CISA KEV — Known Exploited Vulnerabilities
The CISA KEV (Known Exploited Vulnerabilities) catalog is a list, maintained by the US Cybersecurity and Infrastructure Security Agency, of vulnerabilities that have been confirmed to be actively exploited in real-world attacks. Unlike the full CVE database, which contains tens of thousands of theoretical vulnerabilities, the KEV catalog only includes ones where exploitation has been observed in the wild.
Why KEV is more useful than raw CVE counts
There are over 200,000 CVEs in the NVD. The vast majority will never be exploited against most organizations. Trying to fix everything is impossible — and not necessary. The CISA KEV catalog cuts through the noise: if a CVE is on this list, it's being used in attacks right now. Fix these first.
US federal civilian agencies are legally required to remediate KEV entries within defined timeframes (usually 2 weeks for internet-facing systems). But the list is valuable for any organization — it's the clearest signal available for prioritization.
Open source packages on CISA KEV
The KEV catalog isn't just for government systems — it includes vulnerabilities in widely-used open source packages. Some notable entries relevant to developers:
- Log4j (Log4Shell) — CVE-2021-44228
- Spring Framework (Spring4Shell) — CVE-2022-22965
- Apache Commons Text (Text4Shell) — CVE-2022-42889
- lodash, qs, minimist, jsonwebtoken, vm2 — all npm packages
- SnakeYAML, Netty, Commons Collections — Java packages
How PackageFix uses CISA KEV
PackageFix checks every scanned package against the live CISA KEV catalog, which updates daily. Packages on the KEV list get a red 🔴 CISA KEV badge and appear in the ACTIVELY EXPLOITED banner at the top of scan results — separate from the regular CVE table.
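The check described above (and the due-date prioritization from the federal remediation timeframes earlier on the page), written out as an added example; this is not PackageFix's own code. It assumes the public KEV JSON feed URL and its field names (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, knownRansomwareCampaignUse); the catalog entries and the scan findings embedded below are constructed sample data so the script runs offline, and their dates are illustrative rather than copied from the live catalog.

```python
"""Triage a dependency scan's CVE findings against the CISA KEV catalog.

Added example, not PackageFix code. KEV_FEED_URL and the field names are
those of CISA's public JSON feed; SAMPLE_KEV_JSON and SAMPLE_FINDINGS are
constructed for this example (dates illustrative, not from the live feed).
"""
import json
import urllib.request
from dataclasses import dataclass
from datetime import date

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV feed. The CVE IDs are the ones
# named on this page; the dates and descriptions are illustrative only.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2022-22965", "vendorProject": "VMware", "product": "Spring Framework",
         "vulnerabilityName": "Spring Framework Remote Code Execution Vulnerability",
         "dateAdded": "2022-04-04", "dueDate": "2022-04-25",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2022-42889", "vendorProject": "Apache", "product": "Commons Text",
         "vulnerabilityName": "Apache Commons Text Remote Code Execution Vulnerability",
         "dateAdded": "2022-10-27", "dueDate": "2022-11-17",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


@dataclass(frozen=True)
class Finding:
    """One CVE reported against one package@version by a dependency scanner."""
    package: str
    version: str
    cve_id: str


@dataclass(frozen=True)
class KevHit:
    """A finding whose CVE is in the KEV catalog, with days left to the CISA due date."""
    finding: Finding
    entry: dict
    days_until_due: int  # negative means the due date has already passed


# Constructed scan output; CVE-0000-00000 is a placeholder that is NOT in KEV.
SAMPLE_FINDINGS = [
    Finding("commons-text", "1.9", "CVE-2022-42889"),
    Finding("log4j-core", "2.14.1", "cve-2021-44228"),   # lower case on purpose
    Finding("spring-beans", "5.3.17", "CVE-2022-22965"),
    Finding("example-lib", "1.0.0", "CVE-0000-00000"),
]


def load_kev(raw_json: str) -> dict:
    """Index the KEV feed by upper-cased CVE ID for O(1) lookups."""
    data = json.loads(raw_json)
    return {v["cveID"].upper(): v for v in data["vulnerabilities"]}


def fetch_kev(url: str = KEV_FEED_URL, timeout: int = 15) -> dict:
    """Download the live catalog (it changes daily, so re-fetch per scan, not per process)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def triage(findings, kev: dict, today: date):
    """Split findings into KEV hits (sorted most-overdue first) and everything else."""
    exploited, other = [], []
    for f in findings:
        entry = kev.get(f.cve_id.upper())  # normalise case before lookup
        if entry is None:
            other.append(f)
            continue
        due = date.fromisoformat(entry["dueDate"])
        exploited.append(KevHit(f, entry, (due - today).days))
    exploited.sort(key=lambda h: h.days_until_due)
    return exploited, other


def banner_lines(hits) -> list:
    """Render the 'actively exploited' banner, one line per KEV hit."""
    lines = []
    for h in hits:
        state = f"OVERDUE by {-h.days_until_due}d" if h.days_until_due < 0 else f"due in {h.days_until_due}d"
        ransomware = " [ransomware use known]" if h.entry.get("knownRansomwareCampaignUse") == "Known" else ""
        lines.append(f"{h.finding.package}@{h.finding.version} {h.entry['cveID']} {state}{ransomware}")
    return lines


if __name__ == "__main__":
    hits, rest = triage(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_JSON), today=date(2022, 4, 20))
    print("ACTIVELY EXPLOITED")
    print("\n".join(banner_lines(hits)))
    print("Other CVEs:", [f.cve_id for f in rest])
```

To use it against the real catalog, replace `load_kev(SAMPLE_KEV_JSON)` with `fetch_kev()`; the sort key means an entry whose CISA due date has already passed always lands at the top of the banner, ahead of entries that are still within their window.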
Check your dependencies for CVEs, CISA KEV entries, and supply chain risks.