AI-driven development is accelerating security debt and high-risk vulnerabilities.
Key Takeaways:
As software teams accelerate delivery in the AI era, security vulnerabilities are expanding at an even greater pace. The 2026 State of Software Security report reveals a sharp rise in high-risk flaws and growing security debt.
According to the new report from Veracode, security debt has risen sharply: 82% of organizations are now affected, up from 74%, and 60% face critical long-standing flaws, a 20% year-over-year increase. Nearly half of all applications (49%) still carry year-old vulnerabilities, underscoring how far remediation capacity continues to lag behind the accelerating pace of development. The report attributes the widening gap between discovering vulnerabilities and fixing them to growing application complexity and the increasing use of AI-generated and third-party code.
This report also highlights a 36% rise in high-risk vulnerabilities, which are both severe and easily exploitable. This surge stems from several factors, including insecure patterns introduced by AI-assisted coding, the rapid expansion of modern attack surfaces (such as APIs, microservices, and cloud-native architectures), and the ongoing tendency for remediation efforts to overlook the most critical flaws.
Organizations are also finding flaws more efficiently, but remediation timelines remain slow: the report shows that remediation practices haven’t scaled to match the rising volume and severity of vulnerabilities.
“The speed of software development has skyrocketed, meaning the pace of flaw creation is outstripping the current capacity for remediation,” said Chris Wysopal, chief security evangelist at Veracode. “Despite marginal gains in fix rates, security debt is becoming a much larger issue for many organizations.”
Despite some improvement, third-party code continues to pose the greatest high-impact security risk, accounting for 66% of all critical security debt. While the proportion of applications with open-source vulnerabilities dropped from 70% to 62%, these components remain a major source of long-lived flaws, largely because third-party issues take far longer to remediate: their half-life (the time it takes for half of them to be fixed) is 358 days.
Veracode’s study also found that AI plays a dual role in modern software security, acting as both a significant risk factor and a powerful enabler. On the risk side, AI-generated code can introduce new vulnerability patterns, expose systems to adversarial attacks or AI-assisted exploitation, and add layers of complexity that reduce visibility into potential weaknesses.
On the benefit side, AI offers automated detection and remediation, quicker identification of an organization’s most critical “crown jewel” applications, and a reduction in manual workload through AI-assisted fixes. The report stresses that strong governance, human oversight, and validation of AI-generated outputs are needed to ensure that AI strengthens rather than weakens the overall security posture.
The report encourages organizations to adopt a more strategic, prioritized approach to security: focus on the vulnerabilities that matter most, while using AI-assisted tools to boost remediation capacity and streamline the elimination of routine flaws. It recommends strengthening supply chain defenses through tighter dependency management and package-manager controls, and shifting remediation earlier into development workflows. It also advises embedding security responsibilities into team processes through training, improved tooling, and clearer accountability structures.
Lastly, Veracode’s report emphasizes treating remediation capacity as a critical investment area and urges leaders to make security debt a measurable KPI to ensure consistent progress across the organization.
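The metrics the report leans on (the share of applications carrying year-old flaws, critical debt, the third-party share of that debt, and the remediation half-life) are straightforward to compute from a scanner's findings export, which is what making security debt a measurable KPI amounts to in practice. The script below is an added example, not code from Veracode or from the report; the `Finding` records, application names, dates and the `REPORT_DATE` are all constructed for illustration. It also shows why half-life is a better KPI than "median time to fix": the median over closed findings silently drops the flaws that are still open (usually the oldest), while a Kaplan-Meier estimate treats them as right-censored and so does not understate how long remediation really takes.

```python
"""Security-debt KPIs computed over a constructed set of findings.

Every finding below is made up for illustration; the date arithmetic and the
Kaplan-Meier half-life estimate are the point of the example.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Finding:
    app: str                 # application the flaw belongs to
    severity: str            # "critical", "high", "medium" or "low"
    origin: str              # "first-party" or "third-party" (dependency) code
    opened: date             # first seen by the scanner
    closed: Optional[date]   # None while the flaw is still open


REPORT_DATE = date(2026, 1, 15)   # constructed "as of" date for the KPIs

# Constructed sample: four applications, nine findings.
FINDINGS = [
    Finding("billing",   "critical", "third-party", date(2024, 6, 1),  None),
    Finding("billing",   "high",     "first-party", date(2025, 11, 1), date(2025, 11, 21)),
    Finding("portal",    "medium",   "third-party", date(2025, 1, 10), None),
    Finding("portal",    "low",      "first-party", date(2025, 12, 1), date(2026, 1, 5)),
    Finding("api-gw",    "high",     "first-party", date(2025, 10, 1), date(2025, 12, 30)),
    Finding("api-gw",    "critical", "third-party", date(2025, 9, 1),  date(2026, 1, 15)),
    Finding("api-gw",    "high",     "first-party", date(2024, 12, 1), None),
    Finding("reporting", "medium",   "first-party", date(2025, 6, 15), date(2025, 8, 14)),
    Finding("reporting", "high",     "third-party", date(2025, 3, 1),  None),
]


def age_days(f: Finding, as_of: date) -> int:
    """Days the finding was open (closed ones) or has been open so far (open ones)."""
    return ((f.closed or as_of) - f.opened).days


def is_debt(f: Finding, as_of: date, debt_age: int = 365) -> bool:
    """Security debt: a flaw still open after more than debt_age days."""
    return f.closed is None and age_days(f, as_of) > debt_age


def debt_kpis(findings, as_of: date, debt_age: int = 365) -> dict:
    """Portfolio-level KPIs: share of apps carrying debt, share carrying
    critical-severity debt, and the third-party share of the debt itself."""
    apps = {f.app for f in findings}
    debt = [f for f in findings if is_debt(f, as_of, debt_age)]
    debt_apps = {f.app for f in debt}
    critical_apps = {f.app for f in debt if f.severity == "critical"}
    third_party = sum(1 for f in debt if f.origin == "third-party")
    return {
        "apps_with_debt": len(debt_apps) / len(apps),
        "apps_with_critical_debt": len(critical_apps) / len(apps),
        "third_party_share_of_debt": third_party / len(debt) if debt else 0.0,
    }


def naive_median_fix_days(findings, as_of: date) -> float:
    """Median time-to-fix over closed findings only. Biased low: flaws that
    are still open (often the oldest) are silently dropped."""
    return median(age_days(f, as_of) for f in findings if f.closed is not None)


def half_life_days(findings, as_of: date):
    """Kaplan-Meier estimate of the remediation half-life: the earliest age at
    which the estimated fraction of flaws still open is 50% or less. Open
    findings are right-censored (they stay 'at risk' up to their current age)
    instead of being ignored. Returns None if fewer than half the flaws have
    been fixed so far."""
    rows = sorted((age_days(f, as_of), f.closed is not None) for f in findings)
    survival, at_risk, i = 1.0, len(rows), 0
    while i < len(rows):
        t = rows[i][0]
        fixed = left = 0
        while i < len(rows) and rows[i][0] == t:  # group ties at age t
            fixed += rows[i][1]
            left += 1
            i += 1
        if fixed:
            survival *= 1 - fixed / at_risk
            if survival <= 0.5:
                return t
        at_risk -= left
    return None


if __name__ == "__main__":
    for name, value in debt_kpis(FINDINGS, REPORT_DATE).items():
        print(f"{name:28s} {value:6.1%}")
    print("naive median time-to-fix:", naive_median_fix_days(FINDINGS, REPORT_DATE), "days")
    print("KM remediation half-life:", half_life_days(FINDINGS, REPORT_DATE), "days")
```

On the constructed sample, the closed-only median says flaws are fixed in 60 days, while the Kaplan-Meier half-life is 136 days, because four of the nine findings are still open and the oldest is over a year old. Run against a real findings export, the same functions give the "applications with year-old flaws", "critical debt" and "third-party share" figures the report quotes, split by application or team for accountability.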