Q1 2026 Exploits and Vulnerabilities: A Comprehensive Q&A


In the first quarter of 2026, threat actors expanded their arsenal with new exploits targeting Microsoft Office, Windows, and Linux systems. This Q&A delves into the statistics on published vulnerabilities, exploitation trends, and the key CVEs that dominated the landscape. Based on data from cve.org and telemetry from security firms, we explore how AI is accelerating vulnerability discovery, why critical vulnerabilities saw a slight dip but remain on an upward trend, and which veteran exploits continue to be favored by attackers. We also highlight the emergence of new exploits like React2Shell and mobile exploit frameworks.

1. What was the overall trend in vulnerability registrations during Q1 2026?

The total number of registered CVEs continued its upward trajectory in Q1 2026. Data from cve.org shows that the volume of vulnerabilities published each month has been steadily increasing since January 2022. This growth is expected to accelerate further as AI agents are increasingly used to automatically discover security flaws. While the exact figures for Q1 2026 are detailed in the downloadable dataset, the trend aligns with a broader pattern of expanding attack surfaces. The rise is not just in quantity but also in complexity, with new vulnerability types emerging across web frameworks, mobile platforms, and operating systems. However, the report notes that the end of 2025 saw a surge in severe vulnerabilities in web frameworks, which contributed to the high baseline entering Q1.

Source: securelist.com

2. How did the number of critical vulnerabilities (CVSS > 8.9) change in Q1 2026 compared to previous years?

Interestingly, while overall vulnerabilities rose, the number of new critical vulnerabilities (CVSS score above 8.9) slightly decreased in Q1 2026 compared to the same period in previous years. However, the graph indicates that an upward trend remains clearly visible. The temporary dip is attributed to the fact that the end of 2025 was marked by the disclosure of several severe vulnerabilities in web frameworks. Current growth in critical issues is driven by high-profile vulnerabilities such as React2Shell, the release of exploit frameworks for mobile platforms, and the uncovering of secondary vulnerabilities during remediation of previously discovered ones. The report hypothesizes that if this pattern holds, Q2 2026 will show a significant decline similar to the previous year.

3. What role is AI playing in vulnerability discovery, and how does it affect the statistics?

According to current reports, the use of AI agents for discovering security issues is expected to reinforce the upward trend in vulnerability registrations. AI tools can automate the scanning of codebases, network configurations, and even running systems to identify potential weaknesses at a scale and speed impossible for human researchers alone. In Q1 2026, this led to a higher volume of reported vulnerabilities, including both low-severity and critical ones. The report suggests that as AI matures, the rate of discovery will continue to climb, potentially outpacing the capacity of software vendors to patch them. This dynamic is already visible in the statistics, where the number of monthly CVEs has been growing consistently. However, AI also helps defenders by enabling faster detection and prioritization of exploits.

4. Which veteran vulnerabilities were most exploited in Q1 2026?

The report highlights several veteran CVEs that consistently account for the largest share of detections. These include CVE-2018-0802 and CVE-2017-11882, both remote code execution vulnerabilities in the Equation Editor component of Microsoft Office. CVE-2017-0199, a vulnerability in Microsoft Office and WordPad that allows an attacker to take control of the system, also remained popular. Additionally, CVE-2023-38831, caused by improper handling of objects in archives, and CVE-2025-6218, which allows relative path specification leading to arbitrary command execution, were widely exploited. Another notable veteran is CVE-2025-8088, a directory traversal bypass vulnerability during file extraction using NTFS Streams. These older exploits persist because many systems remain unpatched, and they are easily integrated into exploit kits.
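The two archive-related classes named above (relative path specification and traversal through NTFS stream syntax) can be screened for before extraction by inspecting member names. The following is an added example, not code from the report: the function names and sample member names are hypothetical and constructed here, and a ZIP container is used only because Python's standard library can read it.

```python
import io
import re
import zipfile

DRIVE = re.compile(r"^[A-Za-z]:")  # Windows drive prefix such as "C:"


def classify_entry(name: str) -> list[str]:
    """Return the reasons an archive member name is unsafe to extract."""
    findings = []
    norm = name.replace("\\", "/")  # treat both separators alike
    if norm.startswith("/") or DRIVE.match(norm):
        findings.append("absolute-path")
    rest = DRIVE.sub("", norm, count=1)
    # Any remaining colon is NTFS alternate-data-stream syntax (file:stream)
    if ":" in rest:
        findings.append("ntfs-stream-syntax")
    # Split on ':' as well, so a traversal hidden in a stream name is seen
    if ".." in re.split(r"[/:]", rest):
        findings.append("parent-traversal")
    return findings


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Map each flagged member name to its findings, without extracting."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: f for n in zf.namelist() if (f := classify_entry(n))}


def build_sample() -> bytes:
    """Constructed in-memory archive: one benign and two suspicious names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("notes/readme.txt",
                     "../../etc/cron.d/job",
                     "docs/report.pdf:../../Startup/run.bat"):
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_archive(build_sample()).items():
        print(f"{member!r}: {', '.join(reasons)}")
```

A gateway or mail filter can quarantine any archive for which `scan_archive` returns a non-empty result; patching the extraction software remains the actual fix.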


5. What new exploits emerged in Q1 2026, and what platforms do they target?

Among the newcomers in Q1 2026, threat actors updated their toolsets with exploits for recently registered vulnerabilities targeting the Microsoft Office platform and Windows OS components. Specific examples include exploits for high-profile issues like React2Shell, which affects web frameworks, and mobile exploit frameworks that were released during the quarter. The report also notes the discovery of secondary vulnerabilities that arose during the remediation of previously known flaws, further expanding the attack surface. These new exploits are particularly concerning because they often target zero-day or recently patched vulnerabilities, giving defenders a narrow window to respond. The exploitation statistics draw on open sources and telemetry, indicating that these new exploits are being actively used in the wild.

6. What factors contributed to the growth in critical vulnerabilities despite the slight decrease?

The slight decrease in critical vulnerabilities in Q1 2026 is deceptive; the underlying trend remains upward. The report attributes the temporary dip to the end of 2025, which saw a surge in severe vulnerabilities in web frameworks. The current growth is driven by several factors: high-profile issues like React2Shell, which garnered widespread attention; the release of exploit frameworks for mobile platforms (a relatively new vector); and the uncovering of secondary vulnerabilities during the remediation of previously discovered ones. These secondary vulnerabilities often arise when patches are incomplete or introduce new flaws. The report hypothesizes that if this pattern is correct, Q2 2026 will see a significant decline, similar to the pattern observed in the previous year, as the wave of new critical issues subsides.

7. How reliable are the exploitation statistics, and what sources are used?

The exploitation statistics presented in the report are drawn from two primary sources: open-source intelligence and the report authors' own telemetry. Open sources include public CVE databases, security blogs, and vendor advisories. Telemetry comes from the security firm's network of sensors deployed across client environments, which detect exploit attempts in real time. This dual-source approach helps cross-validate findings and reduce bias. However, the report acknowledges that telemetry may underrepresent exploitation in regions with low sensor coverage, and open sources may lag behind active attacks. Overall, the statistics provide a reliable snapshot of the most exploited vulnerabilities in Q1 2026, especially for well-known CVE entries. For newcomers, the data is more preliminary but indicative of emerging threats.
