www.cisa.gov 3/20/2026, 4:55:55 PM · via preferred

CISA Adds Five Known Exploited Vulnerabilities to Catalog

Release date: March 20, 2026. According to CISA, five new vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation.

The CVEs are CVE-2025-31277 (Apple Multiple Products Buffer Overflow Vulnerability), CVE-2025-32432 (Craft CMS Code Injection Vulnerability), CVE-2025-43510 (Apple Multiple Products Improper Locking Vulnerability), CVE-2025-43520 (Apple Multiple Products Classic Buffer Overflow Vulnerability), and CVE-2025-54068 (Laravel Livewire Code Injection Vulnerability). These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures that carry significant risk to the federal enterprise, and BOD 22-01 requires agencies to remediate identified vulnerabilities by the due date. CISA urges all organisations to prioritise timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice.

Article by CyberSIXT