<5 days
median time from public PoC publication to first observed in-the-wild exploitation (IBM X-Force, 2024)
$4.88M
average cost of a data breach in 2024, up 10% from the prior year (IBM Cost of a Data Breach Report 2024)
60%
of KEV entries had a public PoC available before the vendor issued a patch -- defenders routinely face weaponized code before a fix exists
32 days
average time-to-patch for critical CVEs across enterprise organizations (Tenable Research, 2024)

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Vulnerability management has always been a race against time, but the finish line moved. In 2024 the IBM X-Force Threat Intelligence Index documented that the median time-to-exploit after a public proof-of-concept dropped to fewer than five days. A CVSS score alone no longer provides enough signal. A 7.5 CVSS with a public PoC on GitHub and an exposed internet-facing asset is a five-alarm event. A 9.8 with no public PoC and no KEV entry can sometimes wait a standard patch cycle. This tracker aggregates the PoC availability signal in one monthly-updated reference.

Why a PoC Tracker Changes Everything

Vulnerability management has always been a race against time, but the finish line moved. In 2024 the IBM X-Force Threat Intelligence Index documented that the median time-to-exploit after a public proof-of-concept dropped to fewer than five days. That figure has held into 2026. A CVSS score alone no longer gives a team enough signal. A 7.5 CVSS with a public PoC on GitHub and an exposed internet-facing asset is a five-alarm event. A 9.8 with no public PoC and no KEV entry can sometimes wait a standard patch cycle. The presence of working exploit code is the variable that collapses the remediation window. This page exists because that variable is scattered: across GitHub search results, Exploit-DB, Packet Storm, NVD references, and Mastodon threads. We aggregate it into one monthly-updated reference so analysts, vulnerability management teams, and SOC leads can orient quickly and act. Each entry below carries a CVSS v4 score where NIST has published one, a CVSS v3.1 score for backward compatibility with existing SIEM rules, KEV status, PoC availability, observed exploitation status, and patch advisory links.

How to Read This Tracker

Each CVE entry in this tracker follows a consistent format to let you scan fast and act faster. The fields are as follows:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

2025-2026 High-Risk CVE Reference Table

The following CVEs represent the highest-priority entries in our tracker as of July 2026. All have either confirmed active exploitation, a public PoC, or both. Entries are sorted by exploitation status severity, then CVSS v4 score descending.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Using CISA KEV as an Automation Signal

The CISA Known Exploited Vulnerabilities catalog is the closest thing the industry has to a mandatory triage queue. Federal civilian agencies are required to patch KEV entries within prescribed deadlines (typically 14 days for critical, 30 days for high severity). Private sector organizations should treat the KEV flag as an escalation signal that collapses their normal patch SLA. Here is how to operationalize the KEV catalog:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Finding PoC Code: A Sourcing Guide

Knowing whether a public PoC exists changes your patch prioritization immediately. These are the canonical sources threat intel teams should monitor:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Detection Guidance: Sigma and YARA Resources

A PoC tracker is only half the defense equation. Detection engineering is the other half. The following resources give SOC teams a head start on building detection coverage for the CVEs in this tracker:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Patch Prioritization Framework

Not every critical CVE can be patched on day one. A defensible triage framework accounts for four variables simultaneously. Apply this scoring to your asset inventory after each new CVE disclosure:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The Cost of Waiting: Key Benchmarks

These figures ground the urgency behind the tracker's PoC and KEV columns in real financial and operational terms:

Honorable Mentions: On Watch for Weaponization

The following CVEs carry significant risk signals but have not yet crossed into confirmed mass exploitation as of July 2026. Monitor these closely; any of them could shift to the main table within weeks:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

How This Tracker Is Maintained

This page is updated in the first week of each month. The update cycle includes reviewing new CISA KEV additions from the prior month, checking NVD for CVSS v4 score updates on existing entries, adding newly disclosed CVEs that meet our inclusion threshold (KEV-listed, or CVSS v4 >= 7.5 with confirmed PoC, or attributed to a named threat actor campaign), and retiring CVEs that are more than 24 months old with no ongoing exploitation activity to a separate archive page. Our inclusion process draws on CISA KEV, the NVD API, VulnCheck, Greynoise, and threat intel reports from Mandiant, Recorded Future, Microsoft MSRC, and independent security researchers. When a CVE is referenced in a Decryption Digest deep-dive analysis, that link appears in the DD Analysis column of the main table.

Quick-Reference Glossary

Terms used throughout this tracker:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

The presence of a public proof-of-concept collapses your remediation window from days to hours. The most defensible patch prioritization framework cross-references three signals simultaneously: CISA KEV status (mandatory), CVSS v4 score (severity), and public PoC availability (urgency multiplier). Any CVE that is KEV-listed with a public PoC on an internet-facing asset should be treated as a 48-hour emergency regardless of CVSS score. Automate the KEV feed into your SIEM and asset management tooling -- manual triage at this cadence is not sustainable.

Sources & references

  1. CISA Known Exploited Vulnerabilities Catalog
  2. NVD - National Vulnerability Database
  3. IBM Cost of a Data Breach Report 2024
  4. VulnCheck KEV Database

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.