CISA has added one new vulnerability, CVE-2026-35273, related to Oracle PeopleSoft Enterprise, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. This vulnerability is considered a significant risk for federal enterprises. Binding Operational Directive (BOD) 26-04 emphasizes the need for federal agencies to prioritize remediation of high-risk vulnerabilities, particularly those in the KEV catalog.
While BOD 26-04 applies only to Federal Civilian Executive Branch agencies, CISA recommends all organizations adopt similar risk-based vulnerability management practices. Organizations aware of vulnerabilities not listed in the KEV catalog are encouraged to submit nominations.