IN Q2 2026, 75 vulnerabilities were added to the CISA's Known Exploited Vulnerabilities (KEV) catalog, marking a 5.6% increase from the previous quarter. Notably, 21 of these vulnerabilities had a critical CVSS score of 9.0 or higher, indicating high severity. Microsoft was the most targeted vendor with 15 exploited CVEs, followed by Cisco with 7.
The average time between CVE publication and exploitation was 1,072 days, skewed by old vulnerabilities; nonetheless, 22% were exploited within just 7 days of publication. The report highlights a need for urgent patching strategies, as many vulnerabilities are weaponized quickly, presenting significant risks.