Q1 2026 Exploit Trends: Key Vulnerabilities and Attack Vectors
The first quarter of 2026 saw threat actors expand their exploit kits with new weapons targeting Microsoft Office, Windows, and Linux. This report dissects the latest vulnerability statistics and exploitation patterns, revealing both persistent legacy flaws and emerging critical issues like React2Shell. Below, we answer the most pressing questions about the evolving threat landscape.
1. How did exploit kits evolve in Q1 2026?
In Q1 2026, exploit kits expanded significantly, integrating fresh exploits for the Microsoft Office platform and both Windows and Linux operating systems. This allowed attackers to target a wider range of users with automated attacks. The new exploits complemented existing veteran vulnerabilities, making it easier for threat actors to compromise systems through common vectors like malicious Office documents or drive-by downloads.

2. What was the overall trend in registered vulnerabilities from 2022 to Q1 2026?
According to data from cve.org, the total number of published vulnerabilities has steadily increased since January 2022. This upward trend is expected to accelerate with the growing use of AI agents to discover security issues. By Q1 2026, the monthly CVE count remained high, reflecting the persistent discovery of new flaws across software and hardware ecosystems.
3. How did critical vulnerability numbers change in Q1 2026?
Critical vulnerabilities (CVSS > 8.9) showed a slight dip compared to previous years, but the overall upward trend continued. This was driven by high-profile issues like React2Shell, the release of mobile exploit frameworks, and secondary vulnerabilities uncovered during patch cycles. Analysts hypothesize that if this pattern holds, Q2 2026 may see a significant decline similar to the previous year's cycle, though confirmation awaits Q2 data.
4. Which veteran vulnerabilities remained most exploited?
Several older vulnerabilities consistently accounted for the largest share of detections in Q1 2026. These include CVE-2018-0802 and CVE-2017-11882, both remote code execution flaws in Microsoft Office's Equation Editor; CVE-2017-0199 targeting Office and WordPad; CVE-2023-38831 related to improper archive handling; CVE-2025-6218 allowing relative path extraction; and CVE-2025-8088, a directory traversal bypass using NTFS streams. Their persistence highlights the challenge of patching legacy software.

5. What new exploits were observed targeting Microsoft Office and Windows?
Among the newcomers, security researchers observed exploits targeting the Microsoft Office platform and components of the Windows operating system. These new vulnerabilities were quickly integrated into exploit kits, enabling attackers to launch fresh attacks against unpatched systems. The report does not detail the specific CVEs, but they represent active risks for organizations using these platforms.
6. How is AI expected to influence vulnerability discovery?
The use of AI agents to automatically find security issues is predicted to further accelerate the already rising volume of registered vulnerabilities. AI-powered tools can analyze codebases and system behaviors at scale, uncovering flaws that manual testing might miss. This could lead to a surge in CVE registrations in coming quarters, placing additional pressure on defenders to prioritize patching.
7. What factors drove the increase in critical vulnerabilities despite a slight decline?
The slight decrease in critical vulnerabilities compared to prior years was offset by major disclosures such as React2Shell, a severe web framework issue, and new mobile exploit frameworks. Additionally, fixing one vulnerability often revealed secondary flaws, contributing to the count. This pattern suggests that critical vulnerability trends are influenced by periodic high-impact disclosures rather than a steady rate.