Thor provides an overview of the Q1 2026 vulnerability statistics, highlighting key trends in legacy CVEs and the evolving impact of AI on the threat landscape.
Welcome to this week's edition of the Threat Source newsletter.

The first quarter of 2026 passed faster than a misconfigured firewall rule gets exploited, and the last few weeks have been firmly stamped with the "software supply chain compromise" label, with headlines surrounding incidents involving Trivy, Checkmark, LiteLLM, telnyx and axios. This edition stays focused on vulnerability statistics, although you can read Dave and Nick's Talos blogs for more information about these incidents.

Known Exploited Vulnerabilities (KEVs) stayed roughly in line with 2025 numbers: no dramatic spike, but no room for relief either. What does stand out? Networking gear accounted for 20% of KEV-related vulnerabilities, and that number is expected to climb as the year progresses. If the trend from 2025 holds, this won't be the high-water mark.

Patch management remains one of the industry's most persistent challenges, and I understand all the operational complexity that comes with it. That said, it still stings to come across CVEs with disclosure dates reaching back to 2009, and roughly 25% of the CVEs we're tracking date to 2024 or earlier. Old vulnerabilities don't retire. They wait. It starts with visibility: knowing what's actually running in your environment is the prerequisite for everything else.

Overall CVE counts increased in Q1, with March showing the sharpest climb. Whether that reflects improved disclosure pipelines, increased researcher activity, or a genuine uptick in vulnerability density, the trend line from 2025 hasn't flattened; if anything, it's still pointing up.

Using the keyword methodology described here, 121 CVEs with AI relevance were identified in Q1, more than in Q1 2025, though consistent with what adoption trends would predict. As AI components become more deeply embedded across the software stack, this number will keep climbing.
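The three numbers above (share of networking gear, share of legacy CVEs, and AI-relevant CVEs found by keyword) are all slices of the same catalog, and they are easy to reproduce against your own tracking data. The script below is an added example written for this edition, not Talos's tooling and not the methodology linked above: it reads entries in the shape of CISA's KEV JSON feed (same field names), filters to one quarter by `dateAdded`, and computes CVE-year age statistics, a networking-gear share, per-month counts and keyword-based AI relevance. The sample entries are constructed, and both keyword lists (`NETWORKING_TERMS`, `AI_TERMS`) are editorial assumptions rather than the taxonomy Talos used.

```python
"""Slice a KEV-style catalog: CVE age, networking share, monthly counts, AI keywords."""
import re
from collections import Counter
from datetime import date

# Constructed sample in the shape of CISA's KEV feed (same field names as
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The entries themselves are illustrative, not real catalog data.
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-2009-1001", "vendorProject": "ExampleNet", "product": "Edge Router OS",
         "dateAdded": "2026-01-14",
         "shortDescription": "Stack-based buffer overflow in the router web management interface."},
        {"cveID": "CVE-2023-1002", "vendorProject": "ExampleSoft", "product": "Office Suite",
         "dateAdded": "2026-02-03",
         "shortDescription": "Use-after-free when parsing a crafted document."},
        {"cveID": "CVE-2025-1003", "vendorProject": "ExampleAI", "product": "LLM Proxy",
         "dateAdded": "2026-02-20",
         "shortDescription": "Prompt injection in the model proxy allows tool calls without authorization."},
        {"cveID": "CVE-2026-1004", "vendorProject": "ExampleNet", "product": "VPN Gateway Firewall",
         "dateAdded": "2026-03-11",
         "shortDescription": "Authentication bypass on the SSL VPN portal."},
        {"cveID": "CVE-2025-1005", "vendorProject": "ExampleSoft", "product": "Build Server",
         "dateAdded": "2025-12-30",  # Q4 2025: filtered out by quarter_entries()
         "shortDescription": "Path traversal in artifact upload."},
    ]
}

# Assumed classifier: an entry counts as networking gear if vendor/product mention
# one of these device-class words. This is an editorial assumption, not Talos's taxonomy.
NETWORKING_TERMS = ("router", "switch", "firewall", "vpn", "gateway", "load balancer")

# Assumed AI-relevance keywords; the real keyword list is not reproduced on this page.
AI_TERMS = ("llm", "prompt injection", "model", "machine learning", "inference", "agent")
# Word-boundary match so "model" does not fire on "remodel" or "agent" on "agentless".
AI_PATTERN = re.compile(r"\b(?:" + "|".join(re.escape(t) for t in AI_TERMS) + r")\b", re.IGNORECASE)

CVE_ID = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def cve_year(cve_id: str) -> int:
    """Disclosure year encoded in the CVE id (the year the id was reserved)."""
    m = CVE_ID.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE id: {cve_id!r}")
    return int(m.group(1))


def added_in_quarter(entry: dict, year: int, quarter: int) -> bool:
    d = date.fromisoformat(entry["dateAdded"])
    return d.year == year and (d.month - 1) // 3 + 1 == quarter


def quarter_entries(catalog: dict, year: int, quarter: int) -> list:
    return [e for e in catalog["vulnerabilities"] if added_in_quarter(e, year, quarter)]


def age_stats(entries: list, cutoff_year: int) -> dict:
    """Count entries whose CVE year is at or before cutoff_year ("legacy"), plus the oldest year."""
    years = [cve_year(e["cveID"]) for e in entries]
    legacy = [y for y in years if y <= cutoff_year]
    return {
        "total": len(entries),
        "legacy": len(legacy),
        "legacy_share": round(len(legacy) / len(entries), 2) if entries else 0.0,
        "oldest_year": min(years) if years else None,
    }


def is_networking(entry: dict) -> bool:
    text = f"{entry['vendorProject']} {entry['product']}".lower()
    return any(term in text for term in NETWORKING_TERMS)


def networking_share(entries: list) -> float:
    hits = sum(1 for e in entries if is_networking(e))
    return round(hits / len(entries), 2) if entries else 0.0


def month_counts(entries: list) -> Counter:
    """Entries added per calendar month (1-12), to spot which month climbed fastest."""
    return Counter(date.fromisoformat(e["dateAdded"]).month for e in entries)


def ai_relevant(entries: list) -> list:
    """CVE ids whose product or description matches an AI keyword."""
    return [e["cveID"] for e in entries
            if AI_PATTERN.search(f"{e['product']} {e['shortDescription']}")]


if __name__ == "__main__":
    q1 = quarter_entries(SAMPLE_KEV, 2026, 1)
    print("Q1 2026 entries:", len(q1))
    print("Age:", age_stats(q1, cutoff_year=2024))
    print("Networking share:", networking_share(q1))
    print("Per month:", dict(sorted(month_counts(q1).items())))
    print("AI-relevant:", ai_relevant(q1))
```

Two caveats a practitioner should keep in mind when reproducing this kind of count: the year in a CVE id is when the id was reserved, which can lag or lead the real disclosure date, and keyword matching on `shortDescription` over-counts terms like "model" that appear in non-AI contexts, so a manual pass over the hits is part of any honest methodology.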
Given the recent developments with models like the Mythos preview and the industry teaming up in initiatives like Project Glasswing, I'm curious how the trajectory will change moving forward. If you haven't read about it:

"During our testing, we found that Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so." - Anthropic Frontier Red Team

That's a substantial capability jump in agentic coding and reasoning, one that eventually needs to be put to work early in the development lifecycle. And as Anthony points out, those capabilities will becom