Actively Exploited CVEs and Zero-Days: PoC Tracker 2026

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Vulnerability management has always been a race against time, but the finish line moved. In 2024 the IBM X-Force Threat Intelligence Index documented that the median time-to-exploit after a public proof-of-concept dropped to fewer than five days. A CVSS score alone no longer provides enough signal. A 7.5 CVSS with a public PoC on GitHub and an exposed internet-facing asset is a five-alarm event. A 9.8 with no public PoC and no KEV entry can sometimes wait a standard patch cycle. This tracker aggregates the PoC availability signal in one monthly-updated reference.
Why a PoC Tracker Changes Everything
Vulnerability management has always been a race against time, but the finish line moved. In 2024 the IBM X-Force Threat Intelligence Index documented that the median time-to-exploit after a public proof-of-concept dropped to fewer than five days. That figure has held into 2026. A CVSS score alone no longer gives a team enough signal. A 7.5 CVSS with a public PoC on GitHub and an exposed internet-facing asset is a five-alarm event. A 9.8 with no public PoC and no KEV entry can sometimes wait a standard patch cycle. The presence of working exploit code is the variable that collapses the remediation window. This page exists because that variable is scattered: across GitHub search results, Exploit-DB, Packet Storm, NVD references, and Mastodon threads. We aggregate it into one monthly-updated reference so analysts, vulnerability management teams, and SOC leads can orient quickly and act. Each entry below carries a CVSS v4 score where NIST has published one, a CVSS v3.1 score for backward compatibility with existing SIEM rules, KEV status, PoC availability, observed exploitation status, and patch advisory links.
How to Read This Tracker
Each CVE entry in this tracker follows a consistent format to let you scan fast and act faster. The fields are as follows:
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
2025-2026 High-Risk CVE Reference Table
The following CVEs represent the highest-priority entries in our tracker as of July 2026. All have either confirmed active exploitation, a public PoC, or both. Entries are sorted by exploitation status severity, then CVSS v4 score descending.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Using CISA KEV as an Automation Signal
The CISA Known Exploited Vulnerabilities catalog is the closest thing the industry has to a mandatory triage queue. Federal civilian agencies are required to patch KEV entries within prescribed deadlines (typically 14 days for critical, 30 days for high severity). Private sector organizations should treat the KEV flag as an escalation signal that collapses their normal patch SLA. Here is how to operationalize the KEV catalog:
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Finding PoC Code: A Sourcing Guide
Knowing whether a public PoC exists changes your patch prioritization immediately. These are the canonical sources threat intel teams should monitor:
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Detection Guidance: Sigma and YARA Resources
A PoC tracker is only half the defense equation. Detection engineering is the other half. The following resources give SOC teams a head start on building detection coverage for the CVEs in this tracker:
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Patch Prioritization Framework
Not every critical CVE can be patched on day one. A defensible triage framework accounts for four variables simultaneously. Apply this scoring to your asset inventory after each new CVE disclosure:
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The Cost of Waiting: Key Benchmarks
These figures ground the urgency behind the tracker's PoC and KEV columns in real financial and operational terms:
Honorable Mentions: On Watch for Weaponization
The following CVEs carry significant risk signals but have not yet crossed into confirmed mass exploitation as of July 2026. Monitor these closely; any of them could shift to the main table within weeks:
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
How This Tracker Is Maintained
This page is updated in the first week of each month. The update cycle includes reviewing new CISA KEV additions from the prior month, checking NVD for CVSS v4 score updates on existing entries, adding newly disclosed CVEs that meet our inclusion threshold (KEV-listed, or CVSS v4 >= 7.5 with confirmed PoC, or attributed to a named threat actor campaign), and retiring CVEs that are more than 24 months old with no ongoing exploitation activity to a separate archive page. Our inclusion process draws on CISA KEV, the NVD API, VulnCheck, Greynoise, and threat intel reports from Mandiant, Recorded Future, Microsoft MSRC, and independent security researchers. When a CVE is referenced in a Decryption Digest deep-dive analysis, that link appears in the DD Analysis column of the main table.
Quick-Reference Glossary
Terms used throughout this tracker:
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
The presence of a public proof-of-concept collapses your remediation window from days to hours. The most defensible patch prioritization framework cross-references three signals simultaneously: CISA KEV status (mandatory), CVSS v4 score (severity), and public PoC availability (urgency multiplier). Any CVE that is KEV-listed with a public PoC on an internet-facing asset should be treated as a 48-hour emergency regardless of CVSS score. Automate the KEV feed into your SIEM and asset management tooling -- manual triage at this cadence is not sustainable.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
