Wow, the world is getting much faster at exploiting CVEs
> 67.2% of exploited CVEs in 2026 are zero-days, up from 16.1% in 2018
But the exploit rate (the pct of all published CVEs that are actually exploited in the wild) has dropped from a high of 2.11% in 2021 to 0.64% in 2026. Meaning we're either getting worse at exploitation (not likely) or reporting more obscure, pragmatically not-really-an-issue issues that can't be replicated IRL.
So we're in a weird situation:
The vast majority 99.4% of CVEs will never see the light of day as an actual attack. Lots of noise, and getting noisier.
But those that do will happen with increasing speed! So there are increased consequences for missing the signal.
Wow, the world is getting much faster at exploiting CVEs
> 67.2% of exploited CVEs in 2026 are zero-days, up from 16.1% in 2018
But the exploit rate (the pct of all published CVEs that are actually exploited in the wild) has dropped from a high of 2.11% in 2021 to 0.64% in 2026. Meaning we're either getting worse at exploitation (not likely) or reporting more obscure, pragmatically not-really-an-issue issues that can't be replicated IRL.
So we're in a weird situation:
The vast majority 99.4% of CVEs will never see the light of day as an actual attack. Lots of noise, and getting noisier.
But those that do will happen with increasing speed! So there are increased consequences for missing the signal.
Don't worry about it. But don't blink.