
What the 2026 Vulnerability Statistics Report Tells Us About the State of Security

Every year we publish the Edgescan Vulnerability Statistics Report. Every year, some of the findings surprise us. And every year, some of them don’t, which is its own kind of problem.

The 2026 edition is the 11th. It draws on thousands of penetration tests and security assessments conducted globally throughout 2025, across hundreds of organisations and dozens of industries. Here is a taste of what it found.

The volume problem is getting worse

In 2025, 48,185 CVEs were published. A new record. The CISA Known Exploited Vulnerabilities catalog grew to 1,484 entries, with 246 added during the year alone.

Nobody is patching all of those. The organisations that manage risk well are not trying to. They are identifying which vulnerabilities represent real, immediate risk to their specific environment and closing those first. The ones that struggle are still triaging noise.

The volume of CVEs is not going to decrease. What has to change is how organisations respond to it.

The remediation gap

Detection is only part of the problem. The other part is what happens after something is found.

For high and critical severity application and API vulnerabilities, the average mean time to remediate in 2025 was 54.81 days. That number looks very different when you break it down by industry, by vulnerability type, and by exploit likelihood. Some of those breakdowns are encouraging. Others are not.

The full picture is in the report.

What is actually being exploited

Not every open vulnerability carries the same weight. The report identifies which ones are linked to active ransomware campaigns, which have publicly available exploit code, and which are being weaponised within hours of disclosure.

It also tracks vulnerability age across the full stack, and what it reveals about the two parallel challenges most security teams are quietly dealing with: responding fast enough to what is new, and finally closing out what has been sitting open for years.

Why it matters

The threat landscape is not abstract. It is measurable. Remediation performance is measurable. Risk concentration is measurable. The 2026 Vulnerability Statistics Report gives security teams the data to make better decisions, faster.

Download the full report for the complete findings, including MTTR by industry, severity dispersion across the stack, PCI failure analysis, and the vulnerabilities most commonly missed by automated scanning alone.
