
// #patch-prioritisation

2 articles

🔬 Assessment

CISA Adds Eight CVEs to KEV: PaperCut, JetBrains TeamCity, and Cisco SD-WAN Actively Exploited

CISA's April 20 Known Exploited Vulnerabilities addition is the largest single-day batch this month, confirming active exploitation across enterprise print management, CI/CD pipelines, content management, and Cisco SD-WAN infrastructure. The batch spans CVE publication years from 2023 to 2026, demonstrating that unpatched legacy vulnerabilities continue to be weaponised alongside newly disclosed flaws. Federal agencies face a BOD 22-01 remediation deadline, and private sector organisations should treat these as immediate prioritisation signals.

#cisa-kev +8
🔬 Assessment

NIST Ends Full NVD Enrichment — What It Means for Your Vulnerability Management Programme

NIST has announced it will no longer enrich every CVE record in the National Vulnerability Database, shifting to a risk-based model that prioritises only the most critical submissions. With CVE volumes up 263% since 2020 and the NVD backlog now officially unresolvable, security teams that rely on NVD CVSS scores and CPE data for vulnerability prioritisation must urgently adapt their tooling and workflows.

#nvd +5

Commentary tagged #patch-prioritisation

Opinion

When Everything Is Critical, Nothing Is: The CVSS Severity Inflation Problem

Q2 2026 has produced more CVSS 9.0+ vulnerabilities than most organisations can effectively respond to simultaneously. Part of the problem is the sheer volume of vulnerabilities being disclosed. Part of the problem is that CVSS scoring has drifted toward higher scores over time, reducing the signal value of 'critical' as a triage category.
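The three pieces above make one operational point: KEV membership is a stronger prioritisation signal than a CVSS number, NVD can no longer be assumed to have scored or CPE-tagged a record, and a 'critical' score on its own no longer separates the queue. The script below, an added example and not code from the page or from CipherWatch, ranks findings on that basis: confirmed exploitation first, then any available CVSS score (NVD's own, falling back to the CNA-supplied score when NVD has not enriched the record), with unscored records kept visible rather than buried. It assumes input in the shape of the NVD API 2.0 response and the CISA KEV catalog JSON; every record, CVE ID, CPE string and date in it is constructed for illustration and refers to no real vulnerability.

```python
"""Rank CVE findings when NVD enrichment and a 'critical' CVSS score cannot be relied on.

Added example, not the page's or CipherWatch's code. Assumptions: input follows the
NVD API 2.0 response shape and the CISA KEV catalog JSON shape; every record, CVE ID,
CPE string and date below is constructed for illustration and is not a real vulnerability.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed NVD-style records (placeholder CVE IDs, not real vulnerabilities).
SAMPLE_NVD = {"vulnerabilities": [
    {"cve": {"id": "CVE-2023-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [
                 {"source": "nvd@nist.gov", "type": "Primary",
                  "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"criteria": "cpe:2.3:a:example:print:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-2025-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [          # CNA score only, NVD has not enriched
                 {"source": "cna@example.org", "type": "Secondary",
                  "cvssData": {"baseScore": 9.1, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-2025-0003", "vulnStatus": "Awaiting Analysis"}},   # no score at all
    {"cve": {"id": "CVE-2024-0004", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [
                 {"source": "nvd@nist.gov", "type": "Primary",
                  "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"criteria": "cpe:2.3:a:example:cms:2.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-2026-0005", "vulnStatus": "Awaiting Analysis"}},   # in KEV, unscored
]}

# Constructed KEV-style entries (field names as in CISA's catalog JSON; dates are illustrative).
SAMPLE_KEV = {"vulnerabilities": [
    {"cveID": "CVE-2023-0001", "dateAdded": "2026-04-20", "dueDate": "2026-05-11"},
    {"cveID": "CVE-2026-0005", "dateAdded": "2026-04-06", "dueDate": "2026-04-27"},
]}


@dataclass
class Triage:
    cve_id: str
    score: Optional[float]
    score_source: str        # "nvd", "cna" or "none"
    enriched: bool           # NVD supplied both a CVSS score and CPE configurations
    kev_due: Optional[date]  # BOD 22-01 due date when the CVE is in KEV
    tier: int                # 0 = KEV, 1 = score >= 9.0, 2 = score >= 7.0 or unscored, 3 = rest


def best_cvss(cve: dict) -> Tuple[Optional[float], str]:
    """Prefer an NVD-scored metric; fall back to a CNA-supplied one; else unscored."""
    nvd_score: Optional[float] = None
    cna_score: Optional[float] = None
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30"):
        for metric in cve.get("metrics", {}).get(key, []):
            score = float(metric["cvssData"]["baseScore"])
            if metric.get("source") == "nvd@nist.gov":
                nvd_score = score if nvd_score is None else nvd_score
            else:
                cna_score = score if cna_score is None else cna_score
    if nvd_score is not None:
        return nvd_score, "nvd"
    if cna_score is not None:
        return cna_score, "cna"
    return None, "none"


def assign_tier(score: Optional[float], in_kev: bool) -> int:
    if in_kev:           # confirmed exploitation outranks any score, or the lack of one
        return 0
    if score is None:    # unscored: keep it visible instead of sinking it to the bottom
        return 2
    if score >= 9.0:
        return 1
    if score >= 7.0:
        return 2
    return 3


def triage(nvd_doc: dict, kev_doc: dict) -> List[Triage]:
    """Rank records: KEV first (earliest deadline first), then by best available score."""
    kev_due = {e["cveID"]: date.fromisoformat(e["dueDate"]) for e in kev_doc["vulnerabilities"]}
    rows: List[Triage] = []
    for entry in nvd_doc["vulnerabilities"]:
        cve = entry["cve"]
        score, source = best_cvss(cve)
        due = kev_due.get(cve["id"])
        rows.append(Triage(
            cve_id=cve["id"], score=score, score_source=source,
            enriched=(source == "nvd" and bool(cve.get("configurations"))),
            kev_due=due, tier=assign_tier(score, due is not None)))
    # Within a tier: earliest KEV deadline first, then highest score; unscored records last.
    rows.sort(key=lambda r: (r.tier, r.kev_due or date.max,
                             -(r.score if r.score is not None else -1.0)))
    return rows


def unenriched_ids(rows: List[Triage]) -> List[str]:
    """Records a CPE-matching scanner would miss or mis-score because NVD never enriched them."""
    return [r.cve_id for r in rows if not r.enriched]


if __name__ == "__main__":
    ranked = triage(SAMPLE_NVD, SAMPLE_KEV)
    for r in ranked:
        print(f"tier {r.tier}  {r.cve_id}  score={r.score} ({r.score_source})  "
              f"enriched={r.enriched}  kev_due={r.kev_due}")
    print("need manual enrichment:", unenriched_ids(ranked))
```

Two design choices matter here. A KEV entry with no score at all still lands at the top, because the catalog is evidence of exploitation and the absence of a CVSS number says nothing about risk. And the `enriched` flag is separate from the score: a CNA-scored record is rankable but will still be invisible to any scanner that matches on NVD CPE configurations, so those IDs need to be fed into the tooling by hand.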

CipherWatch Editorial

Security Intelligence Platform