Known Exploited Vulnerabilities

Curated + enriched signals for rapid prioritization

{ } JSON RSS PRO

0.7%

actively
exploited

Focus on what’s exploited

Out of 352,641 known CVEs, only 0.7% show real-world exploitation signals.

Data from public sources (including CISA) plus private honeypots, enriched with prioritization metadata.

View stats Report a KEV

2,555

Total Known exploited

103

Added this week

938

More than CISA KEV

Search

Results update as you type.

⌘K

Added

Exploitability

Type to search. Filters apply instantly.

CVE	Severity	Title	Vendor	Product	Added
CVE-2021-26085	5.3 Medium	Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read... Malware Remote Low complexity No user interaction	Atlassian	Confluence Server, Confluence Data Center	about 4 years ago
CVE-2021-20028	9.8 Critical	Improper neutralization of a SQL Command leading to SQL Injection vulnerability impacting end-of-life Secure Remote Access (SRA) products,... Malware Remote Low complexity No user interaction	SonicWall	SonicWall SRA/SMA100	about 4 years ago
CVE-2016-1555	9.8 Critical	(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear WN604 before 3.3.3 and... Remote Low complexity No user interaction	Netgear	WN604, WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, WNDAP660	about 4 years ago
CVE-2016-7892	8.8 High	Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the TextField... Remote Low complexity	Adobe	Adobe Flash Player 23.0.0.207 and earlier, 11.2.202.644 and earlier	about 4 years ago
CVE-2016-4171	9.8 Critical	Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier allows remote attackers to execute arbitrary code via unknown vectors, as... Remote Low complexity No user interaction	Adobe	Flash Player	about 4 years ago
CVE-2016-11021	7.2 High	setSystemCommand on D-Link DCS-930L devices before 2.12 allows a remote attacker to execute code via an OS command in the SystemCommand parameter. Remote Low complexity No user interaction	D-Link	DCS-930L	about 4 years ago
CVE-2016-10174	9.8 Critical	The NETGEAR WNR2000v5 router contains a buffer overflow in the hidden_lang_avi parameter when invoking the URL /apply.cgi?/lang_check.html. This... Remote Low complexity No user interaction	NETGEAR	WNR2000v5 router	about 4 years ago
CVE-2016-0752	7.5 High	Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x... Remote Low complexity No user interaction	Ruby on Rails	Action View	about 4 years ago
CVE-2015-4068	9.1 Critical	Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive information or cause a denial of... Remote Low complexity No user interaction	Arcserve	UDP	about 4 years ago
CVE-2015-3035	7.5 High	Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before 150304, and C8 (1.0) with... Remote Low complexity No user interaction	TP-LINK	Archer C5, Archer C7, Archer C8, Archer C9, TL-WDR3500, TL-WDR3600, TL-WDR4300, TL-WR740N, TL-WR741ND, TL-WR841N, TL-WR841ND	about 4 years ago
CVE-2015-1427	9.8 Critical	The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism... Remote Low complexity No user interaction	Elastic	Elasticsearch	about 4 years ago
CVE-2015-1187	9.8 Critical	The ping tool in multiple D-Link and TRENDnet devices allow remote attackers to execute arbitrary code via the ping_addr parameter to ping.ccp. Remote Low complexity No user interaction	D-Link	multiple devices	about 4 years ago
CVE-2015-0666	7.5 High	Directory traversal vulnerability in the fmserver servlet in Cisco Prime Data Center Network Manager (DCNM) before 7.1(1) allows remote attackers... Remote Low complexity No user interaction	Cisco	Prime Data Center Network Manager	about 4 years ago
CVE-2014-6332	8.8 High	OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows... Remote Low complexity	Microsoft	Windows	about 4 years ago
CVE-2014-6324	8.8 High	The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7... Remote Low complexity No user interaction	Microsoft	Windows	about 4 years ago
CVE-2014-6287	9.8 Critical	The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aks HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to... Remote Low complexity No user interaction	Rejetto	HTTP File Server	about 4 years ago
CVE-2014-3120	8.1 High	The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL... Remote Low complexity No user interaction	Elastic	Elasticsearch	about 4 years ago
CVE-2014-0130	7.5 High	Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before... Remote Low complexity No user interaction	Ruby on Rails	Ruby on Rails	about 4 years ago
CVE-2013-5223	5.4 Medium	Multiple cross-site scripting (XSS) vulnerabilities in D-Link DSL-2760U Gateway (Rev. E1) allow remote authenticated users to inject arbitrary web... Remote Low complexity	D-Link	DSL-2760U Gateway	about 4 years ago
CVE-2013-4810	9.8 Critical	HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote... Remote Low complexity No user interaction	HP	ProCurve Manager	about 4 years ago
CVE-2013-2251	9.8 Critical	Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2)... Remote Low complexity No user interaction	Apache	Struts	about 4 years ago
CVE-2012-1823	9.8 Critical	sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query... Remote Low complexity No user interaction	PHP	PHP	about 4 years ago
CVE-2010-4345	7.8 High	Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate... Low complexity No user interaction	Exim	Exim	about 4 years ago
CVE-2010-4344	9.8 Critical	Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an... Remote Low complexity No user interaction	Exim	Exim	about 4 years ago
CVE-2010-3035	7.5 High	Cisco IOS XR 3.4.0 through 3.9.1, when BGP is enabled, does not properly handle unrecognized transitive attributes, which allows remote attackers... Remote Low complexity No user interaction	Cisco	IOS XR	about 4 years ago

Displaying vulnerabilities 1826 - 1850 of 2555 in total

KEVIntel

Known Exploited Vulnerability Intelligence Beyond CISA KEV

Prioritize the vulnerabilities attackers are actually exploiting—before they impact your organization.

KEVIntel is known exploited vulnerability intelligence that aggregates, attests, enriches, and distributes exploited-CVE data. It is not a CISA KEV mirror alone. The service includes the official catalog as a baseline and extends coverage with additional exploited-CVE attestations, evidence links, enrichment, and automation-ready delivery through the live feed above, RSS, JSON, and the Pro API.

Aggregated & attested

Exploitation signals from 60+ public sources, vendor advisories, and private honeypots—validated against credible evidence.

Enriched for prioritization

Every CVE joined with EPSS, CVSS, CWE, proof-of-concept references, and Nuclei/Metasploit context.

Automation-ready delivery

Live feed, RSS, JSON, and Pro API for VM, CTI, SOC, and MSSP workflows.

The AI vulnerability tsunami is accelerating disclosure

Hundreds of thousands of CVEs exist in the National Vulnerability Database and vendor advisories, and AI-assisted discovery is accelerating that volume further. CVSS scores describe theoretical severity, but severity is not the same as exploitation. Many high-severity vulnerabilities are never exploited in the wild, while some actively exploited flaws may be under-prioritized if teams rely on CVSS-only prioritization.

Only a small fraction of published CVEs ever show real-world exploitation signals. Security teams cannot remediate everything at once. Exploitation-led prioritization focuses limited patching, detection, and analyst time on CVEs with evidence-backed exploitation—not on vulnerability noise.

Disclosed vulnerabilities Actively exploited

352,641+ and growing

Only 0.7% of disclosed CVEs show real-world exploitation signals — and that sliver is the operationally urgent work.

Focus on the signal, not the noise. KEVIntel helps you identify the vulnerabilities attackers are actually using—so vulnerability management, CTI, SOC, MSSP, and exposure-management teams can prioritize remediation on real exploitation, not scanner volume alone.

CISA KEV is essential. It is not the whole picture.

KEVIntel extends your visibility beyond CISA KEV. CISA KEV is authoritative and valuable; KEVIntel complements it with additional exploited-CVE coverage, RSS delivery, global honeypot telemetry, enrichment, and automation-ready Pro API access. See the full KEVIntel vs CISA KEV comparison.

CISA KEV

No RSS feed
Tracks vulnerabilities in CISA KEV
Curated by CISA

KEVIntel

RSS feed for real-time updates
CISA KEV plus 938+ more exploited in the wild
Independent intelligence from global honeypots, EPSS, CVSS, CWE, PoCs, and Nuclei/Metasploit context

Use CISA KEV. Go further with KEVIntel. Complete visibility, faster prioritization, stronger defenses—with exploitation timelines, source evidence, and platform statistics to back every decision.

From global telemetry to actionable intelligence

KEVIntel follows a simple pipeline: Collect, Attest, Enrich, Deliver. Each exploited CVE links to source material so analysts can verify why it was included and move from signal to action faster.

Collect

Global honeypot networks, CISA KEV, vendor advisories, cyber RSS feeds, and public reporting observe real-world exploitation attempts around the clock.
Attest

Validate exploitation with credible evidence—CISA KEV listings, advisories documenting active exploitation, honeypot observations, and defensible references—to separate signal from noise.
Enrich

Correlate each CVE with EPSS, CVSS, CWE, proof-of-concept references, Nuclei and Metasploit scanner context, online mentions, vendor metadata, and exploitation timelines.
Deliver

Actionable intelligence via this live feed, RSS, JSON, and the Pro API—ready for vulnerability management, CTI, SOC, SIEM/SOAR, MSSP, and exposure-management workflows.

Prioritize what matters

Reduce false positives

Strengthen defenses

Stay ahead of attackers