KEV Compare
Compare Known Exploited Vulnerabilities catalogs across publishers (CISA, ENISA, CIRCL, and future sources). Explore overlap, unique coverage, and who listed a vulnerability first.
KEVs added (cumulative)
Coverage overview
KEV catalogs tracked by CveMate
| Catalog | Publisher | KEVs | Avg/mo | Exclusive | Shared | Since | Scope |
|---|---|---|---|---|---|---|---|
CISA | Cybersecurity and Infrastructure Security Agency (US) | 1,601 | 29.11 | 1,571 | 30 | 2021-11-03 | US federal / global |
ENISA | European Union Agency for Cybersecurity (EU) | 26 | — | 4 | 22 | — | EU member states |
CIRCL | Computer Incident Response Center Luxembourg | 12 | 0.71 | 2 | 10 | 2025-01-01 | EU / international |
| Union (all catalogs) | 1,607 | ||||||
Pairwise overlap
| Coverage | ||||
|---|---|---|---|---|
CISAvsENISA | 22 | 1.4% | CISA:1.4% ENISA:84.6% | — |
CIRCLvsCISA | 10 | 0.6% | CIRCL:83.3% CISA:0.6% | CIRCL:1 CISA:6 Tie:3 |
CIRCLvsENISA | 2 | 5.6% | CIRCL:16.7% ENISA:7.7% | — |
Latest 50 vulnerabilities added to KEV catalogs
| Vuln ID | Severity | Vendor / Product | Fix | CVE Published | KEV Sources | KEV Added |
|---|---|---|---|---|---|---|
| CVE-2026-34926 | 6.7 MEDIUM | trend micro, inc./trendai apex one | — | 2026-05-21 | CISA | 2026-05-21 |
| CVE-2025-34291 | 9.4 CRITICAL | langflow/langflow | — | 2025-12-05 | CISA | 2026-05-21 |
| CVE-2009-1537 | 9.3 HIGH | Microsoft/DirectX | — | 2009-05-29 | CISA | 2026-05-20 |
| CVE-2010-0249 | 9.3 HIGH | Microsoft/Internet Explorer | — | 2010-01-15 | CISA | 2026-05-20 |
| CVE-2010-0806 | 9.3 HIGH | Microsoft/Internet Explorer | — | 2010-03-10 | CISA | 2026-05-20 |
| CVE-2026-41091 | 7.8 HIGH | Microsoft/Malware Protection Engine | — | 2026-05-20 | CISA | 2026-05-20 |
| CVE-2008-4250 | 10 HIGH | microsoft/windows_2000 | — | 2008-10-23 | CISA | 2026-05-20 |
| CVE-2026-45498 | 7.5 HIGH | microsoft/defender_antimalware_platform | — | 2026-05-20 | CISA | 2026-05-20 |
| CVE-2009-3459 | 9.3 HIGH | Adobe/Acrobat | — | 2009-10-13 | CISA | 2026-05-20 |
| CVE-2026-42897 | 8.1 HIGH | Microsoft/Exchange Server | — | 2026-05-14 | CISA | 2026-05-15 |
| CVE-2026-20182 | 10 CRITICAL | Cisco/Catalyst SD-WAN Manager | — | 2026-05-14 | CISA | 2026-05-14 |
| CVE-2026-42208 | 9.8 CRITICAL | berriai/litellm | — | 2026-05-08 | CISA | 2026-05-08 |
| CVE-2026-6973 | 7.2 HIGH | Ivanti/Endpoint Manager Mobile | — | 2026-05-07 | CISA | 2026-05-07 |
| CVE-2026-0300 | 9.8 CRITICAL | Palo Alto Networks/PAN-OS | — | 2026-05-06 | CISA | 2026-05-06 |
| CVE-2026-31431 | 7.8 HIGH | amazon/amazon_linux | — | 2026-04-22 | CIRCL CISA | 2026-05-01 |
| CVE-2026-41940 | 9.8 CRITICAL | cpanel, l.l.c./cpanel & whm | — | 2026-04-29 | ENISA CISA | 2026-04-30 |
| CVE-2024-1708 | 8.4 HIGH | ConnectWise/ScreenConnect | — | 2024-02-21 | CISA | 2026-04-28 |
| CVE-2026-32202 | 4.3 MEDIUM | microsoft/windows_10_1607 | — | 2026-04-14 | CISA | 2026-04-28 |
| CVE-2025-29635 | 7.2 HIGH | dlink/dir-823x_firmware | — | 2025-03-25 | CISA | 2026-04-24 |
| CVE-2024-57728 | 7.2 HIGH | simple-help/simplehelp | — | 2025-01-15 | CISA | 2026-04-24 |
| CVE-2024-57726 | 9.9 CRITICAL | simple-help/simplehelp | — | 2025-01-15 | CISA | 2026-04-24 |
| CVE-2024-7399 | 9.8 CRITICAL | samsung electronics/magicinfo 9 server | — | 2024-08-09 | CISA | 2026-04-24 |
| CVE-2026-39987 | 9.8 CRITICAL | coreweave/marimo | — | 2026-04-09 | CISA | 2026-04-23 |
| CVE-2026-33825 | 7.8 HIGH | microsoft/defender_antimalware_platform | — | 2026-04-14 | CISA | 2026-04-22 |
| CVE-2026-20128 | 7.5 HIGH | Cisco/Catalyst SD-WAN Manager | — | 2026-02-25 | CISA | 2026-04-20 |
| CVE-2026-20122 | 5.4 MEDIUM | Cisco/Catalyst SD-WAN Manager | — | 2026-02-25 | CISA | 2026-04-20 |
| CVE-2023-27351 | 8.2 HIGH | papercut/ng | — | 2023-04-20 | CISA | 2026-04-20 |
| CVE-2024-27199 | 7.3 HIGH | JetBrains/TeamCity | — | 2024-03-04 | CISA | 2026-04-20 |
| CVE-2025-2749 | 7.2 HIGH | Kentico/Xperience | — | 2025-03-24 | CISA | 2026-04-20 |
| CVE-2025-32975 | 10 CRITICAL | quest/kace_systems_management_appliance | — | 2025-06-24 | CISA | 2026-04-20 |
| CVE-2026-20133 | 7.5 HIGH | Cisco/Catalyst SD-WAN Manager | — | 2026-02-25 | CISA | 2026-04-20 |
| CVE-2025-48700 | 6.1 MEDIUM | Synacor/Zimbra Collaboration Suite | — | 2025-06-23 | CISA | 2026-04-20 |
| CVE-2026-34197 | 8.8 HIGH | apache software foundation/apache activemq | — | 2026-04-07 | CISA | 2026-04-16 |
| CVE-2009-0238 | 9.3 HIGH | microsoft/excel | — | 2009-02-25 | CISA | 2026-04-14 |
| CVE-2026-32201 | 6.5 MEDIUM | microsoft/microsoft sharepoint enterprise server 2016 | — | 2026-04-14 | CISA | 2026-04-14 |
| CVE-2026-34621 | 8.6 HIGH | Adobe/Acrobat | — | 2026-04-11 | CISA | 2026-04-13 |
| CVE-2023-36424 | 7.8 HIGH | microsoft/windows_10_1507 | — | 2023-11-14 | CISA | 2026-04-13 |
| CVE-2020-9715 | 9.3 HIGH | adobe/acrobat_dc | — | 2020-08-19 | CISA | 2026-04-13 |
| CVE-2026-21643 | 9.8 CRITICAL | Fortinet/FortiClientEMS | — | 2026-02-06 | CISA | 2026-04-13 |
| CVE-2012-1854 | 7.8 HIGH | microsoft/office | — | 2012-07-10 | CISA | 2026-04-13 |
| CVE-2023-21529 | 8.8 HIGH | Microsoft/Exchange Server | — | 2023-02-14 | CISA | 2026-04-13 |
| CVE-2025-60710 | 7.8 HIGH | microsoft/windows_11_24h2 | — | 2025-11-11 | CISA | 2026-04-13 |
| CVE-2026-1340 | 9.8 CRITICAL | Ivanti/Endpoint Manager Mobile | — | 2026-01-29 | CIRCL ENISA CISA | 2026-02-03 |
| CVE-2026-35616 | 9.8 CRITICAL | Fortinet/FortiClientEMS | — | 2026-04-04 | CIRCL CISA | 2026-04-06 |
| CVE-2026-3502 | 7.8 HIGH | trueconf/trueconf | — | 2026-03-30 | CISA | 2026-04-02 |
| CVE-2026-5281 | 8.8 HIGH | Google/Chrome | — | 2026-04-01 | CISA | 2026-04-01 |
| CVE-2026-3055 | 9.8 CRITICAL | citrix/netscaler_application_delivery_controller | — | 2026-03-23 | CISA | 2026-03-30 |
| CVE-2025-53521 | 9.8 CRITICAL | F5/BIG-IP | — | 2025-10-15 | CISA | 2026-03-27 |
| CVE-2026-33634 | 9.4 CRITICAL | aquasec/setup-trivy | — | 2026-03-23 | CISA | 2026-03-26 |
| CVE-2026-33017 | 9.8 CRITICAL | langflow-ai/langflow | — | 2026-03-20 | CISA | 2026-03-25 |
What are Known Exploited Vulnerabilities (KEV) catalogs?
Known Exploited Vulnerabilities (KEV) catalogs are curated lists of CVEs that have been observed being actively exploited in the wild. Unlike the full NVD database, which contains over 250,000 vulnerabilities, KEV catalogs focus exclusively on threats that pose a real, demonstrated risk to organizations. This makes them essential for vulnerability prioritization and patch management.
Who publishes KEV catalogs?
Several organizations maintain their own KEV catalogs, each with different criteria, geographic focus, and update cadence:
- CISA (Cybersecurity and Infrastructure Security Agency) — the original and most widely adopted KEV catalog, mandated for US federal agencies under BOD 22-01.
- ENISA (European Union Agency for Cybersecurity) — the EU equivalent, contributing a European perspective on actively exploited vulnerabilities.
- CIRCL (Computer Incident Response Center Luxembourg) — a CERT-based catalog with a focus on European and international threat intelligence.
Why compare KEV catalogs?
No single catalog captures every actively exploited vulnerability. Each publisher has different intelligence sources, geographic priorities, and inclusion criteria. By comparing catalogs side-by-side, security teams can identify coverage gaps, discover which source lists a CVE first, and build a more comprehensive view of the threat landscape. The overlap analysis (Jaccard similarity and pairwise coverage) quantifies how much agreement exists between publishers, while the "listed first" metric reveals which source tends to react fastest to emerging threats.
How is this data computed?
CveMate aggregates KEV entries from all supported publishers into a unified graph database. Each vulnerability is linked to every catalog that lists it, along with the date it was added. Statistics such as exclusive counts, overlap intersections, Jaccard similarity scores, and first-lister analysis are computed in real time from this unified dataset. The cumulative chart tracks how each catalog has grown over time, providing a historical view of their respective coverage trajectories.