KEV Compare

Compare Known Exploited Vulnerabilities catalogs across publishers (CISA, ENISA, CIRCL, and future sources). Explore overlap, unique coverage, and who listed a vulnerability first.

Unique vuln IDs (union)
1,531
Sources
3
Avg sources per vuln
1.02
Top overlap
CISA & ENISA
18 shared (1.2% Jaccard)

KEVs added (cumulative by month)

3 sources
Loading chart...

Coverage overview

CISA
1,526 KEVs
1,505
Exclusive: 1,505 Shared: 21
ENISA
23 KEVs
Exclusive: 4 Shared: 19
CIRCL
5 KEVs
Exclusive: 0 Shared: 5

Sources

3 total
CISA
2021-11-031,52629.351,50521
ENISA
2025-01-17231.77419
CIRCL
2025-01-0150.3605
First KEV: earliest date_added for that source.
Avg/mo: average new KEVs per month (from first KEV month to latest).
Only here: listed by that source only. Shared: also in at least one other source.

Pairwise overlap

Coverage
CISAvsENISA
18
1.2%
CISA:1.2%
ENISA:78.3%
CISA:17
ENISA:0
Tie:1
CIRCLvsCISA
4
0.3%
CIRCL:80.0%
CISA:0.3%
CIRCL:0
CISA:2
Tie:2
CIRCLvsENISA
2
7.7%
CIRCL:40.0%
ENISA:8.7%
CIRCL:0
ENISA:2
Jaccard: shared / (A + B - shared) (similarity).
Coverage: % of source's KEVs that are shared with the other.
Listed first: among shared CVEs, how many each source listed before the other.

What are Known Exploited Vulnerabilities (KEV) catalogs?

Known Exploited Vulnerabilities (KEV) catalogs are curated lists of CVEs that have been observed being actively exploited in the wild. Unlike the full NVD database, which contains over 250,000 vulnerabilities, KEV catalogs focus exclusively on threats that pose a real, demonstrated risk to organizations. This makes them essential for vulnerability prioritization and patch management.

Who publishes KEV catalogs?

Several organizations maintain their own KEV catalogs, each with different criteria, geographic focus, and update cadence:

  • CISA (Cybersecurity and Infrastructure Security Agency) — the original and most widely adopted KEV catalog, mandated for US federal agencies under BOD 22-01.
  • ENISA (European Union Agency for Cybersecurity) — the EU equivalent, contributing a European perspective on actively exploited vulnerabilities.
  • CIRCL (Computer Incident Response Center Luxembourg) — a CERT-based catalog with a focus on European and international threat intelligence.

Why compare KEV catalogs?

No single catalog captures every actively exploited vulnerability. Each publisher has different intelligence sources, geographic priorities, and inclusion criteria. By comparing catalogs side-by-side, security teams can identify coverage gaps, discover which source lists a CVE first, and build a more comprehensive view of the threat landscape. The overlap analysis (Jaccard similarity and pairwise coverage) quantifies how much agreement exists between publishers, while the "listed first" metric reveals which source tends to react fastest to emerging threats.

How is this data computed?

CveMate aggregates KEV entries from all supported publishers into a unified graph database. Each vulnerability is linked to every catalog that lists it, along with the date it was added. Statistics such as exclusive counts, overlap intersections, Jaccard similarity scores, and first-lister analysis are computed in real time from this unified dataset. The cumulative chart tracks how each catalog has grown over time, providing a historical view of their respective coverage trajectories.