State of Exploited Vulnerabilities — Q2 2026
Coverage period: April 1 – June 30, 2026
Data source: CISA Known Exploited Vulnerabilities (KEV) catalog + Daily CyberSecurity CVE Watchtower
Published: July 2026
Executive Summary
CISA added 75 vulnerabilities to the Known Exploited Vulnerabilities catalog in Q2 2026, a 5.6% increase from the 71 additions recorded in Q1. More than a quarter of those — 28%, or 21 CVEs — carried a Critical CVSS score of 9.0 or above. The average EPSS score across all 75 entries was 40.8%, and 30 CVEs exceeded the 50% exploitation probability threshold. The median CVSS was 8.6, confirming that the vulnerabilities reaching active exploitation this quarter were consistently high-severity, not edge cases.
Microsoft remained the most-targeted vendor with 15 confirmed exploited CVEs. Cisco came second with 7. Notably, three smaller vendors — SimpleHelp, Ubiquiti, and BerriAI — each appeared with 3 or more exploited CVEs, signaling that attackers are no longer limiting their focus to tier-one enterprise targets.
The single most striking data point this quarter is the Publication → KEV gap. The average gap between a CVE’s publication date and its appearance in the KEV catalog was 1,072 days — nearly three years. However, the median was just 68 days, revealing that a small number of very old CVEs are skewing the average sharply upward. The most urgent figure for defenders is this: 22% of exploited CVEs in Q2 were weaponized within 7 days of publication. One in five confirmed exploitations happened before most patch cycles could respond.
1. Headline Numbers
| Metric | Q2 2026 | Q1 2026 | Change |
|---|---|---|---|
| KEV additions | 75 | 71 | +5.6% |
| Critical (CVSS ≥ 9) | 21 (28%) | — | — |
| EPSS ≥ 50% | 30 | — | — |
| Average EPSS | 40.8% | — | — |
| Median CVSS | 8.6 | — | — |
The quarter-over-quarter increase was modest, but the severity profile remained elevated. A median CVSS of 8.6 means the typical exploited CVE this quarter sat firmly in the High-to-Critical range, leaving little room for a “wait and assess” patching posture.
2. Monthly Breakdown
| Month | KEV Additions |
|---|---|
| April 2026 | 31 |
| May 2026 | 21 |
| June 2026 | 23 |
April was the heaviest month, accounting for 41% of the quarter’s total additions. This aligns with Microsoft’s April Patch Tuesday cycle and a cluster of network device vulnerabilities disclosed in late March that entered KEV in early April. May saw the lowest volume, though it included two of the quarter’s highest-EPSS entries. June recovered to 23 additions, driven by Oracle and Splunk disclosures in mid-June.
3. Most-Targeted Vendors
| Vendor | Exploited CVEs in Q2 |
|---|---|
| Microsoft | 15 |
| Cisco | 7 |
| SimpleHelp | 3 |
| Ubiquiti | 3 |
| Ivanti | 3 |
| Adobe | 3 |
| LiteSpeed | 2 |
| Oracle | 2 |
| 2 | |
| BerriAI | 2 |
Microsoft’s dominance at the top of the exploited CVE list is consistent with previous quarters and reflects the scale of its deployment footprint rather than any single product failure. Cisco’s 7 exploited CVEs in Q2 represent a notable concentration for a single quarter, with the Cisco Catalyst SD-WAN (CVE-2026-20182, CVSS 10.0, EPSS 88.5%) being the most severe entry.
The appearance of SimpleHelp, Ubiquiti, and BerriAI is worth highlighting. These are not tier-one enterprise software vendors. Their presence confirms a broadening attack surface: threat actors are actively seeking exploitable paths through remote support tools, network infrastructure, and AI API proxies — product categories that are often subject to less rigorous patch discipline than core enterprise platforms.
4. Top 10 Exploited CVEs by EPSS
| CVE | Vendor / Product | CVSS | EPSS | Added to KEV |
|---|---|---|---|---|
| CVE-2026-10520 | Ivanti Sentry | 10.0 | 99.0% | Jun 11, 2026 |
| CVE-2008-4250 | Microsoft Windows | 9.8 | 98.8% | May 20, 2026 |
| CVE-2026-34197 | Apache ActiveMQ | 8.8 | 96.7% | Apr 16, 2026 |
| CVE-2026-31431 | Linux Kernel | 7.8 | 96.3% | May 1, 2026 |
| CVE-2026-35273 | Oracle PeopleSoft Enterprise PeopleTools | 9.8 | 92.3% | Jun 12, 2026 |
| CVE-2010-0249 | Microsoft Internet Explorer | 8.8 | 91.9% | May 20, 2026 |
| CVE-2024-27199 | JetBrains TeamCity | 7.3 | 90.9% | Apr 20, 2026 |
| CVE-2026-41940 | WebPros cPanel & WHM / WP2 | 9.8 | 90.8% | Apr 30, 2026 |
| CVE-2026-20182 | Cisco Catalyst SD-WAN | 10.0 | 88.5% | May 14, 2026 |
| CVE-2026-20253 | Splunk Enterprise | 9.8 | 88.2% | Jun 18, 2026 |
Two entries in this table deserve special attention.
CVE-2008-4250 is an 18-year-old vulnerability in Microsoft Windows (MS08-067) that entered KEV in May 2026 with a 98.8% EPSS score. Its presence confirms that legacy systems running unpatched Windows Server 2003 and Windows XP remain active targets — and that attackers continue to weaponize decade-old exploits against environments that have never been modernized.
CVE-2010-0249, the Internet Explorer “Aurora” vulnerability exploited in Operation Aurora, similarly entered KEV at 91.9% EPSS in May 2026. Both entries together account for a significant portion of the average gap inflation seen in Section 5.
CVE-2026-10520 (Ivanti Sentry, CVSS 10.0, EPSS 99.0%) is the most urgent entry for organizations currently running Ivanti infrastructure. With a perfect severity score and near-certain exploitation probability, it should be treated as an immediate emergency patch regardless of compensating controls.
5. Top Weakness Types (CWE)
| CWE | Description | Count |
|---|---|---|
| CWE-20 | Improper Input Validation | 5 |
| CWE-287 | Improper Authentication | 5 |
| CWE-22 | Path Traversal | 5 |
| CWE-94 | Code Injection | 4 |
| CWE-306 | Missing Authentication for Critical Function | 4 |
| CWE-416 | Use After Free | 3 |
| CWE-89 | SQL Injection | 3 |
| CWE-284 | Improper Access Control | 3 |
| CWE-59 | Improper Link Resolution (Symlink) | 3 |
| CWE-506 | Embedded Malicious Code | 3 |
Three weakness categories tied at the top with 5 entries each: improper input validation (CWE-20), improper authentication (CWE-287), and path traversal (CWE-22). Together with CWE-306 (missing authentication), authentication and access control failures account for 14 of the top 30 CWE-mapped entries — a consistent pattern that reinforces the value of multi-factor authentication, zero-trust network segmentation, and rigorous API authentication enforcement.
The presence of CWE-506 (Embedded Malicious Code) with 3 entries is unusual and warrants attention. This category typically indicates supply chain compromise or trojanized components rather than a conventional implementation flaw. Its appearance in the top 10 suggests threat actors are investing in upstream compromise as an exploitation vector at a meaningful scale.
6. Publication → KEV Gap
| Metric | Value |
|---|---|
| CVEs with parseable publish date | 51 / 75 (68%) |
| Average gap | 1,072 days |
| Median gap | 68 days |
| Exploited within 7 days of publication | 11 (22%) |
The average gap of 1,072 days is almost entirely explained by the two legacy CVEs from 2008 and 2010 discussed in Section 4. Removing those two entries would bring the average substantially closer to the median.
The operationally relevant figure is the median: 68 days. Half of all exploited CVEs this quarter were weaponized within two months of publication. For organizations on a quarterly patch cycle, this means approximately half of the CVEs that entered KEV in Q2 were already being exploited before the next scheduled patch window opened.
Most urgently: 22% of Q2’s exploited CVEs — 11 out of 51 — were weaponized within 7 days of their CVE publication date. This is the window that represents a genuine zero-day-equivalent risk for most organizations. Vendors cannot be expected to ship patches faster than disclosure; organizations need compensating controls (WAF rules, network segmentation, detection signatures) active within hours of a high-severity publication, not weeks.
Methodology
This report covers all CVEs added to the CISA Known Exploited Vulnerabilities catalog between April 1 and June 30, 2026. CVSS and EPSS data are sourced from the Daily CyberSecurity CVE Watchtower database, enriched where necessary from the official CVE record via cveawg.mitre.org. Vendor attribution uses the vendorProject field in the CISA KEV feed directly. CWE classification is extracted from CVE raw data. Publication-to-KEV gap calculations use the CVE publication date from the NVD record; 24 of 75 CVEs (32%) lacked a parseable publication date and are excluded from gap statistics. All figures were generated on July 11, 2026.
Download and Citation
This report is published under a free-to-reference license. When citing figures, please attribute Daily CyberSecurity and link to this page. For the underlying data, see our CVE Watchtower and Top Exploited CVEs tracker.
Next report: State of Exploited Vulnerabilities — Q3 2026, scheduled for October 2026.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.