Q1 2026 Threat Landscape: Vulnerabilities and Exploit Trends


Welcome to our analysis of Q1 2026's cybersecurity landscape. In this report, we examine the latest statistics on registered vulnerabilities, exploitation patterns, and emerging threats. From continued abuse of legacy Office bugs to fresh exploits targeting Windows and Linux, the quarter saw significant activity. We also explore how AI agents are reshaping vulnerability discovery. Below, we answer key questions about these developments.

How did the total volume of vulnerabilities evolve in Q1 2026?

The overall number of registered vulnerabilities continued its upward trajectory, building on trends observed since 2022. Monthly CVE counts rose steadily, fuelled by increased automated scanning and disclosure. According to our data from cve.org, the total published vulnerabilities per month remained high, with AI-driven security tools accelerating the discovery of new flaws. This surge is expected to persist as more organizations adopt AI for routine security testing. While the raw numbers grow, the proportion of critical vulnerabilities (CVSS > 8.9) showed a slight dip compared to previous quarters, though an underlying upward trend remained clear. The end of 2025 saw several severe web framework vulnerabilities disclosed, setting the stage for Q1's activity. For a detailed breakdown, see our critical vulnerability analysis.

Source: securelist.com

What drove the increase in critical vulnerabilities this quarter?

Although the count of critical vulnerabilities slightly decreased from the previous year, Q1 2026 still witnessed several high-impact issues. The primary drivers included the disclosure of React2Shell, a remote code execution vulnerability in the popular React framework, and the release of new exploit frameworks targeting mobile platforms. Additionally, as security teams patched known flaws, researchers often uncovered secondary vulnerabilities in the same components during remediation. This chain reaction kept critical disclosures flowing. If our hypothesis holds, Q2 2026 should see a significant decline in critical CVEs, mimicking the pattern observed in 2025. However, the persistent activity around zero-day discoveries and AI-assisted scanning may sustain the elevated numbers.

Which veteran vulnerabilities remained most exploited?

Despite years of patches, several older flaws continued to dominate detection logs. The most active veteran exploits targeted the Microsoft Office Equation Editor component: CVE-2018-0802 and CVE-2017-11882 both allow remote code execution and remain favorite entry points for threat actors. CVE-2017-0199, affecting Office and WordPad, also persisted. Outside of Office, CVE-2023-38831 (improper archive handling) and two directory traversal issues, CVE-2025-6218 and CVE-2025-8088, were frequently exploited. These vulnerabilities share a common trait: they target fundamental file parsing or extraction logic, making them resilient to partial fixes. Organizations that delay patching these legacy issues remain at high risk. For a full list and mitigation tips, jump to new exploits.

What new exploits emerged in Q1 2026?

Threat actor toolkits expanded with exploits for recently registered vulnerabilities, particularly in the Microsoft Office platform and Windows operating system components. Among the newcomers, we observed weaponization of flaws that allowed remote code execution via crafted documents, as well as local privilege escalation through kernel bugs. Some of these exploits have already been integrated into mainstream exploit kits. Notably, CVE-2025-8088 and CVE-2025-6218, though classified as veterans above, were first disclosed in 2025 and continued to see fresh exploitation in Q1. The rapid adoption of these new exploits underscores the importance of a proactive patch management strategy. C2 frameworks also updated their payloads to include these vulnerabilities, enabling broader use in targeted attacks.


How are AI agents influencing vulnerability discovery?

AI and machine learning tools are playing an increasingly central role in both defensive and offensive security research. In Q1 2026, several prominent bug bounty programs reported a surge in submissions from AI-assisted scanners. These agents can analyze source code and binary patterns at scale, identifying potential vulnerabilities that human researchers might overlook. While this accelerates the discovery and responsible disclosure of issues, it also lowers the barrier for malicious actors who can deploy similar tools for zero-day hunting. The net effect is a continued upward trend in CVE registrations. As AI agents become more sophisticated, we expect the pace of vulnerability disclosure to accelerate further, reshaping the threat landscape in the quarters ahead.

What is the expected outlook for Q2 2026?

Based on current data and historical patterns, Q2 2026 is likely to see a decline in critical vulnerability disclosures, particularly if the factors that spiked Q1 (e.g., React2Shell and mobile exploit frameworks) recede. However, the baseline volume of new CVEs will remain high due to persistent AI-assisted discovery. Exploitation of the veteran Office bugs is not expected to wane, as many organizations still run unpatched versions. We also anticipate increased targeting of cloud-native and Linux environments, following the Q1 trend of expanded Linux exploits. Security teams should prioritize patching legacy Equation Editor vulnerabilities and monitor for exploits leveraging directory traversal flaws. The full picture will become clearer as Q2 progresses and new CVE disclosures are published.
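The pre-extraction check implied by the advice on directory traversal flaws (here and in the section on veteran vulnerabilities), as an added example that is not part of the original report: it audits ZIP member names before anything is written to disk. The ZIP format, Python's `zipfile` module, the function names and the sample entries are assumptions chosen for illustration and are not tied to any product or CVE named above.

```python
from __future__ import annotations
import io
import ntpath
import stat
import zipfile

def unsafe_reason(name: str) -> str | None:
    """Why a member name could land outside the extraction directory, or None."""
    norm = name.replace("\\", "/")  # Windows extractors treat '\' as a separator
    if norm.startswith("/"):
        return "absolute path"
    if ntpath.splitdrive(name)[0]:
        return "drive or UNC prefix"
    if ".." in norm.split("/"):
        return "parent-directory component"
    if ":" in norm:
        return "colon in name"  # conservative rule: Windows stream/device syntax
    return None

def audit_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member, reason) for every entry that should block extraction."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.orig_filename  # raw stored name, before zipfile tidies it
            reason = unsafe_reason(name)
            # A symlink member can redirect entries that are written after it.
            if reason is None and stat.S_ISLNK(info.external_attr >> 16):
                reason = "symbolic link entry"
            if reason:
                findings.append((name, reason))
    return findings

def build_sample() -> bytes:
    """Constructed test archive: one benign entry and five that must be blocked."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("docs/report.txt", "../../outside.txt", "..\\..\\outside.bat",
                     "C:/Temp/outside.txt", "notes.txt:stream"):
            zf.writestr(name, "sample")
        link = zipfile.ZipInfo("docs/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark as symlink
        zf.writestr(link, "/etc")
    return buf.getvalue()

if __name__ == "__main__":
    for member, reason in audit_zip(build_sample()):
        print(f"BLOCK {member!r}: {reason}")
```

The rules are deliberately conservative: a name such as `a/../b` resolves inside the destination but is still flagged, which is the safer default for an audit that runs before extraction.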
