Known Exploited Vulnerabilities

Curated + enriched signals for rapid prioritization

{ } JSON RSS PRO

0.7%

actively
exploited

Focus on what’s exploited

Out of 352,641 known CVEs, only 0.7% show real-world exploitation signals.

Data from public sources (including CISA) plus private honeypots, enriched with prioritization metadata.

View stats Report a KEV

2,555

Total Known exploited

103

Added this week

938

More than CISA KEV

Search

Results update as you type.

⌘K

Added

Exploitability

Type to search. Filters apply instantly.

CVE	Severity	Title	Vendor	Product	Added
CVE-2025-43510	7.8 High	A memory corruption issue was addressed with improved lock state checking. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS... 1 day faster than CISA KEV Low complexity	Apple	iOS and iPadOS, macOS, tvOS, visionOS, watchOS	10 days ago
CVE-2025-32432	10.0 Critical	Craft CMS Allows Remote Code Execution 1 day faster than CISA KEV Remote Low complexity No user interaction	craftcms	cms	10 days ago
CVE-2026-20131	10.0 Critical	Cisco Secure Firewall Management Center Software Remote Code Execution Vulnerability 1 day faster than CISA KEV Malware Remote Low complexity No user interaction	Cisco	Cisco Secure Firewall Management Center (FMC)	10 days ago
CVE-2026-20963	9.8 Critical	Microsoft SharePoint Remote Code Execution Vulnerability 1 day faster than CISA KEV Remote Low complexity No user interaction	Microsoft	Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, Microsoft SharePoint Server Subscription Edition	10 days ago
CVE-2025-66376	7.2 High	Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import... 1 day faster than CISA KEV Remote Low complexity No user interaction	Zimbra	Collaboration	10 days ago
CVE-2025-47813	4.3 Medium	loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie. 1 day faster than CISA KEV Remote Low complexity No user interaction	wftpserver	Wing FTP Server	10 days ago
CVE-2026-3910	8.8 High	Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via... 1 day faster than CISA KEV Remote Low complexity	Google	Chrome	10 days ago
CVE-2026-3909	8.8 High	Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted... 1 day faster than CISA KEV Remote Low complexity	Google	Chrome	10 days ago
CVE-2026-20118	6.8 Medium	Cisco IOS-XR NCS 5500 and NCS 5700 Egress Packet Network Interfaces Aligner Interrupt Denial of Service Vulnerability Remote No user interaction	Cisco	Cisco IOS XR Software	10 days ago
CVE-2025-68613	9.9 Critical	n8n Vulnerable to Remote Code Execution via Expression Injection 1 day faster than CISA KEV Remote Low complexity No user interaction	n8n-io	n8n	10 days ago
CVE-2026-1603	8.6 High	An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored... 1 day faster than CISA KEV Remote Low complexity No user interaction	Ivanti	Endpoint Manager	10 days ago
CVE-2025-26399	9.8 Critical	SolarWinds Web Help Desk Deserialization of Untrusted Data Privilege Escalation Vulnerability 1 day faster than CISA KEV Remote Low complexity No user interaction	SolarWinds	Web Help Desk	10 days ago
CVE-2021-22054	7.5 High	VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37... 1 day faster than CISA KEV Remote Low complexity No user interaction	VMware	Workspace ONE UEM	10 days ago
CVE-2023-41974	7.8 High	A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 17 and iPadOS 17, iOS 15.8.7 and iPadOS 15.8.7. An... 1 day faster than CISA KEV Low complexity	Apple	iOS and iPadOS	10 days ago
CVE-2021-30952	7.8 High	An integer overflow was addressed with improved input validation. This issue is fixed in tvOS 15.2, macOS Monterey 12.1, Safari 15.2, iOS 15.2 and... 1 day faster than CISA KEV Low complexity	Apple	watchOS, iOS and iPadOS, macOS	10 days ago
CVE-2021-22681	9.8 Critical	Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers... 1 day faster than CISA KEV Remote Low complexity No user interaction	Rockwell Automation	Studio 5000 Logix Designer, RSLogix 5000	10 days ago
CVE-2017-7921	9.8 Critical	An Improper Authentication issue was discovered in Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series... 1 day faster than CISA KEV Remote Low complexity No user interaction	Hikvision	DS-2CD2xx2F-I Series, DS-2CD2xx0F-I Series, DS-2CD2xx2FWD Series, DS-2CD4x2xFWD Series, DS-2CD4xx5 Series, DS-2DFx Series, DS-2CD63xx Series	10 days ago
CVE-2026-22719	8.1 High	VMware Aria Operations command injection vulnerability 1 day faster than CISA KEV Remote No user interaction	VMware	VMware Aria Operations, VMware Cloud Foundation Operations, Telco Cloud Platform, Telco Cloud Infrastructure	10 days ago
CVE-2026-21385	7.8 High	Integer Overflow or Wraparound in Graphics 1 day faster than CISA KEV Low complexity No user interaction	Qualcomm, Inc.	Snapdragon	10 days ago
CVE-2026-20127	10.0 Critical	Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability 1 day faster than CISA KEV Remote Low complexity No user interaction	Cisco	Cisco Catalyst SD-WAN Manager	10 days ago
CVE-2026-20051	7.4 High	Cisco Nexus 3600-R and 9500-R Series Switching Platforms Layer 2 Loop Denial of Service Vulnerability Low complexity No user interaction	Cisco	Cisco NX-OS Software	10 days ago
CVE-2022-20775	7.8 High	Cisco SD-WAN Software Privilege Escalation Vulnerability 1 day faster than CISA KEV Low complexity No user interaction	Cisco	Cisco Catalyst SD-WAN, Cisco Catalyst SD-WAN Manager, Cisco SD-WAN vContainer, Cisco SD-WAN vEdge Cloud, Cisco SD-WAN vEdge Router	10 days ago
CVE-2026-25108	8.7 High	FileZen contains an OS command injection vulnerability. When FileZen Antivirus Check Option is enabled, a logged-in user may send a specially... 1 day faster than CISA KEV Remote Low complexity No user interaction	Soliton Systems K.K.	FileZen	10 days ago
CVE-2025-68461	7.2 High	Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document. 1 day faster than CISA KEV Remote Low complexity No user interaction	Roundcube	Webmail	10 days ago
CVE-2025-49113	9.9 Critical	Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is... 1 day faster than CISA KEV Remote Low complexity No user interaction	Roundcube	Webmail	10 days ago

Displaying vulnerabilities 101 - 125 of 2555 in total

KEVIntel

Known Exploited Vulnerability Intelligence Beyond CISA KEV

Prioritize the vulnerabilities attackers are actually exploiting—before they impact your organization.

KEVIntel is known exploited vulnerability intelligence that aggregates, attests, enriches, and distributes exploited-CVE data. It is not a CISA KEV mirror alone. The service includes the official catalog as a baseline and extends coverage with additional exploited-CVE attestations, evidence links, enrichment, and automation-ready delivery through the live feed above, RSS, JSON, and the Pro API.

Aggregated & attested

Exploitation signals from 60+ public sources, vendor advisories, and private honeypots—validated against credible evidence.

Enriched for prioritization

Every CVE joined with EPSS, CVSS, CWE, proof-of-concept references, and Nuclei/Metasploit context.

Automation-ready delivery

Live feed, RSS, JSON, and Pro API for VM, CTI, SOC, and MSSP workflows.

The AI vulnerability tsunami is accelerating disclosure

Hundreds of thousands of CVEs exist in the National Vulnerability Database and vendor advisories, and AI-assisted discovery is accelerating that volume further. CVSS scores describe theoretical severity, but severity is not the same as exploitation. Many high-severity vulnerabilities are never exploited in the wild, while some actively exploited flaws may be under-prioritized if teams rely on CVSS-only prioritization.

Only a small fraction of published CVEs ever show real-world exploitation signals. Security teams cannot remediate everything at once. Exploitation-led prioritization focuses limited patching, detection, and analyst time on CVEs with evidence-backed exploitation—not on vulnerability noise.

Disclosed vulnerabilities Actively exploited

352,641+ and growing

Only 0.7% of disclosed CVEs show real-world exploitation signals — and that sliver is the operationally urgent work.

Focus on the signal, not the noise. KEVIntel helps you identify the vulnerabilities attackers are actually using—so vulnerability management, CTI, SOC, MSSP, and exposure-management teams can prioritize remediation on real exploitation, not scanner volume alone.

CISA KEV is essential. It is not the whole picture.

KEVIntel extends your visibility beyond CISA KEV. CISA KEV is authoritative and valuable; KEVIntel complements it with additional exploited-CVE coverage, RSS delivery, global honeypot telemetry, enrichment, and automation-ready Pro API access. See the full KEVIntel vs CISA KEV comparison.

CISA KEV

No RSS feed
Tracks vulnerabilities in CISA KEV
Curated by CISA

KEVIntel

RSS feed for real-time updates
CISA KEV plus 938+ more exploited in the wild
Independent intelligence from global honeypots, EPSS, CVSS, CWE, PoCs, and Nuclei/Metasploit context

Use CISA KEV. Go further with KEVIntel. Complete visibility, faster prioritization, stronger defenses—with exploitation timelines, source evidence, and platform statistics to back every decision.

From global telemetry to actionable intelligence

KEVIntel follows a simple pipeline: Collect, Attest, Enrich, Deliver. Each exploited CVE links to source material so analysts can verify why it was included and move from signal to action faster.

Collect

Global honeypot networks, CISA KEV, vendor advisories, cyber RSS feeds, and public reporting observe real-world exploitation attempts around the clock.
Attest

Validate exploitation with credible evidence—CISA KEV listings, advisories documenting active exploitation, honeypot observations, and defensible references—to separate signal from noise.
Enrich

Correlate each CVE with EPSS, CVSS, CWE, proof-of-concept references, Nuclei and Metasploit scanner context, online mentions, vendor metadata, and exploitation timelines.
Deliver

Actionable intelligence via this live feed, RSS, JSON, and the Pro API—ready for vulnerability management, CTI, SOC, SIEM/SOAR, MSSP, and exposure-management workflows.

Prioritize what matters

Reduce false positives

Strengthen defenses

Stay ahead of attackers