Skip to main content
The Known Exploited Vulnerabilities Catalog published by CISA is an authoritative list of vulnerabilities that have been exploited in the wild. All the vulnerabilities on this list should be prioritized as top threats. CISA KEV currently includes around 1300 vulnerabilities, most of which are vendor specific. Surprisingly, even older vulnerabilities can land the list long after their original publication date. For example, CVE-2022-2586, first published in August 2022, was only added to the CISA KEV list in June 2024.

Exploitability label

In Minimus, vulnerabilities on the CISA KEV catalog are labeled as active exploits.

Remediation due dates

Federal agencies are required to patch vulnerabilities that appear in the CISA KEV list within a certain time frame. The due date is published for every vulnerability on the list. Generally, everyone is encouraged to follow the same due dates, even if not required by law.
Last modified on March 23, 2026