What this is. Across Apr–Jun 2026, defend.network published 90 daily threat briefings and 12 weekly vulnerability reports. Every CVE mentioned is looked up against the NIST National Vulnerability Database and cross-referenced with the CISA Known Exploited Vulnerabilities (KEV) catalog before publication. This report analyzes that quarter’s corpus.

Honesty up front. 109 unique CVEs is a small sample – we report counts, not confidence intervals, and flag every place n gets thin. Where the data could not support an analysis, we dropped it rather than padding (see Limitations). Every figure states its source, method, and n.

1. The corpus: 109 CVEs, 39% confirmed exploited

109unique CVEs
39.4%in CISA KEV
8.8median CVSS (n=105)
90daily briefings

43 of the 109 CVEs covered this quarter (39.4%) are in the CISA KEV catalog – a catalog that holds only 1,630 entries in total. An exploitation-first feed massively over-represents confirmed-exploited vulnerabilities relative to the general CVE population.

Exploitation evidence across the corpus (n=109)

CISA KEV-confirmed43Source-reported4Public PoC0None / unknown62
How we computed this: union of all CVE IDs in briefings.json (cveList) and vulnerabilities.json (topCVEs) within the window, deduplicated → 109. KEV membership checked against the full CISA KEV catalog (1,630 entries). Exploitation tier from the pipeline’s _state.exploitationState. CVSS uses NVD base scores only (n=105; 37 score ≥9.0).

2. The AI over-rates severity – the evidence layer corrects it

Across 31 publish-time severity decisions this quarter, the evidence layer overruled the AI’s proposed rating 19 times – and not once did it raise a rating the data didn’t support. The AI’s instinct runs hot; the data pulls it back.

Publish-time severity decisions, AI vs. evidence (n=31 days)

Agreed with AI12Lowered by evidence19Raised by evidence0

Severity is computed from NVD CVSS and CISA KEV exploitation state, with text signals capped – the same function on every briefing. The quarter’s published severity mix: 2 critical, 42 high, 40 medium, 6 low.

How we computed this: from data/pipeline-health.json, which records the AI’s proposed severity (severityAi) and the published severity per day. n=31 days in window; small n stated as-is.

3. Disclosure to KEV: how fast exploitation is confirmed

For the 38 KEV-listed CVEs this quarter with both dates on record, the median gap from NVD publication to CISA KEV listing was 4.0 days – 24 of 38 (63%) within a week, 7 the same day. But “old” is not “safe”: CVE-2022-0492 took 1,552 days from disclosure to KEV listing. The distribution is bimodal; the mean (94.9 days) describes nothing.

Days from NVD publication to KEV listing, per CVE (n=38, sorted)

0d7d14d21d28dCisco0Check Point0Trend Micro0Microsoft0Cisco0Google0Google0Oracle1Android1WebPros1LiteSpeed1SolarWinds1Fortinet2Drupal2Adobe2Meta2Ivanti2TrueConf3RARLAB4Arista4Cisco5LiteSpeed5BeyondTrust7PTC7Splunk8Mirasvit8Linux9Apache9Widget Factory11Palo Alto Networ16SimpleHelp 17Cisco22BerriAI31Lantronix104SimpleHelp 464Samsung620Oracle685Linux1,552

Of the 30 KEV CVEs first seen in a daily briefing, 6 were covered before CISA listed them and 5 the same day – source-reported exploitation often precedes the official catalog.

CVEVendor (KEV)NVD publishedKEV addedLag
CVE-2026-20262Cisco2026-06-152026-06-150d
CVE-2026-50751Check Point2026-06-082026-06-080d
CVE-2026-34926Trend Micro2026-05-212026-05-210d
CVE-2026-41091Microsoft2026-05-202026-05-200d
CVE-2026-20182Cisco2026-05-142026-05-140d
CVE-2026-5281Google2026-04-012026-04-010d
CVE-2026-11645Google2026-06-092026-06-090d
CVE-2026-35273Oracle2026-06-112026-06-121d
CVE-2025-48595Android2026-06-012026-06-021d
CVE-2026-41940WebPros2026-04-292026-04-301d
CVE-2026-54420LiteSpeed2026-06-142026-06-151d
CVE-2026-28318SolarWinds2026-06-042026-06-051d
CVE-2026-35616Fortinet2026-04-042026-04-062d
CVE-2026-9082Drupal2026-05-202026-05-222d
CVE-2026-34621Adobe2026-04-112026-04-132d
CVE-2025-55182Meta2025-12-032025-12-052d
CVE-2026-10520Ivanti2026-06-092026-06-112d
CVE-2026-3502TrueConf2026-03-302026-04-023d
CVE-2025-8088RARLAB2025-08-082025-08-124d
CVE-2026-7473Arista2026-06-052026-06-094d
CVE-2026-20245Cisco2026-06-042026-06-095d
CVE-2026-48172LiteSpeed2026-05-212026-05-265d
CVE-2026-1731BeyondTrust2026-02-062026-02-137d
CVE-2026-12569PTC2026-06-182026-06-257d
CVE-2026-20253Splunk2026-06-102026-06-188d
CVE-2026-45247Mirasvit2026-05-262026-06-038d
CVE-2026-31431Linux2026-04-222026-05-019d
CVE-2026-34197Apache2026-04-072026-04-169d
CVE-2026-48907Widget Factory2026-06-052026-06-1611d
CVE-2026-0257Palo Alto Networks2026-05-132026-05-2916d
CVE-2026-48558SimpleHelp 2026-06-122026-06-2917d
CVE-2026-20230Cisco2026-06-032026-06-2522d
CVE-2026-42271BerriAI2026-05-082026-06-0831d
CVE-2025-67038Lantronix2026-03-112026-06-23104d
CVE-2024-57726SimpleHelp 2025-01-152026-04-24464d
CVE-2024-7399Samsung2024-08-122026-04-24620d
CVE-2024-21182Oracle2024-07-162026-06-01685d
CVE-2022-0492Linux2022-03-032026-06-021,552d
How we computed this: for each corpus CVE in the CISA KEV catalog, lag = KEV dateAdded minus NVD published (both from cached authoritative records; day granularity, so same-day = 0). n=38 KEV CVEs with both dates; the rest lack a cached NVD record and are excluded rather than guessed.

4. CVSS and EPSS disagree about which CVEs matter

Among the 40 CVEs with both a CVSS score and a FIRST.org EPSS probability, 8 rated CVSS ≥9 (“critical”) carry an EPSS exploitation probability below 4% – while the highest EPSS in the corpus (0.90) belongs to CVE-2024-21182, rated only 7.5. Patch by CVSS rank alone and both lists betray you.

CVSS base score vs. EPSS exploitation probability (n=40)

0.25.50.751.05.06.07.08.09.010CVSS base score →EPSS →KEVnot
How we computed this: all corpus CVEs carrying a FIRST.org EPSS record (_epss) joined with their NVD CVSS base score and KEV membership. n=40 and biased toward recently-enriched CVEs. Overlapping points are jittered a few pixels so dots stay visible; exact values are in the dataset. An observation about this corpus, not a general CVSS/EPSS claim – n is far too small.

5. The vendor list is a long tail

109 CVEs map to 69 distinct vendors – 54 of them appear exactly once.

Most-recurring vendors in the corpus (unique CVEs; n=108 attributed)

Linux13Microsoft5Cisco4Fortinet4D-Link4Ivanti3Apache3OT / industrial-control vendor

The long tail (54 of 69 vendors appearing once) matches what defenders experience: most risk arrives from software you forgot you ran.

How we computed this: vendor attribution per CVE, in priority order: CISA KEV vendorProject → NVD CPE vendor → the report’s vendor string (first token). 108 of 109 CVEs attributable; counts are unique CVEs. Name normalization is light (case-folding + a short alias list) – treat ±1 as noise.

Limitations & what we refused to claim

Small n, one quarter. 90 briefings, 109 CVEs, one calendar quarter. These are counts from one young corpus, not industry statistics – descriptive, not predictive, and not to be extrapolated beyond this dataset.

Reproduce it. Raw data: /api/v1/cves.json and /api/v1/briefings.json (the live feeds this site serves – they keep growing, so current counts exceed this fixed 2026-04-01 → 2026-06-30 window), plus the public CISA KEV catalog and NVD. Found an error? contact@defend.network – we correct promptly and say so.

License. This dataset (the CVE selection, annotations, and aggregates) is licensed CC BY 4.0 – reuse it freely with attribution to defend.network. The underlying NVD and CISA KEV records are public data.

Get the verified feed, daily

The corpus behind this report grows by one briefing every day at 04:00 UTC. Free for security professionals.