cvefloodline.org · vulnerability weather
AI-assisted bug hunting is driving the biggest surge in CVE volume on record. The share that is actually dangerous has barely moved. The river is running high; it is not over the levee. This gauge watches the line that matters: not how hard it is raining, but how high the water actually rises.
The surge is not a rumor; it is in the disclosure feeds. AI-assisted research turned up the rainfall rate, and the 2026 projection is ~66,000 CVEs, about 46% above the prior forecast.
No CVE here is labeled “AI-found.” The population curve simply bent when the tools arrived. (One CNA clearing an AI-surfaced backlog posted +3,119%.) About 9% of the total is phantom rain, old CVE IDs re-published, shown net below.
Of the whole storm, only a sliver ever tops the levee. One dot below is lit: the rough rate at which a new CVE turns dangerous.
The water crests slowly. Drag the slider: how many of the same cohorts cross at disclosure, and how many after maturing 30 days.
Re-scoring each cohort at 0, 7, and 30 days after disclosure: crossings per 1,000 CVEs. A fresh CVE usually scores low the day it lands; the danger surfaces over the following weeks. (The 90-day mark needs cohorts older than the window, so it appears once enough time has passed.)
Your triage capacity is fixed. It does not grow because disclosures did. The losing move is fighting the rainfall total. The winning move is watching the flood stage and sandbagging early: prioritize by EPSS as it climbs, patch what reaches CISA KEV first, and treat a fresh CVE's low score as provisional rather than safe; it is risky precisely because its crest has not arrived. Watch the water rise; stack sandbags where it will come over.
The water that rises is rarely a surprise: the names you already brace for. Each climbed from a quiet EPSS score on disclosure day to a dangerous one within weeks.
This is a monitor, not a prophecy. Each day's cohort is scored against the dated, point-in-time EPSS archive, frozen as it stood that day, then re-measured at fixed horizons (0, 7, 30, and 90 days), so yesterday's CVEs are never judged by today's scores. If the dangerous subset ever starts tracking total volume, that is the flood arriving, and the gauge will show it.
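The re-scoring method described above (each cohort judged against the EPSS snapshot frozen at 0, 7, 30 and 90 days after its own disclosure, with a horizon withheld until the cohort is old enough) and the triage order from the sandbagging advice (KEV first, then EPSS as it climbs) can be shown in a few lines of Python. This is an added illustration, not the site's own code or data: the CVE IDs are placeholders, the EPSS snapshots and the KEV listing date are constructed, and the 0.10 "dangerous" line is an assumption, since the page does not state the threshold it uses.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed data for illustration only. The CVE IDs are placeholders,
# the scores are invented, and nothing here describes a real vulnerability.
DAY0 = date(2026, 1, 1)
DAY7 = DAY0 + timedelta(days=7)
DAY30 = DAY0 + timedelta(days=30)
TODAY = DAY0 + timedelta(days=45)  # the day the gauge is being read

# Point-in-time EPSS archive: snapshot date -> {cve_id: EPSS probability}.
# Each snapshot is kept exactly as it stood that day and never overwritten.
EPSS_ARCHIVE: Dict[date, Dict[str, float]] = {
    DAY0:  {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.01,
            "CVE-0000-0003": 0.03, "CVE-0000-0004": 0.04},
    DAY7:  {"CVE-0000-0001": 0.05, "CVE-0000-0002": 0.01,
            "CVE-0000-0003": 0.15, "CVE-0000-0004": 0.04},
    DAY30: {"CVE-0000-0001": 0.40, "CVE-0000-0002": 0.01,
            "CVE-0000-0003": 0.30, "CVE-0000-0004": 0.04},
}

# Dated CISA KEV additions (constructed): cve_id -> date it was listed.
# CVE-0000-0004 models the "EPSS lags, KEV catches it" case from the page.
KEV_ADDED: Dict[str, date] = {"CVE-0000-0004": DAY0 + timedelta(days=20)}

# Assumed "dangerous" line; the page does not publish its threshold.
DANGER_THRESHOLD = 0.10

# One cohort: cve_id -> disclosure date (all disclosed on DAY0 here).
COHORT: Dict[str, date] = {cve: DAY0 for cve in EPSS_ARCHIVE[DAY0]}


def snapshot_as_of(day: date) -> Dict[str, float]:
    """Latest archived snapshot dated on or before `day`.
    Assumption: the archive may have gaps, so fall back to the newest
    snapshot that already existed on that day (never a later one)."""
    candidates = [d for d in EPSS_ARCHIVE if d <= day]
    if not candidates:
        return {}
    return EPSS_ARCHIVE[max(candidates)]


def is_dangerous(cve: str, day: date) -> bool:
    """A CVE is over the levee on `day` if it was in KEV by then or its
    EPSS score in that day's frozen snapshot is at or above the threshold."""
    in_kev = KEV_ADDED.get(cve, date.max) <= day
    score = snapshot_as_of(day).get(cve, 0.0)
    return in_kev or score >= DANGER_THRESHOLD


def crossings_per_1000(cohort: Dict[str, date], horizon_days: int,
                       today: date) -> Optional[float]:
    """Crossings per 1,000 CVEs when every cohort member is re-scored
    exactly `horizon_days` after its own disclosure. Returns None if any
    member has not yet reached that horizon, which is why the 90-day mark
    stays blank until enough time has passed."""
    crossed = 0
    for cve, disclosed in cohort.items():
        mark = disclosed + timedelta(days=horizon_days)
        if mark > today:
            return None
        if is_dangerous(cve, mark):
            crossed += 1
    return 1000.0 * crossed / len(cohort)


def triage_order(cohort: Dict[str, date], day: date) -> List[str]:
    """Sandbagging order for `day`: KEV-listed CVEs first (confirmed
    exploitation beats a modeled score), then by that day's EPSS descending."""
    snap = snapshot_as_of(day)

    def key(cve: str):
        in_kev = KEV_ADDED.get(cve, date.max) <= day
        return (0 if in_kev else 1, -snap.get(cve, 0.0), cve)

    return sorted(cohort, key=key)


if __name__ == "__main__":
    for horizon in (0, 7, 30, 90):
        print(f"{horizon:>3}d: {crossings_per_1000(COHORT, horizon, TODAY)}")
    print("triage on day 30:", triage_order(COHORT, DAY30))
```

Run as a script it prints the per-horizon crossing rate for the constructed cohort (0 at disclosure, rising at 7 and 30 days, `None` at 90 because the cohort is only 45 days old) and the day-30 patch order, where the KEV-listed placeholder jumps ahead of a CVE whose EPSS is ten times higher. The point of `snapshot_as_of` is the rule the page states: a cohort is only ever judged by the archive as it stood on the day of the mark, never by a later score.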
Honest limits: EPSS is a modeled exploitation probability, not a verdict, and it lags genuinely novel bugs, so it is paired with CISA KEV (confirmed exploitation). KEV itself lags disclosure by months, which makes recent counts lower bounds. This is a population-level view, not the water at any one organization's door. None of it means new CVEs are safe to ignore.