The CISA Known Exploited Vulnerabilities catalog answers a question that a raw vulnerability feed cannot: of the thousands of CVEs published, which ones are attackers actually using right now? The KEV catalog is CISA's managed list of vulnerabilities with reliable evidence of active exploitation in the wild, and inclusion in it carries a concrete obligation for U.S. federal civilian agencies. It was created by Binding Operational Directive 22-01, "Reducing the Significant Risk of Known Exploited Vulnerabilities", issued November 3, 2021.
The directive's own framing makes the catalog's purpose and authority explicit, and the sentence below is the load-bearing one.
"This directive establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise and establishes requirements for agencies to remediate any such vulnerabilities included in the catalog."
— CISA, Binding Operational Directive 22-01
Two design choices define the KEV catalog. The first is the inclusion criterion: a vulnerability is added only when there is reliable evidence it is being actively exploited (CISA also requires that the bug have an assigned CVE ID and clear remediation guidance before it is listed), which is why CISA describes the cataloged bugs as active threats rather than merely severe ones. The second is the obligation: BOD 22-01 sets remediation due dates for the federal civilian agencies it covers, turning the catalog from an advisory list into an enforceable patch schedule. As of its June 18, 2026 release (catalog version 2026.06.18), the catalog contained 1,623 entries, each a vulnerability with documented exploitation, a vendor and product, a date added, and a required remediation date.
Why KEV outranks a CVSS score
The most important conceptual shift the KEV catalog embodies is moving prioritization away from severity scores alone. The Common Vulnerability Scoring System (CVSS) rates how bad a vulnerability could be in theory, but a high CVSS score does not tell a defender whether anyone is exploiting the bug. CISA addresses that gap directly in the directive's guidance, explaining the reorientation in plain terms.
"BOD 22-01 shifts the focus to those vulnerabilities that are active threats. CISA acknowledges CVSS scoring can still be a part of an organization's vulnerability management efforts, especially with machine-to-machine communication and large-scale automation."
— CISA, Binding Operational Directive 22-01
The practical logic is one of finite remediation capacity. No organization can patch everything immediately, so the question is what to patch first. CVSS answers "how dangerous is this in principle"; KEV answers "is this being used against organizations now." A vulnerability that is already being exploited is the one most likely to be turned against the next target, whether its theoretical severity score is a 9.8 or a 7.5. CISA's own reasoning in the directive notes that vulnerabilities used to exploit public and private organizations are a frequent attack vector for malicious actors and pose significant risk, which is why aggressive remediation of known exploited vulnerabilities is treated as essential.
How to read the catalog
The KEV catalog is published as a machine-readable feed and updated as new evidence of exploitation emerges, so additions arrive throughout the year rather than on a fixed cadence. Each entry names the affected vendor and product, the CVE identifier, the date the vulnerability was added, a short description of the required action, and — for federal agencies — the due date by which it must be remediated. While the binding remediation requirement applies to federal civilian agencies, CISA strongly encourages all organizations to use the catalog as an input to their own prioritization, because the evidence of active exploitation it represents is equally relevant outside government.
The structured feed is what makes the catalog operational rather than merely informative. Because each entry carries a CVE identifier, a vendor, a product, and dates in a consistent format, defenders can join the KEV list against their own asset and vulnerability-management inventories automatically — surfacing exactly which systems in an environment carry a vulnerability that is currently being exploited. That machine-to-machine usability is the bridge between CISA's point that CVSS still has a role in large-scale automation and the directive's reorientation toward active threats: an organization can keep using CVSS for broad triage while treating a KEV listing as a hard signal to move a vulnerability to the front of the queue.
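The join described above, as an added example that is not part of the original page or of any CISA tooling. It parses a feed in the shape of the published KEV JSON (the field names cveID, vendorProject, product, dateAdded, requiredAction, dueDate and knownRansomwareCampaignUse follow the public feed but are assumptions here, not quoted from the page), matches it against a scanner-style list of (asset, CVE, CVSS) findings, and orders the result so that KEV-listed findings, overdue ones first, come ahead of anything ranked by CVSS alone. All CVE IDs, vendors, assets and dates in the sample are constructed placeholders.

```python
"""Join a KEV feed against a local vulnerability inventory and order remediation."""
import json
from datetime import date

# Constructed sample in the shape of the public KEV JSON feed. Field names follow
# the published feed (an assumption for this example); every entry, CVE ID,
# vendor and date below is a fictional placeholder, not a real KEV record.
SAMPLE_KEV_FEED = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2026.06.18",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleNet", "product": "Edge Gateway",
     "vulnerabilityName": "ExampleNet Edge Gateway Authentication Bypass",
     "dateAdded": "2026-05-20", "shortDescription": "Placeholder description.",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
     "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Known", "notes": "", "cwes": []},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleSoft", "product": "Log Analyzer",
     "vulnerabilityName": "ExampleSoft Log Analyzer Remote Code Execution",
     "dateAdded": "2026-06-18", "shortDescription": "Placeholder description.",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
     "dueDate": "2026-07-09", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": []},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleCMS", "product": "Editor Plugin",
     "vulnerabilityName": "ExampleCMS Editor Plugin Cross-Site Scripting",
     "dateAdded": "2026-06-01", "shortDescription": "Placeholder description.",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
     "dueDate": "2026-06-22", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": []}
  ]
}
"""

# Constructed scanner output: one row per (asset, CVE) finding with its CVSS base score.
SAMPLE_FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-0000-0001", "cvss": 7.5},
    {"asset": "log-01",    "cve": "CVE-0000-0002", "cvss": 9.8},
    {"asset": "web-03",    "cve": "CVE-0000-0004", "cvss": 9.8},  # not in KEV
    {"asset": "web-03",    "cve": "CVE-0000-0003", "cvss": 6.1},
    {"asset": "db-02",     "cve": "CVE-0000-0005", "cvss": 5.3},  # not in KEV
]


def load_kev(feed_json):
    """Parse a KEV feed and index its entries by CVE ID for O(1) lookup."""
    feed = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def prioritize(findings, kev, as_of):
    """Join findings against the KEV index and order them for remediation.

    KEV-listed findings come first, ordered by days until the federal due date
    (negative values are overdue and sort earliest); everything not in KEV is
    then ordered by CVSS, which is the page's "breadth" signal.
    """
    as_of_date = as_of if isinstance(as_of, date) else date.fromisoformat(as_of)
    rows = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        row = dict(finding, in_kev=entry is not None)
        if entry is not None:
            due = date.fromisoformat(entry["dueDate"])
            row.update(
                vendor=entry["vendorProject"],
                product=entry["product"],
                date_added=entry["dateAdded"],
                due_date=entry["dueDate"],
                days_to_due=(due - as_of_date).days,  # negative once overdue
                ransomware=entry.get("knownRansomwareCampaignUse") == "Known",
                required_action=entry["requiredAction"],
            )
        rows.append(row)

    def sort_key(row):
        if row["in_kev"]:
            return (0, row["days_to_due"], -row["cvss"])
        return (1, 0, -row["cvss"])

    return sorted(rows, key=sort_key)


def overdue(rows):
    """KEV-listed findings whose federal due date has already passed."""
    return [row for row in rows if row["in_kev"] and row["days_to_due"] < 0]


if __name__ == "__main__":
    kev_index = load_kev(SAMPLE_KEV_FEED)
    queue = prioritize(SAMPLE_FINDINGS, kev_index, as_of="2026-06-18")
    for row in queue:
        if row["in_kev"]:
            status = f"KEV due {row['due_date']} ({row['days_to_due']:+d}d)"
        else:
            status = "no recorded exploitation; rank by CVSS"
        print(f"{row['asset']:<10} {row['cve']:<15} CVSS {row['cvss']:<4} {status}")
```

Run as is, the constructed KEV entry with a CVSS of 7.5 lands at the top of the queue ahead of the two 9.8 findings, one of which is not in KEV at all, which is the reordering the directive asks for. Against the live catalog you would replace SAMPLE_KEV_FEED with the JSON CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json (the published feed location, not a URL from this page) and SAMPLE_FINDINGS with your scanner's export; the join itself does not change.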
The growth of the catalog is itself informative. The 1,623 entries in the June 18, 2026 version span operating systems, network appliances, web applications, and plugins; recent additions have included products as varied as enterprise log-analysis software, content-management editors, and hosting-control-panel plugins, underscoring that active exploitation is not confined to any one class of software. For a defender, that breadth is the argument for consulting the catalog directly rather than assuming exploitation is concentrated in the highest-profile vendors.
One limitation is worth stating plainly so the catalog is read for what it is. Absence from the KEV list does not mean a vulnerability is safe; it means CISA has not recorded reliable evidence of active exploitation, which can lag real-world activity or simply reflect that exploitation has not yet been observed. KEV is a positive signal — a confirmed "this is being used" — not a negative one. That is precisely why CISA preserves a role for CVSS and broader vulnerability management alongside it: the catalog tells a defender which known threats are live, while other tools estimate the risk of the much larger universe of vulnerabilities for which exploitation has not been confirmed. Used together, KEV provides the urgency signal and CVSS-style scoring provides the breadth.
For a defender, the document-grounded takeaway is straightforward: the KEV catalog is the authoritative, CISA-maintained list of vulnerabilities known to be exploited in the wild, established with binding remediation force by BOD 22-01, and built to prioritize active threats over theoretical severity. When a new CVE appears in the catalog, that is the signal that it has moved from "could be exploited" to "is being exploited," and the directive's text — establishing the catalog and the obligation to remediate it — is the primary source for what that listing means.