Research / Report #2
What 109 verified CVEs from Apr–Jun 2026 daily briefings reveal about exploitation speed, severity calibration, and where CVSS misleads.
What this is. Across Apr–Jun 2026, defend.network published 90 daily threat briefings and 12 weekly vulnerability reports. Every CVE mentioned is looked up against the NIST National Vulnerability Database and cross-referenced with the CISA Known Exploited Vulnerabilities (KEV) catalog before publication. This report analyzes that quarter’s corpus.
Honesty up front. 109 unique CVEs is a small sample – we report counts, not confidence intervals, and flag every place n gets thin. Where the data could not support an analysis, we dropped it rather than padding (see Limitations). Every figure states its source, method, and n.
43 of the 109 CVEs covered this quarter (39.4%) are in the CISA KEV catalog – a catalog that holds only 1,630 entries in total. An exploitation-first feed massively over-represents confirmed-exploited vulnerabilities relative to the general CVE population.
Exploitation evidence across the corpus (n=109)
briefings.json (cveList) and vulnerabilities.json (topCVEs) within the window, deduplicated → 109. KEV membership checked against the full CISA KEV catalog (1,630 entries). Exploitation tier from the pipeline’s _state.exploitationState. CVSS uses NVD base scores only (n=105; 37 score ≥9.0).
Across 31 publish-time severity decisions this quarter, the evidence layer overruled the AI’s proposed rating 19 times – and not once did it raise a rating the data didn’t support. The AI’s instinct runs hot; the data pulls it back.
Publish-time severity decisions, AI vs. evidence (n=31 days)
Severity is computed from NVD CVSS and CISA KEV exploitation state, with text signals capped – the same function on every briefing. The quarter’s published severity mix: 2 critical, 42 high, 40 medium, 6 low.
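The report does not publish the severity function itself, so the following is an added illustration (not defend.network’s code) of what an evidence-capped decision of that shape can look like. It assumes the NVD CVSS v3 bands for the score-to-level mapping, a floor of “high” for any KEV-listed CVE, and a text-signal contribution capped at one step no matter how many sources repeat the claim; the `decide` function, the sample rows and the rule choices are all assumptions made for the example.

```python
from typing import Iterable, Optional

# Ordered severity scale; list index is what gets compared.
LEVELS = ["low", "medium", "high", "critical"]


def cvss_level(score: Optional[float]) -> str:
    """Map an NVD CVSS v3 base score to a briefing level (NVD's own bands).
    A missing score maps to 'low': text cannot conjure a score that NVD has
    not assigned."""
    if score is None:
        return "low"
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def evidence_level(cvss_scores: Iterable[Optional[float]],
                   kev_flags: Iterable[bool],
                   exploitation_mentions: int) -> str:
    """Data-supported level for one briefing (assumed rules, not the site's):
      * the strongest CVE in the briefing sets the CVSS level;
      * any KEV-listed CVE puts a floor of 'high' under it;
      * source text claiming exploitation adds at most ONE step, however
        often it is repeated (the capped text signal)."""
    level = max((LEVELS.index(cvss_level(s)) for s in cvss_scores), default=0)
    if any(kev_flags):
        level = max(level, LEVELS.index("high"))
    bump = 1 if exploitation_mentions > 0 else 0
    return LEVELS[min(level + bump, len(LEVELS) - 1)]


def decide(ai_proposed: str, cvss_scores, kev_flags, exploitation_mentions: int):
    """Return (published_level, overruled).
    The published level is the evidence level; the AI proposal is only logged.
    'overruled' is True whenever the two disagree, in either direction, so the
    invariant the report describes (never published above what the data
    supports) holds by construction rather than by review."""
    published = evidence_level(cvss_scores, kev_flags, exploitation_mentions)
    return published, published != ai_proposed


def overrule_count(decisions) -> int:
    """Count overrules across rows of (ai_proposed, scores, kev_flags, mentions)."""
    return sum(1 for row in decisions if decide(*row)[1])


# Constructed sample rows for the example; not the site's pipeline-health.json.
SAMPLE = [
    ("critical", [7.5, 8.1], [False, False], 0),  # AI runs hot; data says high
    ("high", [9.8], [True], 0),                   # data supports critical: raised
    ("critical", [None], [False], 5),             # text alone: one step, to medium
    ("high", [8.8], [True], 0),                   # agreement, no overrule
]

if __name__ == "__main__":
    for row in SAMPLE:
        print(row[0], "->", decide(*row))
    print("overruled:", overrule_count(SAMPLE), "of", len(SAMPLE))
```

The third sample row is the case worth keeping in mind: five sources saying “actively exploited” about a CVE with no NVD score still only moves the needle one step, because the cap is on the signal, not on the number of times it is repeated.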
data/pipeline-health.json, which records the AI’s proposed severity (severityAi) and the published severity per day. n=31 days in window; small n stated as-is.
For the 38 KEV-listed CVEs this quarter with both dates on record, the median gap from NVD publication to CISA KEV listing was 4.0 days – 24 of 38 (63%) within a week, 7 the same day. But “old” is not “safe”: CVE-2022-0492 took 1,552 days from NVD publication to KEV listing. The distribution is a tight cluster near zero with a long tail that reaches into years; the mean (94.9 days) describes nothing.
Days from NVD publication to KEV listing, per CVE (n=38, sorted)
Of the 30 KEV CVEs first seen in a daily briefing, 6 were covered before CISA listed them and 5 the same day – source-reported exploitation often precedes the official catalog.
| CVE | Vendor (KEV) | NVD published | KEV added | Lag |
|---|---|---|---|---|
| CVE-2026-20262 | Cisco | 2026-06-15 | 2026-06-15 | 0d |
| CVE-2026-50751 | Check Point | 2026-06-08 | 2026-06-08 | 0d |
| CVE-2026-34926 | Trend Micro | 2026-05-21 | 2026-05-21 | 0d |
| CVE-2026-41091 | Microsoft | 2026-05-20 | 2026-05-20 | 0d |
| CVE-2026-20182 | Cisco | 2026-05-14 | 2026-05-14 | 0d |
| CVE-2026-5281 | | 2026-04-01 | 2026-04-01 | 0d |
| CVE-2026-11645 | | 2026-06-09 | 2026-06-09 | 0d |
| CVE-2026-35273 | Oracle | 2026-06-11 | 2026-06-12 | 1d |
| CVE-2025-48595 | Android | 2026-06-01 | 2026-06-02 | 1d |
| CVE-2026-41940 | WebPros | 2026-04-29 | 2026-04-30 | 1d |
| CVE-2026-54420 | LiteSpeed | 2026-06-14 | 2026-06-15 | 1d |
| CVE-2026-28318 | SolarWinds | 2026-06-04 | 2026-06-05 | 1d |
| CVE-2026-35616 | Fortinet | 2026-04-04 | 2026-04-06 | 2d |
| CVE-2026-9082 | Drupal | 2026-05-20 | 2026-05-22 | 2d |
| CVE-2026-34621 | Adobe | 2026-04-11 | 2026-04-13 | 2d |
| CVE-2025-55182 | Meta | 2025-12-03 | 2025-12-05 | 2d |
| CVE-2026-10520 | Ivanti | 2026-06-09 | 2026-06-11 | 2d |
| CVE-2026-3502 | TrueConf | 2026-03-30 | 2026-04-02 | 3d |
| CVE-2025-8088 | RARLAB | 2025-08-08 | 2025-08-12 | 4d |
| CVE-2026-7473 | Arista | 2026-06-05 | 2026-06-09 | 4d |
| CVE-2026-20245 | Cisco | 2026-06-04 | 2026-06-09 | 5d |
| CVE-2026-48172 | LiteSpeed | 2026-05-21 | 2026-05-26 | 5d |
| CVE-2026-1731 | BeyondTrust | 2026-02-06 | 2026-02-13 | 7d |
| CVE-2026-12569 | PTC | 2026-06-18 | 2026-06-25 | 7d |
| CVE-2026-20253 | Splunk | 2026-06-10 | 2026-06-18 | 8d |
| CVE-2026-45247 | Mirasvit | 2026-05-26 | 2026-06-03 | 8d |
| CVE-2026-31431 | Linux | 2026-04-22 | 2026-05-01 | 9d |
| CVE-2026-34197 | Apache | 2026-04-07 | 2026-04-16 | 9d |
| CVE-2026-48907 | Widget Factory | 2026-06-05 | 2026-06-16 | 11d |
| CVE-2026-0257 | Palo Alto Networks | 2026-05-13 | 2026-05-29 | 16d |
| CVE-2026-48558 | SimpleHelp | 2026-06-12 | 2026-06-29 | 17d |
| CVE-2026-20230 | Cisco | 2026-06-03 | 2026-06-25 | 22d |
| CVE-2026-42271 | BerriAI | 2026-05-08 | 2026-06-08 | 31d |
| CVE-2025-67038 | Lantronix | 2026-03-11 | 2026-06-23 | 104d |
| CVE-2024-57726 | SimpleHelp | 2025-01-15 | 2026-04-24 | 464d |
| CVE-2024-7399 | Samsung | 2024-08-12 | 2026-04-24 | 620d |
| CVE-2024-21182 | Oracle | 2024-07-16 | 2026-06-01 | 685d |
| CVE-2022-0492 | Linux | 2022-03-03 | 2026-06-02 | 1,552d |
dateAdded minus NVD published (both from cached authoritative records; day granularity, so same-day = 0). n=38 KEV CVEs with both dates; the rest lack a cached NVD record and are excluded rather than guessed.
Among the 40 CVEs with both a CVSS score and a FIRST.org EPSS probability, 8 rated CVSS ≥9 (“critical”) carry an EPSS exploitation probability below 4% – while the highest EPSS in the corpus (0.90) belongs to CVE-2024-21182, rated only 7.5. Patch by CVSS rank alone and both lists betray you.
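To reproduce the lag statistics from the KEV table above without the site’s cached records, the following added example (not the report’s own tooling) embeds the 38 (CVE, NVD published, KEV dateAdded) rows from the table and recomputes the lag column, median, mean, same-day and within-a-week counts. It also counts negative lags, which the table does not contain but which can occur in a KEV join when CISA lists an ID before NVD publishes its record; the helper names are assumptions made for the example.

```python
from datetime import date
from statistics import mean, median

# The 38 rows of the lag table above: (CVE, NVD published, KEV dateAdded).
KEV_DATES = [
    ("CVE-2026-20262", "2026-06-15", "2026-06-15"),
    ("CVE-2026-50751", "2026-06-08", "2026-06-08"),
    ("CVE-2026-34926", "2026-05-21", "2026-05-21"),
    ("CVE-2026-41091", "2026-05-20", "2026-05-20"),
    ("CVE-2026-20182", "2026-05-14", "2026-05-14"),
    ("CVE-2026-5281", "2026-04-01", "2026-04-01"),
    ("CVE-2026-11645", "2026-06-09", "2026-06-09"),
    ("CVE-2026-35273", "2026-06-11", "2026-06-12"),
    ("CVE-2025-48595", "2026-06-01", "2026-06-02"),
    ("CVE-2026-41940", "2026-04-29", "2026-04-30"),
    ("CVE-2026-54420", "2026-06-14", "2026-06-15"),
    ("CVE-2026-28318", "2026-06-04", "2026-06-05"),
    ("CVE-2026-35616", "2026-04-04", "2026-04-06"),
    ("CVE-2026-9082", "2026-05-20", "2026-05-22"),
    ("CVE-2026-34621", "2026-04-11", "2026-04-13"),
    ("CVE-2025-55182", "2025-12-03", "2025-12-05"),
    ("CVE-2026-10520", "2026-06-09", "2026-06-11"),
    ("CVE-2026-3502", "2026-03-30", "2026-04-02"),
    ("CVE-2025-8088", "2025-08-08", "2025-08-12"),
    ("CVE-2026-7473", "2026-06-05", "2026-06-09"),
    ("CVE-2026-20245", "2026-06-04", "2026-06-09"),
    ("CVE-2026-48172", "2026-05-21", "2026-05-26"),
    ("CVE-2026-1731", "2026-02-06", "2026-02-13"),
    ("CVE-2026-12569", "2026-06-18", "2026-06-25"),
    ("CVE-2026-20253", "2026-06-10", "2026-06-18"),
    ("CVE-2026-45247", "2026-05-26", "2026-06-03"),
    ("CVE-2026-31431", "2026-04-22", "2026-05-01"),
    ("CVE-2026-34197", "2026-04-07", "2026-04-16"),
    ("CVE-2026-48907", "2026-06-05", "2026-06-16"),
    ("CVE-2026-0257", "2026-05-13", "2026-05-29"),
    ("CVE-2026-48558", "2026-06-12", "2026-06-29"),
    ("CVE-2026-20230", "2026-06-03", "2026-06-25"),
    ("CVE-2026-42271", "2026-05-08", "2026-06-08"),
    ("CVE-2025-67038", "2026-03-11", "2026-06-23"),
    ("CVE-2024-57726", "2025-01-15", "2026-04-24"),
    ("CVE-2024-7399", "2024-08-12", "2026-04-24"),
    ("CVE-2024-21182", "2024-07-16", "2026-06-01"),
    ("CVE-2022-0492", "2022-03-03", "2026-06-02"),
]


def lag_days(published: str, added: str) -> int:
    """KEV dateAdded minus NVD published, in whole days (same day = 0).
    Negative means CISA listed the ID before NVD published a record."""
    return (date.fromisoformat(added) - date.fromisoformat(published)).days


def lags(rows) -> list:
    """Sorted lag column for a list of (cve, published, added) rows."""
    return sorted(lag_days(p, a) for _, p, a in rows)


def summarize(rows) -> dict:
    """The figures quoted in the report, recomputed from the dates alone."""
    ls = lags(rows)
    return {
        "n": len(ls),
        "median": median(ls),          # even n: mean of the two middle values
        "mean": round(mean(ls), 1),
        "same_day": sum(1 for l in ls if l == 0),
        "within_week": sum(1 for l in ls if l <= 7),
        "negative": sum(1 for l in ls if l < 0),
        "max": max(ls),
        "slowest": max(rows, key=lambda r: lag_days(r[1], r[2]))[0],
    }


if __name__ == "__main__":
    for k, v in summarize(KEV_DATES).items():
        print(f"{k:>12}: {v}")
```

Swap `KEV_DATES` for a join of the live KEV catalog against your own NVD cache and the same function gives the numbers for your corpus; the `negative` count is the check to watch, since a row where KEV precedes NVD usually means the NVD record you cached is not the one the ID was published under.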
CVSS base score vs. EPSS exploitation probability (n=40)
_epss) joined with their NVD CVSS base score and KEV membership. n=40 and biased toward recently-enriched CVEs. Overlapping points are jittered a few pixels so dots stay visible; exact values are in the dataset. An observation about this corpus, not a general CVSS/EPSS claim – n is far too small.
109 CVEs map to 69 distinct vendors – 54 of them appear exactly once.
Most-recurring vendors in the corpus (unique CVEs; n=108 attributed)
The long tail (54 of 69 vendors appearing once) matches what defenders experience: most risk arrives from software you forgot you ran.
vendorProject → NVD CPE vendor → the report’s vendor string (first token). 108 of 109 CVEs attributable; counts are unique CVEs. Name normalization is light (case-folding + a short alias list) – treat ±1 as noise.
Limitations. Small n, one quarter. 90 briefings, 109 CVEs, one calendar quarter. These are counts from one young corpus, not industry statistics – descriptive, not predictive, and not to be extrapolated beyond this dataset.
Reproduce it. Raw data: /api/v1/cves.json and /api/v1/briefings.json (the live feeds this site serves – they keep growing, so current counts exceed this fixed 2026-04-01 → 2026-06-30 window), plus the public CISA KEV catalog and NVD. Found an error? contact@defend.network – we correct promptly and say so.
License. This dataset (the CVE selection, annotations, and aggregates) is licensed CC BY 4.0 – reuse it freely with attribution to defend.network. The underlying NVD and CISA KEV records are public data.
The corpus behind this report grows by one briefing every day at 04:00 UTC. Free for security professionals.