about researcher attention than code quality: VulnCheck, whose remit is emerging and exploited-in-the-wild threats, is exactly the kind of team that systematically covers a fast-growing new target, and concentrated third-party research on a hot AI agent is the coverage you would want. To its credit the project embraced the CVE lifecycle itself, issuing advisories through GitHub as reports came in. I track its CVEs at OpenClawCVEs.\n\nHistorical CVE Growth\n\nTo compare like with like, this chart counts only the first half of every year (January 1 through Jun 30). 
On that basis 2026 already stands taller than any prior first half: more CVEs in six months than the same window has ever produced.\n\nFirst-half growth has been relentless, and 2026 is +49.5% on the first half of 2025.\n\nCounting full years, the cumulative catalog has now passed 344,258 CVEs.\n\nMonthly Distribution (H1 2026)\n\nCVE publications varied across the first half of 2026, with June being the peak month at 7,454 CVEs.\n\nPublication Patterns by Day of Week\n\nPublishing clusters midweek. Wednesday is the busiest day at 7,943 CVEs, with Tuesday close behind at 7,216. Patch Tuesday is part of the story, but the midweek bulge owes as much to the high-volume CNAs (GitHub, Linux, the WordPress plugin crowd) that batch-publish midweek.\n\nWeekdays average 6,517 CVEs against just 1,389 on weekends.\n\nBusiest Days of H1 2026\n\nSome days saw massive spikes in CVE publications:\n\nTop 5 Busiest Days\n\nRank | Date | CVE Count\n1 | 2026-06-09 | 747\n2 | 2026-06-17 | 732\n3 | 2026-05-27 | 716\n4 | 2026-03-25 | 606\n5 | 2026-05-12 | 554\n\nCVSS Score Analysis\n\nThe Common Vulnerability Scoring System (CVSS) helps standardize severity assessments. Here’s how H1 2026 CVEs were distributed across the scoring range.\n\nThe average CVSS score for H1 2026 was 6.89, with a median of 7.10.\n\nSeverity Breakdown\n\nSeverity | Count | Percentage\nCritical | 3,554 | 10.0%\nHigh | 13,821 | 39.1%\nMedium | 14,485 | 41.0%\nLow | 3,056 | 8.6%\nUnscored | 448 | 1.3%\n\nPercentages are of all H1 2026 CVEs; “Unscored” are the 1.3% with no CVSS severity assigned.\n\nCVSS Trends Over Time\n\nTop Weakness Types (CWE)\n\nThe Common Weakness Enumeration (CWE) categorizes the types of security weaknesses. 
Here are the most prevalent weakness types in H1 2026:\n\nTop 5 CWEs in H1 2026\n\nRank | CWE | Name | Count\n1 | CWE-79 | XSS | 3,783\n2 | CWE-862 | Missing Authorization | 1,704\n3 | CWE-89 | SQL Injection | 1,445\n4 | CWE-22 | Path Traversal | 1,264\n5 | CWE-416 | Use After Free | 1,037\n\nCVE Numbering Authorities (CNAs)\n\nThe leaderboard increasingly reflects where modern software and modern vulnerability research live: platform and ecosystem CNAs (GitHub, Patchstack) and dedicated research CNAs (VulnCheck, VulDB) alongside the traditional product vendors. High assignment counts are not inflation: a CNA covering the WordPress plugin ecosystem or issuing a CVE per kernel fix is doing exactly its job, and the low KEV overlap below reflects how rare confirmed exploitation is across all sources, not the validity of any CNA’s records. The most active assigners this year:\n\nTop 5 CNAs in H1 2026\n\nRank | CNA | CVEs Assigned\n1 | GitHub Security Advisories | 6,801\n2 | VulDB | 3,319\n3 | VulnCheck | 3,273\n4 | Patchstack | 2,704\n5 | Linux | 2,564\n\nIn total, 340 unique CNAs assigned CVEs in H1 2026.\n\nTop Vendors\n\nThe vendors with the most CVEs attributed to their products this year (each links to its NVD search):\n\nTop 5 Vendors in H1 2026\n\nRank | Vendor | CVE Count\n1 | Linux | 2,564\n2 | Google | 1,801\n3 | Microsoft | 864\n4 | OpenClaw | 537\n5 | Oracle | 445\n\nMost Vulnerable Products\n\nDrilling past vendors to specific products, the H1 2026 leaders:\n\nTop 5 Products\n\nRank | Product | CVE Count\n1 | Linux Kernel | 1,956\n2 | Chrome | 1,203\n3 | OpenClaw | 534\n4 | Windows 10 | 372\n5 | Android | 303\n\nProduct-level counts can differ slightly from the vendor totals above: a vendor’s CVEs may span several products, and a single CVE can name more than one.\n\nKnown-Exploited Vulnerabilities (CISA KEV)\n\nVolume is the headline, but exploitation is what should actually drive patching. 
Of the 35,364 CVEs published in H1 2026, only 85 (0.24%) have shown up in the CISA KEV catalog so far. Treat that as a floor, not a verdict: KEV is a US-government catalog that lags disclosure by months and records only confirmed, observed exploitation, so this share will climb as the 2026 cohort ages. Even so, the signal holds: most CVEs are not known-exploited, so ranking by exploitability (KEV plus a forward-looking score like EPSS) beats chasing raw counts.\n\nNote these are two different populations: the 85 above are H1-2026-published CVEs already in KEV, while CISA added 146 entries to KEV during the half (more than the 132 added in the same window of 2025, many of them older CVEs newly exploited), and 17 of those additions are tied to known ransomware campaigns.\n\nH1 2026 CVEs Already in KEV\n\nA sample (5 most recent of 85):\n\nCVE | Vendor | Product | Added | Ransomware\nCVE-2026-48558 | Simplehelp | SimpleHelp | 2026-06-29 | No\nCVE-2026-20230 | Cisco | Unified Communications Manager | 2026-06-25 | No\nCVE-2026-12569 | Ptc | Windchill and FlexPLM | 2026-06-25 | No\nCVE-2025-67038 | Lantronix | EDS5000 | 2026-06-23 | No\nCVE-2026-34910 | Ubiquiti | UniFi OS | 2026-06-23 | No\n\nData Quality\n\nNot all CVEs have complete metadata. Here’s how data quality has evolved over the years:\n\nH1 2026 Data Quality Metrics\n\nMetric | Coverage\nCVSS Score | 94.3%\nCWE Classification | 95.6%\nCPE Identifiers | 59.0%\n\nThis is where two ideas from the CVE Decaf work I did with Jay Jacobs get practical: actionable data quality (judge a record by whether it is complete enough to act on, not by abstract completeness) and data provenance (knowing which source asserted each field). The CPE gap is the clearest case. 
At 59.0% CPE coverage, nearly half of H1 2026 CVEs cannot be automatically matched to a product the day they publish, so for those records the answer to “can I act on this today?” is no, no matter how complete the rest of the entry looks. Scoring each record on its provenance (who supplied it) and on the fields that actually drive action (CPE for asset matching, KEV and EPSS for exploitability) is how you turn the raw feed into a measurable signal-to-noise ratio instead of a flat backlog.\n\nRejected CVEs\n\nNot all CVE IDs stay active. Some are rejected for duplicates, disputes, or invalid submissions, and the rejection rate is a useful read on the ecosystem’s quality control.\n\nH1 2026 Rejection Statistics\n\nMetric | Value\nRejected CVEs in H1 2026 | 1,265\nH1 2026 Rejection Rate | 3.45%\nTotal Rejected (All Time) | 17,648\n\nCVE rejections occur for several reasons:\n\n- Duplicates: The same vulnerability assigned multiple CVE IDs\n- Disputes: Vendor disagreement that the issue is a vulnerability\n- Invalid: Not a security vulnerability or insufficient information\n- Withdrawn: CVE withdrawn by the assigning CNA\n\nConclusions\n\nKey Takeaways from the First Half of 2026\n\n- Volume keeps climbing: 35,364 CVEs in roughly six months, up 49.5% on the same window last year, with the full year projecting to 71,314–72,008.\n\n- Severity stays heavy: 17,375 CVEs (49.1%) are Critical or High.\n\n- Web and access-control flaws lead: XSS, Missing Authorization, SQL Injection, and Path Traversal headline the CWE list. 
Memory-safety issues barely register in the top tier this half.\n\n- The CNA mix is shifting: platform teams and aggregators, not the original vendors, now top the assigner list, and the lineup reshuffled from a year ago.\n\n- Coverage gaps persist: CVSS and CWE are well covered, but CPE sits at 59.0%, which still hampers automated matching.\n\n- Confirmed exploitation stays rare (so far): just 85 of 35,364 H1 CVEs (0.24%) are in CISA KEV today, a floor that rises as the cohort ages. Volume is a triage problem, not a patch-everything problem.\n\nWhat this means for you\n\n- If you defend a network: do not let the raw count set your pace. Only 0.24% of H1 CVEs are confirmed-exploited in KEV today, but KEV lags and is a floor, not the full risk picture. Lead with exploitability (KEV as a hard floor, EPSS with a threshold you pick), then weight by your own context: internet-facing and sensitive systems jump the queue regardless of score, and compliance SLAs (PCI, FedRAMP, and the like) still set hard clocks. Lower priority is not never, so park the rest in a managed cycle rather than ignoring it.\n\n- If you run a CNA: the leaderboard now runs through platforms, ecosystems, and research CNAs. Volume reflects scope, not padding; the differentiator that is still genuinely uneven is data quality, and the biggest gap, CPE coverage, is largely an NVD-side enrichment problem rather than a function of who assigned the CVE.\n\n- If you consume NVD data: enrichment is the bottleneck. CPE at 59.0% means nearly half of new CVEs lack a formal CPE, which complicates NVD-style automated matching (many CNAs still carry vendor/product strings), and volume only widens that gap.\n\nWhat I’m watching in H2\n\nMy call from the scorecard stands: 2026 closes nearer 72,008 than the 90,831 forecast. 
Two things would change my mind: a December disclosure surge bigger than 2025’s, or another OpenClaw-style project flooding the catalog. The year-end review settles it.\n\nMethodology and Reproducibility\n\nTwo primary data sources, plus two enrichment feeds:\n\n- NVD JSON – National Vulnerability Database export from nvd.handsonhacking.org\n- CVE List V5 – Official CVE records from CVEProject/cvelistV5\n- Forecast – CVEForecast full-year projection\n- Exploitation – CISA KEV catalog\n\nEverything here is reproducible. The full pipeline (Python, pandas, matplotlib) is on GitHub at jgamblin/H12026CVEBlog, and it leans on the free CVE tooling I build at RogoLabs: cve.icu, cnascorecard.org, and cveforecast.org.\n\nData collected and analyzed on July 01, 2026.", "creation_timestamp": "2026-07-02T01:00:45.207118Z"}