High-Risk Vulnerabilities Spike 36% Year-Over-Year as Critical Security Debt Surges 20%, Signaling a Growing Crisis in Software Security
Veracode, the global leader in application risk management, today released its 2026 State of Software Security Report, revealing the widening gap between how fast organizations build software and how fast they can secure it. The report found 82 percent of organizations now harbor security debt—an 11 percent increase from the prior year—and that 60 percent of those organizations have security debt defined as “critical,” representing accumulated vulnerabilities severe enough to cause catastrophic damage to an organization if exploited. The report recommends adopting a “Protect, Prioritize, and Prove” strategy to meaningfully reduce risk in 2026 and beyond.
Now in its 16th annual edition, Veracode’s flagship report analyzed 1.6 million unique applications spanning enterprises, commercial software suppliers, software outsourcers, and open-source projects worldwide.
The 2026 findings expose a fundamental mismatch between development velocity and remediation capacity. While detection capabilities have improved, the backlog of unresolved vulnerabilities is growing faster than teams can eliminate it. This trend is exacerbated by a 36 percent year-over-year spike in high-risk vulnerabilities, categorized as flaws that are both severe and highly exploitable.
“The speed of software development has skyrocketed, meaning the pace of flaw creation is outstripping the current capacity for remediation,” said Chris Wysopal, Chief Security Evangelist at Veracode. “Despite marginal gains in fix rates, security debt is becoming a much larger issue for many organizations. Now that AI has taken software development velocity to an unprecedented level, enterprises must ensure they’re making deliberate, intelligent choices to stem the tide of flaws and minimize their risk.”
Key Takeaways from the 2026 State of Software Security Report
This year’s study establishes the primary themes shaping software security maturity in a world where AI-driven development, expanding attack surfaces, and faster release cycles collide with remediation capacity.
- Critical Security Debt Intensifies: The 20 percent year-over-year increase in critical security debt suggests the accumulation of risky vulnerabilities older than a year is outpacing remediation capacity, signaling an urgent need to rethink how backlogs are managed.
- High-Risk Vulnerabilities Demand a New Kind of Prioritization: A 36 percent relative increase in flaws classed as both “severe” and “highly exploitable” demands an urgent shift from generic severity scoring to prioritization based on real-world attack potential.
- Detection is Improving Modestly; Remediation is Not: While organizations are successfully finding fewer flaws and improving detection rates, the data reveals a persistent strain to fix them quickly enough to close the widening exposure window.
- Open-source Components Carry Outsized Risk: Third-party libraries and open-source dependencies account for 66 percent of the most dangerous, longest-lived vulnerabilities—a reminder that third-party hygiene still has a long way to go despite signs of improvement.
- The AI Impact: AI development is introducing new high-risk vulnerability patterns at scale, while AI-powered remediation is beginning to offer a credible path toward closing the gap.
Actionable Insights and Recommendations
To combat these risks, Veracode advocates a shift from simple detection toward a more strategic framework of Prioritize, Protect, and Prove. This approach enables organizations to prioritize their “crown jewels”—the most valuable systems and applications that hold sensitive data, deliver core services or impact overall operations.
“We are at an inflection point where running faster on the treadmill of vulnerability management is no longer a viable strategy,” Wysopal closed. “Success requires a deliberate shift. Teams must prioritize the 11.3 percent of flaws that pose real-world danger, protect their critical assets through automated remediation, and prove that their security posture meets the rigorous demands of modern compliance. It is not about fixing everything; it is about managing security debt by minimizing its most consequential risks.”
Veracode’s annual State of Software Security Report is one of the industry’s longest running and most comprehensive views of the application risk management landscape.
The full 2026 report is available on the Veracode website. Join the webinar on February 26 at 11am Eastern Time to hear from the authors of this year’s report and get an in-depth analysis of the key findings.