What April 2026 KEV Additions Mean for Patch Triage
CISA's live KEV feed is moving fast again. Here's how to turn the latest exploited-vulnerability signal into a practical patch queue.

The KEV feed is the patch queue, not background noise
CISA's Known Exploited Vulnerabilities catalog moved again in mid-April 2026, with the live feed showing catalog version 2026.04.16 and 1,569 entries. That number matters less than the operational signal: defenders are still seeing active exploitation across old desktop software, collaboration servers, security tools, edge infrastructure, and developer-facing platforms.
For security teams, this is not a reason to panic. It is a reason to make KEV-driven triage boring, fast, and repeatable.
Treat April additions as an exposure review
The recent additions include Apache ActiveMQ, Microsoft SharePoint Server, Microsoft Office, Adobe Acrobat, Fortinet FortiClient EMS, Microsoft Exchange Server, Ivanti EPMM, Google Dawn, Citrix NetScaler, F5 BIG-IP, Aqua Security Trivy, and Langflow. That spread is the story. The risk is not limited to one vendor or one class of system.
The first question should be inventory: do we run it, is it reachable, who owns it, and how fast can we patch or isolate it?
Build a two-track response
Use two tracks instead of one giant patch list:
- Internet-facing and remotely managed systems: review exposure immediately, confirm vendor guidance, check logs, and patch or isolate first.
- User-facing document and desktop software: verify update status, reduce risky file handling paths, and reinforce attachment handling controls.
This split helps teams act without flattening every vulnerability into the same urgency bucket.
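The inventory question and the two-track split above, as an added Python example (not code from the original post or from CISA): it joins a constructed sample in the shape of the KEV JSON feed against a hypothetical asset inventory. The CVE IDs are placeholders, the dates are constructed, and the inventory layout and `triage` function are assumptions; exact vendor/product matching stands in for real asset normalization.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. CVE IDs are placeholders.
KEV_SAMPLE = json.loads("""
{"catalogVersion": "2026.04.16", "vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "Citrix", "product": "NetScaler",
  "dateAdded": "2026-04-10", "dueDate": "2026-05-01"},
 {"cveID": "CVE-0000-0002", "vendorProject": "Microsoft", "product": "Office",
  "dateAdded": "2026-04-14", "dueDate": "2026-05-05"},
 {"cveID": "CVE-0000-0003", "vendorProject": "F5", "product": "BIG-IP",
  "dateAdded": "2026-04-15", "dueDate": "2026-05-06"},
 {"cveID": "CVE-0000-0004", "vendorProject": "Apache", "product": "ActiveMQ",
  "dateAdded": "2026-04-16", "dueDate": "2026-04-30"},
 {"cveID": "CVE-0000-0005", "vendorProject": "Ivanti", "product": "EPMM",
  "dateAdded": "2026-01-29", "dueDate": "2026-02-19"}
]}
""")

# Hypothetical asset inventory keyed by lower-cased (vendor, product).
INVENTORY = {
    ("citrix", "netscaler"): {"owner": "netops", "internet_facing": True, "hosts": 2},
    ("microsoft", "office"): {"owner": "desktop-eng", "internet_facing": False, "hosts": 840},
    ("apache", "activemq"): {"owner": None, "internet_facing": True, "hosts": 1},
}

def triage(feed, inventory, added_since):
    """Sort KEV entries added on or after added_since into the two tracks."""
    queue = {"track1_exposed": [], "track2_endpoint": [], "not_in_inventory": []}
    for vuln in feed["vulnerabilities"]:
        if date.fromisoformat(vuln["dateAdded"]) < added_since:
            continue  # already handled in an earlier review cycle
        asset = inventory.get((vuln["vendorProject"].lower(), vuln["product"].lower()))
        if asset is None:
            # No inventory hit is a finding to confirm, not proof of absence.
            queue["not_in_inventory"].append(vuln["cveID"])
            continue
        item = {"cve": vuln["cveID"], "owner": asset["owner"] or "UNOWNED",
                "hosts": asset["hosts"], "due": vuln["dueDate"]}
        track = "track1_exposed" if asset["internet_facing"] else "track2_endpoint"
        queue[track].append(item)
    for track in ("track1_exposed", "track2_endpoint"):
        queue[track].sort(key=lambda i: i["due"])  # ISO dates sort lexically
    return queue

if __name__ == "__main__":
    print(json.dumps(triage(KEV_SAMPLE, INVENTORY, date(2026, 4, 1)), indent=2))
```

Entries that land in `not_in_inventory` still need a manual check, since unmanaged endpoints and forgotten installs are exactly what an inventory misses.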
Do not ignore old CVEs
The April list includes older issues, including a Microsoft Office flaw from 2009 and a VBA library loading issue from 2012. Old does not mean irrelevant. Legacy software, forgotten file associations, archived installers, and unmanaged endpoints can keep old attack paths alive.
The lesson is simple: patch age is not the same as risk age. If a vulnerability is in KEV, exploitation evidence brought it back into the operational queue.
Source note
This brief is based on the CISA Known Exploited Vulnerabilities feed, catalog version 2026.04.16, and vendor links referenced inside that feed.