What Is the CISA KEV List and Why Every Developer Should Check It
June 20, 2026·EOLCanary Team

There are hundreds of thousands of CVEs in the NVD. A small subset — roughly 1,100 as of mid-2026 — are actively being used in real attacks right now. The CISA Known Exploited Vulnerabilities catalog is the authoritative list of that subset.

What CISA is and why its list matters

CISA is the US Cybersecurity and Infrastructure Security Agency. The KEV catalog was created in November 2021 and is updated multiple times per week when new evidence of active exploitation is confirmed. Federal agencies are legally required to patch KEV entries within defined deadlines.

How a CVE gets added to the KEV list

CISA adds a CVE when three conditions are met: the vulnerability has a valid CVE ID, there is reliable evidence of active exploitation in the wild, and clear remediation guidance exists. KEV entries represent confirmed exploitation, not theoretical or proof-of-concept activity.

KEV entries in EOLCanary's database

EOLCanary flags every CVE on the CISA KEV list with a dedicated badge on product pages. As of June 2026, Redis, OpenSSL, and several Linux kernel versions have KEV-listed CVEs in their affected version ranges.

KEV vs CVSS: which score to prioritize

CVSS measures theoretical severity. A CVSS 9.8 vulnerability with no known exploits is less immediately dangerous than a CVSS 7.2 vulnerability on the KEV list. The correct prioritization: KEV entries first regardless of CVSS score, then CVSS Critical with high EPSS, then CVSS High.

How to check your stack against the KEV list

EOLCanary ingests the CISA KEV feed daily and cross-references every entry against tracked product versions. Any KEV badge on EOLCanary means confirmed active exploitation against that version.
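The cross-reference step described above, combined with the ordering from "KEV vs CVSS", as an added example (not EOLCanary's code): it indexes a KEV feed by `cveID`, matches scanner findings against it, and returns them in patch order. The feed excerpt, the findings, the placeholder CVE IDs and the 0.5 EPSS cutoff are constructed assumptions.

```python
import json

# Constructed excerpt in the shape of CISA's KEV JSON feed. cveID, dateAdded and
# dueDate are real field names; the CVE IDs and dates are placeholders.
KEV_FEED = json.loads("""{"catalogVersion": "constructed", "vulnerabilities": [
  {"cveID": "CVE-0000-0002", "dateAdded": "2026-05-01", "dueDate": "2026-05-22"},
  {"cveID": "CVE-0000-0004", "dateAdded": "2026-06-01", "dueDate": "2026-06-22"}]}""")

# Constructed scanner findings for a hypothetical stack.
FINDINGS = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "epss": 0.02},
    {"cve": "CVE-0000-0002", "cvss": 7.2, "epss": 0.40},
    {"cve": "CVE-0000-0003", "cvss": 9.1, "epss": 0.91},
    {"cve": "cve-0000-0004 ", "cvss": 5.3, "epss": 0.10},  # sloppy scanner output
    {"cve": "CVE-0000-0005", "cvss": 8.1, "epss": 0.05},
    {"cve": "CVE-0000-0006", "cvss": 4.0, "epss": 0.01},
]

EPSS_HIGH = 0.5  # assumption: the article does not define "high" EPSS

def norm(cve_id):
    """Normalise a CVE ID so case or stray whitespace cannot hide a KEV match."""
    return cve_id.strip().upper()

def kev_index(feed):
    """Map normalised CVE ID -> KEV entry."""
    return {norm(v["cveID"]): v for v in feed.get("vulnerabilities", [])}

def tier(finding, kev):
    """0 = KEV-listed, 1 = Critical with high EPSS, 2 = High or above, 3 = rest."""
    if norm(finding["cve"]) in kev:
        return 0  # confirmed exploitation outranks any CVSS score
    if finding["cvss"] >= 9.0 and finding["epss"] >= EPSS_HIGH:
        return 1
    if finding["cvss"] >= 7.0:  # also holds Critical with low EPSS (assumption)
        return 2
    return 3

def prioritize(findings, feed):
    """Return (tier, CVE ID) in patch order; KEV hits sort by earliest dueDate."""
    kev = kev_index(feed)
    def key(f):
        t = tier(f, kev)
        due = kev[norm(f["cve"])]["dueDate"] if t == 0 else ""
        return (t, due, -f["cvss"])
    return [(tier(f, kev), norm(f["cve"])) for f in sorted(findings, key=key)]

if __name__ == "__main__":
    for t, cve in prioritize(FINDINGS, KEV_FEED):
        print(f"tier {t}: {cve}")
```

The CVSS 7.2 and 5.3 findings land ahead of the unlisted 9.8 because they appear in the feed, which is the ordering the article argues for.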

Browse KEV-flagged CVEs on EOLCanary's technology directory.

© 2026 EOLCanary — Data from endoflife.date & NVD