391043 Stack
📖 Tutorial

Cybersecurity Threats: A Deep Dive into Q1 2026 Exploits and Vulnerabilities

Last updated: 2026-05-14 05:08:04
Intermediate

In the first quarter of 2026, the cybersecurity landscape witnessed a significant evolution in exploit kits, with attackers integrating novel vulnerabilities targeting Microsoft Office, Windows, and Linux systems. This Q&A explores the key findings from vulnerability registration statistics, critical flaw trends, and the exploitation patterns observed during this period. We analyze both persistent, older vulnerabilities that dominated detections and newly emerged exploits that reshaped threat actor toolkits.

The overall number of registered Common Vulnerabilities and Exposures (CVEs) continued its upward trajectory in Q1 2026, extending a pattern observed since January 2022. This growth is partly attributed to the increasing use of AI agents for discovering security issues, which is expected to further accelerate the identification of vulnerabilities. The data, sourced from cve.org, shows a monthly increase in total CVEs, indicating that the attack surface is expanding. While the sheer volume rose, the proportion of critical vulnerabilities (CVSS score above 8.9) saw a slight decrease compared to previous years, yet an underlying rise remained evident. Researchers note that the end of 2025 saw the disclosure of several severe flaws in web frameworks, which contributed to the current numbers. This trend suggests that both automated discovery tools and manual research are keeping the vulnerability pipeline active, making patch management more challenging for organizations.

Source: securelist.com

How did the volume of critical vulnerabilities change in Q1 2026 compared to earlier periods?

The number of newly published critical vulnerabilities (CVSS > 8.9) in Q1 2026 slightly decreased relative to the same quarter in prior years, but an upward trend was still clearly visible. This apparent contradiction is explained by the timing of high-profile disclosures: several severe web framework vulnerabilities were released at the tail end of 2025, inflating the previous quarter's numbers. In Q1 2026, the growth is driven by prominent issues such as the React2Shell exploit, the release of exploit frameworks for mobile platforms, and the uncovering of secondary vulnerabilities during the remediation of previously known flaws. Researchers hypothesize that if this pattern mirrors that of the prior year, the second quarter of 2026 will show a significant decline in critical vulnerabilities. This hypothesis will be tested as more data becomes available, offering insights into whether the current surge is a temporary spike or a sustained shift in discovery dynamics.

Which veteran vulnerabilities continued to be most exploited in Q1 2026?

Despite the arrival of new exploits, several older vulnerabilities remained dominant in detection counts during Q1 2026. These include:

  • CVE-2018-0802 – a remote code execution (RCE) flaw in Microsoft Office's Equation Editor.
  • CVE-2017-11882 – another RCE vulnerability in the same Equation Editor component.
  • CVE-2017-0199 – a vulnerability in Microsoft Office and WordPad allowing system control.
  • CVE-2023-38831 – improper handling of objects within archives.
  • CVE-2025-6218 – relative path specification enabling arbitrary file extraction leading to malicious command execution.
  • CVE-2025-8088 – a directory traversal bypass during file extraction using NTFS Streams.

These enduring vulnerabilities highlight the persistent risk of unpatched systems, as threat actors continuously leverage proven entry points even years after initial disclosure.
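The last two entries in the list above are path-handling flaws during archive extraction: relative path specification and NTFS stream syntax in entry names. The following is an added example, not code from the report: a pre-extraction check that refuses such entry names and also confirms the resolved target stays under the destination directory. The function names, the problem labels, the `extract_here` directory and the sample archive are all constructed for illustration.

```python
import io
import ntpath
import os
import zipfile

def entry_problems(name):
    """Reasons an archive entry name must not be extracted as-is (empty list = clean)."""
    drive, rest = ntpath.splitdrive(name)        # catches C:... and \\server\share\...
    rest = rest.replace("\\", "/")               # archives cross OS boundaries
    parts = [p for p in rest.split("/") if p not in ("", ".")]
    problems = []
    if drive or rest.startswith("/"):
        problems.append("absolute-path")
    if ".." in parts:
        problems.append("parent-traversal")
    if any(":" in p for p in parts):             # name:stream is NTFS stream syntax
        problems.append("ntfs-stream")
    if any(p != p.rstrip(". ") for p in parts if p != ".."):
        problems.append("trailing-dot-or-space")  # Windows silently strips these
    return problems

def stays_inside(dest, name):
    """Second layer: resolve the final path and confirm it is under dest."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name.replace("\\", "/")))
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:                           # e.g. different drives on Windows
        return False

def vet_archive(data, dest="extract_here"):
    """Return [(entry_name, problems)] for every entry that should be refused."""
    refused = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            problems = entry_problems(info.filename)
            if not stays_inside(dest, info.filename):
                problems.append("escapes-destination")
            if problems:
                refused.append((info.filename, problems))
    return refused

def build_sample():
    """Constructed in-memory archive: one clean entry and three names to refuse."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("docs/report.txt", "..\\..\\outside.txt",
                     "docs/readme.txt:hidden", "/abs/outside.txt"):
            zf.writestr(name, b"constructed sample")
    return buf.getvalue()
```

Running `vet_archive(build_sample())` lists the three refused entries with their reasons; an extraction wrapper would skip or abort on any non-empty result before writing a single file.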

What new exploits emerged in Q1 2026?

During the first quarter of 2026, threat actor toolkits were updated with exploits targeting recently registered vulnerabilities. Notably, new exploits were observed for the Microsoft Office platform and Windows OS components. While specific CVE identifiers for these newcomers were not detailed in the report, they represent a shift in attacker focus toward fresher weaknesses. Additionally, the React2Shell vulnerability became a prominent target, alongside mobile platform exploit frameworks that were released during this period. The emergence of these new exploits signals that cybercriminals are actively incorporating recently disclosed flaws into their arsenals, often before organizations can apply patches. This underscores the importance of rapid threat intelligence and proactive defense measures to mitigate exposure to zero-day and n-day attacks.


How are AI agents expected to influence vulnerability discovery?

According to the report, the use of AI agents for discovering security issues is expected to further reinforce the upward trend in vulnerability registrations. These automated systems can analyze codebases, detect patterns, and identify potential flaws at a scale and speed far beyond human manual review. While this accelerates the discovery of vulnerabilities, it also means that attackers may similarly leverage AI to find new exploits. The dual-use nature of AI in cybersecurity presents both opportunities and challenges. For defenders, AI-driven discovery helps in proactive patching and risk assessment. For attackers, it can reduce the time between a vulnerability's disclosure and its exploitation. The coming quarters will likely see an increase in both the volume and velocity of vulnerability disclosures, making AI an integral part of the security landscape.

What hypothesis did researchers propose regarding the trend in critical vulnerabilities?

Researchers proposed that the current growth in critical vulnerabilities during Q1 2026 is largely driven by a cluster of high-profile disclosures, including React2Shell, mobile exploit frameworks, and secondary vulnerabilities uncovered during the fixing of earlier flaws. They hypothesize that if this pattern follows the one observed in the previous year, the second quarter of 2026 will show a significant decline in critical vulnerability counts. This expectation is based on historical data where a spike in high-severity issues was followed by a quieter period as the backlog of discovered flaws is exhausted. The validity of this hypothesis will be tested in Q2 2026; if correct, it would indicate that the current surge is a temporary phenomenon rather than a long-term trend. This insight helps organizations plan their resource allocation for patch management and vulnerability response.

Which platforms were primarily targeted by updated exploit kits?

In Q1 2026, exploit kits leveraged by threat actors expanded to incorporate new exploits for the Microsoft Office platform, as well as Windows and Linux operating systems. These platforms remain the primary targets due to their widespread deployment in both enterprise and consumer environments. The Office suite, in particular, continues to be a favored vector because of its deep integration into business workflows and the complexity of its components, such as Equation Editor. Meanwhile, Windows and Linux systems are targeted for their critical roles in servers, desktops, and cloud infrastructure. The update to exploit kits with recent vulnerabilities indicates that attackers are actively weaponizing newly discovered flaws, increasing the pressure on security teams to prioritize patching across these core platforms.