Research / Report #1
What 135 NVD- and CISA-checked vulnerabilities from our first three months of daily briefings actually show – about exploitation speed, severity inflation, and where CVSS misleads.
What this is. Since March 20, 2026, defend.network has published a threat briefing every single day – 83 briefings over 83 days, plus 12 weekly vulnerability reports. Every CVE mentioned is looked up against the NIST National Vulnerability Database and cross-referenced with the CISA Known Exploited Vulnerabilities (KEV) catalog before publication. This report is the first analysis of that corpus.
Honesty up front. The title rounds up: the exact window is 83 days (March 20 – June 10, 2026). 135 unique CVEs is a small sample – small enough that we report counts, not confidence intervals, and we flag every place where n gets thin. Where the data could not support an analysis, we dropped it rather than padding (two candidate analyses were dropped; see Limitations). Every figure below states its data source, method, and n, and is reproducible (as of the 2026-06-10 snapshot – the feed updates daily) from the JSON files this site serves publicly: /api/v1/cves.json and /api/v1/briefings.json.
37 of the 135 CVEs we covered (27.4%) are in the CISA KEV catalog – a catalog that holds only 1,617 CVEs in total. The pipeline’s exploitation-first ranking is visible in the data: confirmed-exploited vulnerabilities are massively over-represented relative to the general CVE population.
Exploitation evidence across the corpus (n=135)
briefings.json (cveList) and vulnerabilities.json (topCVEs), deduplicated → 135. KEV membership checked for all 135 against the full CISA KEV catalog cached in kev-cache.json (1,617 entries, fetched 2026-06-10). Source-reported / PoC states come from the pipeline’s _state.exploitationState classification (see methodology) and exist only for the 64 pipeline-enriched records – so “none/unknown” is an upper bound. CVSS figures use NVD base scores only (n=62 with an NVD-published score; median 8.8; 29 score ≥9.0). Script: _scratch/analysis2.py in the site repo.

Caveat: 71 of 135 CVEs come from weekly reports published before the verification pipeline stored full NVD state (mid-May 2026). For those, we verified KEV membership against the authoritative catalog but excluded them from all CVSS, lag, and EPSS statistics below – their original CVSS values were AI-claimed and we do not treat those as data.
Across 84 automated severity decisions we audited, evidence-based re-scoring overruled the AI’s proposed rating 65 times (77%) – and every single override was downward. Left unchecked, the AI never under-hyped a threat. It only over-hyped: 61 briefings it had rated “critical” became 3.
On 2026-05-29 we centralized severity scoring into a single evidence-based function (NVD CVSS + CISA KEV exploitation state, with text signals capped) and re-scored the entire archive. The before/after is in our public git history, commit 5959330:
Archive severity, before vs. after evidence-based re-scoring (n=72 briefings, 2026-05-29)
Of the 72 re-scored briefings, 58 were lowered, 0 were raised, 14 were unchanged. The two biggest moves: 31 briefings went critical→medium and 27 went critical→high. Since then the same scoring runs live on every new briefing, and the pattern holds: in the 12 days of publish-time telemetry we have (2026-05-30 to 2026-06-10), the AI proposed “high” or “critical” all 12 days; the evidence layer agreed 5 times, lowered it 7 times, and raised it 0 times. The archive today (n=83): 4 critical, 38 high, 36 medium, 5 low.
data/briefings.json at git commit 5959330 against its parent (n=72 briefings; per-briefing severity compared by file slug). Live decisions from data/pipeline-health.json, which records the AI’s proposed severity (severityAi) and the published severity per day (n=12 days available – telemetry only began 2026-05-30; small n, stated as-is). Combined: 72 + 12 = 84 decisions. Scripts: _scratch/analysis3.py. The scoring function itself is documented on the methodology page.

Why publish this? Because “AI-generated threat intel” deserves skepticism, and this is what the failure mode looks like in practice: not fabrication of CVEs (the verbatim-source check handles that), but systematic urgency inflation. The fix is structural – severity is now computed from NVD/CISA data and the AI’s rating is capped at medium whenever structured evidence is absent.
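The scoring rule described above, as an added illustration rather than the site’s own function: CVSS bands are the standard NVD v3.x qualitative ranges, the “KEV lifts to at least high” rule is an assumption, and the sample decisions are constructed. The rule itself is symmetric; the zero upward overrides in the report are an empirical finding, not a property of the function.

```python
# Added illustration of the evidence-based severity rule the report describes
# (NVD CVSS + KEV state, AI text rating capped at medium without structured
# evidence). Not the site's own scoring function; the CVSS bands are the
# standard NVD v3.x qualitative ranges and the "KEV lifts to at least high"
# rule is an assumption.
LEVELS = ["low", "medium", "high", "critical"]


def cvss_level(score):
    """Map an NVD CVSS v3.x base score to its qualitative band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def evidence_severity(ai_rating, cvss=None, in_kev=False):
    """Published severity for one briefing, computed from structured evidence."""
    if cvss is None and not in_kev:
        # No NVD score and not in KEV: the text-derived rating cannot exceed medium.
        return min(ai_rating, "medium", key=LEVELS.index)
    level = cvss_level(cvss) if cvss is not None else "low"
    if in_kev:
        # Assumption: confirmed in-the-wild exploitation lifts to at least high.
        level = max(level, "high", key=LEVELS.index)
    return level


def audit(decisions):
    """Count override direction for (ai_rating, cvss, in_kev) decisions."""
    counts = {"lowered": 0, "raised": 0, "unchanged": 0}
    for ai_rating, cvss, in_kev in decisions:
        delta = LEVELS.index(evidence_severity(ai_rating, cvss, in_kev)) - LEVELS.index(ai_rating)
        counts["lowered" if delta < 0 else "raised" if delta > 0 else "unchanged"] += 1
    return counts


# Constructed decisions (not from the report's telemetry).
SAMPLE_DECISIONS = [
    ("critical", 9.8, True),    # evidence agrees: unchanged
    ("critical", 7.5, False),   # CVSS says high: lowered
    ("critical", None, False),  # no structured evidence: capped at medium
    ("high", 5.3, False),       # CVSS says medium: lowered
    ("high", None, True),       # KEV only: stays high
    ("medium", 9.1, False),     # the rule is symmetric: a raise is possible
]
```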
For the 17 KEV-listed CVEs in our corpus with both dates on record, the median gap between NVD publication and the CISA KEV listing was 4 days – 12 of 17 (71%) landed within a week, 4 the very same day. The exceptions are extreme: an Oracle WebLogic flaw took 685 days and a 2022 Linux kernel flaw took 1,552 days to be confirmed exploited. The distribution is bimodal; the mean (136 days) describes nothing.
Days from NVD publication to KEV listing, per CVE (n=17, sorted)
Two readings, both supported: (1) for newly disclosed vulnerabilities that get exploited at all, the patch window before confirmed in-the-wild exploitation is now measured in days, not weeks; (2) “old” is not “safe” – CVE-2024-21182 (Oracle WebLogic) and CVE-2022-0492 (Linux cgroups) were both added to KEV in June 2026, years after disclosure. One related observation: of the 28 KEV-listed CVEs that first appeared in a daily briefing, 6 were covered 1–12 days before CISA listed them and 4 more the same day – source-reported exploitation often precedes the official catalog.
| CVE | Vendor (KEV) | NVD published | KEV added | Lag |
|---|---|---|---|---|
| CVE-2026-50751 | Check Point | 2026-06-08 | 2026-06-08 | 0d |
| CVE-2026-34926 | Trend Micro | 2026-05-21 | 2026-05-21 | 0d |
| CVE-2026-41091 | Microsoft | 2026-05-20 | 2026-05-20 | 0d |
| CVE-2026-11645 | | 2026-06-09 | 2026-06-09 | 0d |
| CVE-2025-48595 | Android | 2026-06-01 | 2026-06-02 | 1d |
| CVE-2026-28318 | SolarWinds | 2026-06-04 | 2026-06-05 | 1d |
| CVE-2026-35616 | Fortinet | 2026-04-04 | 2026-04-06 | 2d |
| CVE-2026-9082 | Drupal | 2026-05-20 | 2026-05-22 | 2d |
| CVE-2025-8088 | RARLAB | 2025-08-08 | 2025-08-12 | 4d |
| CVE-2026-7473 | Arista | 2026-06-05 | 2026-06-09 | 4d |
| CVE-2026-48172 | LiteSpeed | 2026-05-21 | 2026-05-26 | 5d |
| CVE-2026-20245 | Cisco | 2026-06-04 | 2026-06-09 | 5d |
| CVE-2026-45247 | Mirasvit | 2026-05-26 | 2026-06-03 | 8d |
| CVE-2026-0257 | Palo Alto Networks | 2026-05-13 | 2026-05-29 | 16d |
| CVE-2026-42271 | BerriAI | 2026-05-08 | 2026-06-08 | 31d |
| CVE-2024-21182 | Oracle | 2024-07-16 | 2026-06-01 | 685d |
| CVE-2022-0492 | Linux | 2022-03-03 | 2026-06-02 | 1,552d |
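The Lag column recomputed with the method the source note below describes, as an added example (not the site’s _scratch/analysis2.py): the 17 dated rows are transcribed from the table above, and one constructed placeholder without an NVD date shows the exclude-rather-than-guess rule.

```python
# Added illustration of the report's KEV-lag method: KEV dateAdded minus NVD
# published date, day granularity, CVEs with no cached NVD record excluded
# rather than guessed. Not the site's _scratch/analysis2.py. The 17 dated rows
# are transcribed from the report's table; the last entry is a constructed
# stand-in for a pre-pipeline CVE without an NVD date.
from datetime import date
from statistics import mean, median

LAG_RECORDS = [  # (cve, nvd_published, kev_date_added); None = no cached NVD record
    ("CVE-2026-50751", "2026-06-08", "2026-06-08"),
    ("CVE-2026-34926", "2026-05-21", "2026-05-21"),
    ("CVE-2026-41091", "2026-05-20", "2026-05-20"),
    ("CVE-2026-11645", "2026-06-09", "2026-06-09"),
    ("CVE-2025-48595", "2026-06-01", "2026-06-02"),
    ("CVE-2026-28318", "2026-06-04", "2026-06-05"),
    ("CVE-2026-35616", "2026-04-04", "2026-04-06"),
    ("CVE-2026-9082", "2026-05-20", "2026-05-22"),
    ("CVE-2025-8088", "2025-08-08", "2025-08-12"),
    ("CVE-2026-7473", "2026-06-05", "2026-06-09"),
    ("CVE-2026-48172", "2026-05-21", "2026-05-26"),
    ("CVE-2026-20245", "2026-06-04", "2026-06-09"),
    ("CVE-2026-45247", "2026-05-26", "2026-06-03"),
    ("CVE-2026-0257", "2026-05-13", "2026-05-29"),
    ("CVE-2026-42271", "2026-05-08", "2026-06-08"),
    ("CVE-2024-21182", "2024-07-16", "2026-06-01"),
    ("CVE-2022-0492", "2022-03-03", "2026-06-02"),
    ("CVE-0000-00000", None, "2026-05-15"),  # constructed placeholder, no NVD date
]


def kev_lag_days(nvd_published, kev_added):
    """Whole days from NVD publication to KEV listing; None if a date is missing."""
    if not nvd_published or not kev_added:
        return None
    return (date.fromisoformat(kev_added) - date.fromisoformat(nvd_published)).days


def lag_stats(records):
    """Sorted-lag summary; the mean is included only to show why it misleads."""
    lags = sorted(l for l in (kev_lag_days(p, a) for _, p, a in records) if l is not None)
    return {
        "n": len(lags),
        "excluded": len(records) - len(lags),
        "median": median(lags),
        "mean": round(mean(lags)),
        "same_day": sum(1 for l in lags if l == 0),
        "within_week": sum(1 for l in lags if l <= 7),
        "max": max(lags),
    }
```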
dateAdded minus NVD published date (both from cached authoritative records; KEV dateAdded has day granularity, so same-day = 0). n=17 of the 37 corpus KEV CVEs – the other 20 lack a cached NVD record (pre-pipeline entries, excluded rather than guessed). We wanted a per-vendor breakdown but no vendor has n≥3 lag pairs, so we dropped it. Small n caveat applies to every percentage in this section. Script: _scratch/analysis2.py.

Among the 22 corpus CVEs with EPSS scores on file, four rated CVSS 9.8 (“critical”) carry an EPSS exploitation probability below 0.4% – while the highest EPSS score in the corpus (0.90) belongs to a CVE rated only 7.5. If you patch by CVSS rank alone, both lists betray you.
CVSS base score vs. EPSS exploitation probability (n=22)
The divergence runs both ways. Downward: CVE-2026-3300, CVE-2026-8206, CVE-2026-8732, and CVE-2026-41089 are all CVSS 9.8 with EPSS below 0.4% – maximal on paper, near-zero predicted exploitation. Upward: CVE-2024-21182 (Oracle WebLogic) is rated 7.5 – not even “critical” – yet has EPSS 0.90 (99.6th percentile) and is now KEV-listed. And a third signal beats both: 4 of the 15 KEV-listed CVEs in this sample carry EPSS under 1%, including CVE-2026-11645 (Chrome V8), which CISA confirmed exploited the same day NVD published it. EPSS is a prediction; KEV is an observation – when they disagree, the observation wins.
Pipeline-attached EPSS fields (_epss: score, percentile) joined with their NVD CVSS base score and KEV membership. n=22 and biased to recent CVEs – our pipeline only began attaching EPSS on 2026-06-04, so this covers CVEs enriched since then. Points at the zero line are jittered by a few pixels (≤0.08 CVSS / ≤0.02 EPSS) so overlapping dots stay visible; exact values are in the dataset. This is an observation about our corpus, not a general claim about CVSS/EPSS correlation – n is far too small for that. Script: _scratch/analysis2.py.

135 CVEs map to 87 distinct vendors – 70 of them appear exactly once. At the head of the distribution, industrial-control vendors ABB (7), Siemens (3), and Hitachi (3) together account for 13 CVEs: as many as Microsoft and Cisco combined.
Most-recurring vendors in the corpus (unique CVEs; n=125 attributed)
The ABB/Siemens/Hitachi cluster largely reflects CISA ICS advisories flowing into our weekly reports – a reminder that an exploitation-first feed surfaces operational-technology exposure that consumer-tech headlines skip. The long tail (70 of 87 vendors appearing once) matches what defenders experience: most risk arrives from software you forgot you ran.
Vendor attribution order: KEV vendorProject → NVD CPE vendor → the report’s vendor/product string (first token). 125 of 135 CVEs attributable; counts are unique CVEs, not mentions. Name normalization is light (case-folding plus a short alias list), so closely related entries (e.g. Google / Android / Chromium) are counted as KEV lists them – treat ±1 as noise. Script: _scratch/analysis2.py.

Small n, short window. 83 briefings, 135 CVEs, 83 days. These are counts from one young corpus, not industry statistics. Percentages above are descriptive; none should be extrapolated beyond this dataset.
Two-tier verification depth. 71 of 135 CVEs predate the pipeline storing full NVD state (mid-May 2026). All 135 were checked against the KEV catalog, but only the 64 pipeline-enriched records contribute to CVSS, lag, and EPSS figures.
Dropped analyses. (1) NVD enrichment lag – how long CVEs stayed “partially verified” before NVD data landed – was dropped because briefings are re-enriched in place: the historical state isn’t recorded, and the 12 days of publish-time telemetry we do have contain only 2 reserved-at-publish CVEs. (2) Per-vendor KEV-lag medians – dropped because no vendor reaches n=3. We’d rather show fewer findings than manufacture them.
Reproduce it. Raw data: /api/v1/cves.json and /api/v1/briefings.json (the same JSON this site renders from), plus the public CISA KEV catalog and NVD. The severity re-score before/after is verifiable in the site’s git history (commit 5959330, 2026-05-29). Found an error? contact@defend.network – we correct promptly and say so.
The corpus behind this report grows by one briefing every day at 04:00 UTC. Free for security professionals.