New CVE Forecasting Tool Predicts 47,000 Disclosures in 2025

CVEForecast.org uses machine learning to project a record-breaking surge in vulnerability disclosures in 2025.

Sarah Gooding

July 7, 2025

Security engineer Jerry Gamblin, founder of RogoLabs, has released a new open source forecasting tool that aims to predict the growing volume of software vulnerability disclosures. The tool, CVEForecast.org, uses historical CVE data and machine learning models to generate short-term projections of how many new vulnerabilities are likely to be published.

Inspired by community efforts like vuln4cast and quarterly vulnerability reports from FIRST.org, Gamblin built the tool over a long weekend as a personal project. He is inviting feedback from security professionals to help improve its accuracy and usability.

“This was a passion project, and it's my first step in this area,” Gamblin wrote on LinkedIn. “I'm eager for the community's feedback to make it better.”

Forecast: 46,886 CVEs in 2025

CVEForecast predicts that 2025 will end with 46,886 published CVEs. That figure would represent the highest number of CVEs recorded in a single year, continuing an upward trend in disclosure volume. The forecast combines published data through June 2025 with projections for the second half of the year, using XGBoost as its most accurate model.

According to the tool:

  • 23,291 CVEs were published from January through June
  • July is forecast to bring in 3,809 additional CVEs
  • The rest of the year is expected to maintain a steady monthly rate of approximately 3,800 disclosures

This would result in a 37 percent increase over the estimated 34,000 CVEs disclosed in 2024, and a near doubling of the number disclosed in 2022.

Forecasting Model Performance

CVEForecast evaluates 20 different forecasting models using a dataset of over 285,000 CVEs published between September 1999 and July 2025. XGBoost ranks highest for forecast accuracy, with a Mean Absolute Error of 196 CVEs and a Mean Absolute Percentage Error of 4.8 percent. Other high-performing models include CatBoost, NHiTS, and KalmanFilter, though all had slightly higher error rates.

Model predictions for the first half of 2025 were close to observed data. For example, the forecast for February was off by just 33 CVEs, and June came within 28. The January prediction showed the highest deviation, missing by 466 CVEs.
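The two accuracy figures quoted above, Mean Absolute Error and Mean Absolute Percentage Error, are simple to compute once you have a forecast and an observed count per month. The following is an added illustration, not code from CVEForecast.org (the article does not show the tool's internals); it scores a set of monthly forecasts the same way and then combines published months with forecast months into a year-end total, which is how the 2025 figure in the article is assembled. Every monthly count below is constructed for the example and is not data from the tool.

```python
"""Score a monthly CVE-count forecast with MAE and MAPE, and roll observed
plus forecast months into a year-end projection.

Example code written for this article, not CVEForecast.org's own code.
All monthly figures in CONSTRUCTED_2025 are made up for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class MonthResult:
    month: str
    forecast: int
    observed: Optional[int] = None  # None means the month is not yet published

    @property
    def error(self) -> int:
        """Signed error (forecast minus observed); only meaningful once observed."""
        if self.observed is None:
            raise ValueError(f"{self.month}: no observed count yet")
        return self.forecast - self.observed


def _scored(results: List[MonthResult]) -> List[MonthResult]:
    """Keep only months that already have an observed count."""
    scored = [r for r in results if r.observed is not None]
    if not scored:
        raise ValueError("no months with observed data to score against")
    return scored


def mean_absolute_error(results: List[MonthResult]) -> float:
    """MAE: average of |forecast - observed| over published months, in CVEs."""
    scored = _scored(results)
    return sum(abs(r.error) for r in scored) / len(scored)


def mean_absolute_percentage_error(results: List[MonthResult]) -> float:
    """MAPE: average of |error| / observed over published months, in percent.

    A month with zero observed CVEs would divide by zero; it is rejected
    explicitly rather than silently producing inf.
    """
    scored = _scored(results)
    if any(r.observed == 0 for r in scored):
        raise ZeroDivisionError("MAPE is undefined for a month with 0 observed CVEs")
    return 100.0 * sum(abs(r.error) / r.observed for r in scored) / len(scored)


def worst_month(results: List[MonthResult]) -> MonthResult:
    """The published month where the forecast missed by the largest margin."""
    return max(_scored(results), key=lambda r: abs(r.error))


def project_year_end(results: List[MonthResult]) -> int:
    """Observed count where the month is published, forecast otherwise."""
    return sum(r.observed if r.observed is not None else r.forecast for r in results)


# Constructed example year: six published months, six forecast-only months.
CONSTRUCTED_2025 = [
    MonthResult("Jan", forecast=3800, observed=3700),
    MonthResult("Feb", forecast=3800, observed=3830),
    MonthResult("Mar", forecast=3900, observed=3950),
    MonthResult("Apr", forecast=3900, observed=3880),
    MonthResult("May", forecast=4000, observed=3960),
    MonthResult("Jun", forecast=4000, observed=4060),
    MonthResult("Jul", forecast=3800),
    MonthResult("Aug", forecast=3800),
    MonthResult("Sep", forecast=3850),
    MonthResult("Oct", forecast=3850),
    MonthResult("Nov", forecast=3900),
    MonthResult("Dec", forecast=3900),
]

if __name__ == "__main__":
    print(f"MAE  = {mean_absolute_error(CONSTRUCTED_2025):.1f} CVEs")
    print(f"MAPE = {mean_absolute_percentage_error(CONSTRUCTED_2025):.2f} %")
    w = worst_month(CONSTRUCTED_2025)
    print(f"largest miss: {w.month} by {abs(w.error)} CVEs")
    print(f"projected year-end total: {project_year_end(CONSTRUCTED_2025)}")
```

MAE is reported in CVEs and tells you the typical size of a monthly miss; MAPE normalizes that miss by the month's actual volume, which is why a 4.8 percent MAPE is the more useful figure when monthly counts keep growing. Only published months are scored, so a model's accuracy can be re-evaluated each month as new CVE data lands without touching the forecast-only months.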

CVE Growth Shows No Signs of Slowing

While the current public forecast ends in January 2026, the projected trend suggests that annual CVE volumes could surpass 50,000 within the next year. The model shows no sign of seasonal dips or slowdown in disclosure activity.

If current patterns hold, the growth of CVE disclosures will continue to strain vulnerability triage processes, patch management, and risk scoring systems across the industry. Tools that help prioritize based on reachability or exploitability will become increasingly essential to avoid being overwhelmed by the volume.

Gamblin has positioned CVEForecast as a starting point for deeper exploration of these trends. With a transparent methodology and a community-driven roadmap, the tool offers a new way to anticipate the scale of the software vulnerability landscape.
