CISA KEV severity spike
- CISA's Known Exploited Vulnerabilities roster continues to record high‑impact exploits across vendors.
- Of 35 recently tracked CVEs, 34 were observed exploited, averaging a CVSS score of 9.05, including at least one 10.0.
- The trend pressures organizations to speed automated discovery and remediation across enterprise inventories.
CISA’s list of software flaws already used in real attacks keeps filling with severe bugs, not just isolated one-offs. (cisa.gov) The Known Exploited Vulnerabilities catalog is CISA’s running list of Common Vulnerabilities and Exposures, or CVEs, with reliable evidence that attackers used them against public or private organizations. The catalog showed 1,569 entries on April 20, 2026. (cisa.gov)

CISA added seven new entries on April 13, 2026, including flaws in Microsoft Exchange Server, Microsoft Windows, Adobe Acrobat and Reader, and Fortinet FortiClientEMS. It added two more on April 14, including one in Microsoft SharePoint Server and one in Microsoft Office dating back to 2009. (cisa.gov, cisa.gov) Another five entries landed on March 20, 2026, spanning Apple products, Craft CMS, and Laravel Livewire. That mix shows the catalog is not concentrated in one vendor or one kind of software. (cisa.gov)

The catalog exists because CISA’s Binding Operational Directive 22-01, issued on November 3, 2021, requires federal civilian executive branch agencies to fix listed vulnerabilities by set deadlines. CISA says the directive covers software and hardware on agency systems, including systems hosted by third parties on an agency’s behalf. (cisa.gov) CISA says the point of the catalog is prioritization, not exhaustive patching of every published flaw at once. The agency tells organizations to use KEV as an input to vulnerability management because the listed bugs are “causing immediate harm based on adversary activity.” (cisa.gov)

Severity scores help explain why many of these additions draw attention, but they do not tell the whole story. The National Vulnerability Database says the Common Vulnerability Scoring System, or CVSS, measures technical severity and “is not a measure of risk.” (nvd.nist.gov) Some recent KEV additions still carry very high technical scores. NIST’s database lists Fortinet’s CVE-2026-21643 as an unauthenticated SQL injection bug that can lead to unauthorized code or command execution, and the CVSS v3.1 vector NVD records for it corresponds to a base score of 9.8. (nvd.nist.gov, nvd.nist.gov)

Other entries illustrate a second problem: old bugs do not disappear when vendors move on. CISA added CVE-2009-0238 to KEV on April 14, 2026, showing that attackers still find value in long-known weaknesses when organizations leave aging software in place. (cisa.gov, cisa.gov)

Security teams often pair KEV with probability models that estimate what gets exploited next. FIRST’s Exploit Prediction Scoring System, or EPSS, estimates the probability that a published CVE will be exploited in the next 30 days, giving defenders a second filter alongside KEV and CVSS. (first.org)

The operational problem is inventory before patching: an organization cannot remediate a KEV entry if it does not know where the affected product is running. CISA says all organizations, not only federal agencies, should prioritize timely remediation of KEV-listed flaws as part of routine vulnerability management. (cisa.gov, cisa.gov)
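One way to turn those three inputs, KEV membership, CVSS and EPSS, plus an asset inventory into a ranked worklist, as an added example that is not part of the original page and not a CISA or FIRST tool. It parses a catalog in the shape of CISA's known_exploited_vulnerabilities.json feed (the field names cveID, vendorProject, product, dateAdded and dueDate are the feed's own), computes CVSS v3.1 base scores from vector strings with the formulas in the FIRST specification so the reader can see how a vector becomes 9.8, then joins scanner findings to the catalog and to EPSS probabilities. KEV-listed findings always rank first, which is the ordering the page's sources argue for, and any KEV entry with no matching asset is reported separately as an inventory gap. The catalog entries' due dates, the EPSS values, the host names and the vector attributed to CVE-2026-21643 are constructed for the example rather than taken from the page or the feeds, and CVE-0000-00001 is a placeholder identifier, not a real CVE.

```python
"""Added example: rank remediation work from KEV, CVSS v3.1, EPSS and an inventory.
All sample inputs below are constructed for the example, not real feed data."""
import json
import math
from datetime import date

# CVSS v3.1 base-metric weights, as tabulated in the FIRST specification.
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def _roundup(x: float) -> float:
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, computed on
    integers so floating-point noise cannot flip the last digit."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss31_base_score(vector: str) -> float:
    """Compute the CVSS v3.1 base score encoded by a vector string."""
    prefix, *metrics = vector.split("/")
    if prefix != "CVSS:3.1":
        raise ValueError(f"not a CVSS v3.1 vector: {vector}")
    m = dict(item.split(":") for item in metrics)
    changed = m["S"] == "C"
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    pr = (_PR_CHANGED if changed else _PR_UNCHANGED)[m["PR"]]
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = 1.08 * (impact + exploitability) if changed else impact + exploitability
    return _roundup(min(total, 10))


# Constructed KEV-shaped feed; dueDate values are assumptions, not catalog values.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClientEMS",
     "dateAdded": "2026-04-13", "dueDate": "2026-05-04"},
    {"cveID": "CVE-2009-0238", "vendorProject": "Microsoft", "product": "Office",
     "dateAdded": "2026-04-14", "dueDate": "2026-05-05"},
]})
# Constructed scanner findings: one row per (host, CVE). CVE-0000-00001 is a
# placeholder identifier for the example, not a real CVE.
INVENTORY = [
    {"host": "ems01", "cve": "CVE-2026-21643"},
    {"host": "ems02", "cve": "CVE-2026-21643"},
    {"host": "web03", "cve": "CVE-0000-00001"},
]
EPSS = {"CVE-2026-21643": 0.93, "CVE-0000-00001": 0.40}  # constructed probabilities
VECTORS = {  # assumed vectors; the first is the usual unauthenticated network RCE vector
    "CVE-2026-21643": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "CVE-0000-00001": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
}


def build_worklist(kev_json, inventory, epss, vectors, today_iso):
    """Rank findings: KEV-listed first (earliest due date wins), then EPSS, then
    CVSS. Also return KEV entries no finding matches; those need inventory work
    before anyone can patch them."""
    today = date.fromisoformat(today_iso)
    kev = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    rows = []
    for finding in inventory:
        cve = finding["cve"]
        entry = kev.get(cve)
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        rows.append({
            "host": finding["host"], "cve": cve, "kev": entry is not None,
            "due": due, "overdue": due is not None and due < today,
            "epss": epss.get(cve, 0.0),
            "cvss": cvss31_base_score(vectors[cve]) if cve in vectors else None,
        })
    rows.sort(key=lambda r: (not r["kev"], r["due"] or date.max,
                             -r["epss"], -(r["cvss"] or 0.0)))
    covered = {f["cve"] for f in inventory}
    unmatched = sorted(c for c in kev if c not in covered)
    return rows, unmatched


if __name__ == "__main__":
    rows, gaps = build_worklist(KEV_JSON, INVENTORY, EPSS, VECTORS, "2026-04-20")
    for r in rows:
        print(f'{r["host"]:6} {r["cve"]:15} kev={r["kev"]!s:5} due={r["due"]} '
              f'overdue={r["overdue"]!s:5} epss={r["epss"]:.2f} cvss={r["cvss"]}')
    print("KEV entries with no matching asset (inventory gap):", gaps)
```

Run as written, the placeholder finding scores 10.0 but sorts last because it is not in the catalog, while the two FortiClientEMS hosts come first with the catalog due date attached; CVE-2009-0238 appears only in the gap list, since no scanner row places it, which is the inventory-before-patching problem in concrete form. In production the catalog would be fetched from CISA's JSON feed and the probabilities from FIRST's EPSS data rather than embedded.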