Browse every CVE in the CISA KEV catalog. Filter by vendor, product, ransomware use, or BOD 22-01 due date. Updated daily from cisa.gov.
ReferenceWhat is the CISA KEV catalog?
The Known Exploited Vulnerabilities (KEV) catalog is a CISA-maintained list of CVEs confirmed to be actively exploited in the wild. It is the authoritative answer to "is this vulnerability really being used by attackers?" Unlike EPSS (which is a probability), KEV is a binary, evidence-based signal — if a CVE is on the KEV list, it has been observed in real attacks.
For US federal agencies, BOD 22-01 makes remediation of KEV CVEs mandatory by the listed due date. For everyone else, KEV is the strongest possible "patch this now" signal you can get from public threat intel.
ComparisonKEV vs EPSS vs CVSS — how do they fit together?
| Signal | What it answers | Use |
|---|
| CVSS | How bad is this vulnerability if it is exploited? | Severity (theoretical) |
| EPSS | How likely is this vulnerability to be exploited in the next 30 days? | Probability (forecast) |
| KEV | Is this vulnerability already being exploited, with public evidence? | Binary (confirmed) |
The right priority order, in plain English: anything in KEV is patched first. Among non-KEV items, sort by EPSS percentile descending. Use CVSS as a tiebreaker.
API
Want this in your SOAR or SIEM?
SARA Open ships an OpenAI-compatible API. Call POST /api/v1/analyze — SARA returns EPSS, CVSS, KEV status, and an analyst-grade written summary in one call.
curl -X POST https://sara-open.sirp.io/api/v1/analyze \
-H "Authorization: Bearer $SARA_API_KEY" \
-H "Content-Type: application/json" \
-d '{"type": "cve", "value": "CVE-2021-44228"}'
Read the API reference →
FAQFrequently asked questions
How often does CISA update the KEV catalog?
Whenever new exploitation evidence is confirmed — typically several updates per month, sometimes multiple in a week. This browser refreshes from CISA daily and reflects the most recent ingest.
Is the KEV catalog mandatory for non-federal organizations?
No, but it is widely treated as the de-facto standard for must-patch prioritization, and is increasingly cited by cyber-insurers, auditors, and regulators.
What does ransomware use mean in the KEV catalog?
CISA flags CVEs known to have been exploited in ransomware campaigns. This is the highest-urgency tier for many SOCs and a frequent input to ransomware tabletop exercises.
Can I bulk-export the KEV catalog?
Yes. CISA publishes the full catalog as JSON and CSV directly. SARA's API additionally returns SARA's analyst-written summary alongside each row — useful for triage queues.
Does this browser show every KEV CVE, or just popular ones?
Every entry in the catalog. The full list is searchable here.
What is BOD 22-01?
Binding Operational Directive 22-01, issued by CISA, requires US federal civilian executive-branch agencies to remediate vulnerabilities in the KEV catalog by the listed due date. Most non-federal organizations adopt similar SLAs informally.