Critical vulnerabilities and CVEs
How to prioritize risks with public NVD and CISA KEV data — volume, severity and what really matters to defend.
What is a CVE and why volume matters
CVE (Common Vulnerabilities and Exposures) is a unique identifier for each known security vulnerability, published by NIST's NVD (National Vulnerability Database). Each CVE includes a CVSS (Common Vulnerability Scoring System) score from 0 to 10 indicating severity.
Real CVE volume (last 30 days) — NVD
Data collected via NVD API (NIST). June 2026. VAIA updates this data periodically.
CISA KEV: the list that really matters
CISA (Cybersecurity and Infrastructure Security Agency) maintains the Known Exploited Vulnerabilities (KEV) catalog — a list of CVEs with confirmed active exploitation in the field. While NVD lists all known CVEs, KEV lists only those attackers are already actively using. It is the highest priority list.
1. CISA KEV first — requires immediate remediation if the system is exposed.
2. CVSS ≥ 9.0 on internet-facing systems — critical with high attack visibility.
3. CVSS 7.0–8.9 on systems with sensitive data — high contextual risk.
4. CVEs ≤ 6.9 on isolated systems — remediate in the normal patch management cycle.
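The four-tier order above applied to a scanner export, as an added example (not VAIA's code). The `Finding` fields, the placeholder CVE IDs and the choice to send anything the list does not cover (for example a 9.x score on an internal host, or a CVE with no score yet) to manual review are assumptions.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample shaped like CISA's KEV JSON feed; the CVE IDs are placeholders.
KEV_FEED = json.loads(
    '{"vulnerabilities": [{"cveID": "CVE-0000-0001"}, {"cveID": "CVE-0000-0004"}]}'
)

@dataclass
class Finding:                      # hypothetical scanner record
    cve: str
    cvss: Optional[float]           # None when no score is published yet
    internet_facing: bool = False
    sensitive_data: bool = False
    isolated: bool = False

FINDINGS = [                        # constructed findings for illustration
    Finding("CVE-0000-0001", 6.5, isolated=True),          # low score, but in KEV
    Finding("CVE-0000-0002", 9.8, internet_facing=True),
    Finding("CVE-0000-0003", 7.5, sensitive_data=True),
    Finding("CVE-0000-0004", 9.9, internet_facing=True),   # in KEV
    Finding("CVE-0000-0005", 5.0, isolated=True),
    Finding("CVE-0000-0006", 9.1),                         # critical, internal host
    Finding("CVE-0000-0007", None, internet_facing=True),  # not scored yet
]

def tier(f, kev_ids):
    """Return tier 1-4 from the list; 0 means the list does not cover this case."""
    if f.cve in kev_ids:            # KEV membership outranks any CVSS score
        return 1
    if f.cvss is None:
        return 0
    if f.cvss >= 9.0 and f.internet_facing:
        return 2
    if 7.0 <= f.cvss < 9.0 and f.sensitive_data:
        return 3
    if f.cvss < 7.0 and f.isolated:
        return 4
    return 0

def triage(findings, kev_feed):
    """Split findings into an ordered patch queue and a manual-review list."""
    kev_ids = {v["cveID"] for v in kev_feed["vulnerabilities"]}
    queue, review = [], []
    for f in findings:
        t = tier(f, kev_ids)
        (queue if t else review).append((t, f))
    # Lowest tier number first; within a tier, highest CVSS first.
    queue.sort(key=lambda tf: (tf[0], -(tf[1].cvss or 0.0)))
    return [(t, f.cve) for t, f in queue], [f.cve for _, f in review]
```

Calling `triage(FINDINGS, KEV_FEED)` puts the KEV-listed 6.5 finding ahead of the 9.8 one, which is the point of checking KEV before CVSS.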
What VAIA identified about vulnerabilities
54 vulnerabilities in CISA KEV — all with confirmed exploitation
VAIA monitored 54 CISA KEV entries with documented active exploitation. These vulnerabilities affect products from widely used vendors — any organization with these systems needs to prioritize immediately.
NPM supply chain as an emerging vector
The TanStack Router compromise via NPM signaled that the attack surface migrated to open source dependencies. Packages with many downloads but few maintainers are the next critical vector to monitor.
Monitor CVEs in real time
Access VAIA's Security panel for the complete dynamic view, including CVEs by severity, defensive hiring and active threat signals.