
May 26, 2026 · 7 min read

CISA Opened Its Known Exploited Vulnerabilities Catalog to Outside Researchers on May 21 With a Structured Nomination Form—The Agency That Previously Took Submissions by Email at vulnerability@cisa.dhs.gov Now Wants the Data Fields Filled In Before It Triages the Report

CISA announced the new KEV Nomination Form on May 21 as part of a broader push to formalize how it ingests evidence of in-the-wild exploitation. The form ties into CISA's Vulnerability Disclosure Policy Platform and Coordinated Vulnerability Disclosure Program, requires structured fields that the previous email pathway did not collect, and is meant to shrink the lag between independent researchers finding active exploitation and federal agencies getting a binding patch deadline.


Key Takeaways

  • CISA announced the new KEV Nomination Form on May 21, 2026, opening a structured intake channel for researchers, vendors, and industry partners to report evidence of in-the-wild vulnerability exploitation.
  • The form replaces a plain email submission pathway (vulnerability@cisa.dhs.gov) that the agency had used since the KEV catalog launched in November 2021. Email remains accepted but is now considered the fallback path.
  • The new form is integrated with CISA's Vulnerability Disclosure Policy Platform and the Coordinated Vulnerability Disclosure Program, both of which extend legal protections to security researchers acting in good faith.
  • Inclusion in the KEV catalog triggers Binding Operational Directive 22-01, which requires federal civilian agencies to patch the listed vulnerability within a CISA-defined window (typically two to three weeks) or remove the affected system from service.
  • The change matters because the KEV catalog has become the de facto reference patch list for the rest of the federal government, state and local agencies, and many regulated industries—getting a confirmed exploit added to the catalog moves real patching capacity.

What Is the KEV Catalog?

The Known Exploited Vulnerabilities catalog is CISA's authoritative list of vulnerabilities that have been confirmed exploited in the wild against US targets or against the broader public ecosystem. CISA launched it in November 2021 alongside Binding Operational Directive 22-01, which gave the agency the authority to require federal civilian executive branch agencies to remediate KEV-listed bugs within set deadlines.

The KEV catalog grew from a few dozen entries to over 1,400 by May 2026. Each entry carries the CVE ID, a short description, the date added, the federal patching deadline, the affected vendor and product, and a required action—usually "apply mitigations per vendor instructions" or "follow vendor's published guidance". Most regulated US sectors and a large fraction of state and local governments now use KEV as a forcing function for their own vulnerability management work, even though BOD 22-01 only legally binds federal civilian agencies.

CISA has historically populated KEV by drawing from internal intelligence, public security research, vendor advisories, and a smaller stream of inbound reports sent to vulnerability@cisa.dhs.gov. The email pathway worked, but it relied on whoever was triaging the inbox to ask follow-up questions, normalize the data, and decide whether the report met the in-the-wild exploitation threshold. The new form moves that normalization upstream.

What Does the Nomination Form Require?

The form, published at cisa.gov, is structured around the data CISA needs to validate a KEV nomination and decide whether to add it. Submitters provide:

  • The CVE ID (or, if no CVE exists yet, vendor and product identifying details).
  • Evidence of in the wild exploitation. CISA's standard is that the exploit must be observed in real attacks, not merely demonstrated as a proof of concept against a lab system.
  • The source of the evidence. Researcher firsthand observation, incident response engagement, threat intelligence vendor reporting, and customer reports are all accepted with appropriate sourcing.
  • Affected products and versions, in the precise form CISA uses to write the catalog entry.
  • Recommended mitigations or vendor guidance to publish alongside the entry.
  • Submitter contact information for follow-up questions. Anonymous nominations are accepted, but the form encourages providing a contact channel for verification.

The form lives alongside CISA's existing Vulnerability Disclosure Policy Platform, which provides a hosted intake point for federal agencies' own VDP programs, and the Coordinated Vulnerability Disclosure Program, which is CISA's general framework for handling disclosure between researchers, vendors, and downstream defenders. Good faith research within those programs receives the legal safe harbor that comes with CISA's published VDP standards.

Why Does This Matter for Patch Cadence?

A KEV listing is the single most reliable forcing function in the public sector vulnerability management pipeline. When CISA adds a CVE to the catalog, federal civilian agencies move resources to patch it. Two to three weeks later, the patch is largely deployed across the executive branch. The reporting that powers the next quarter's Federal Information Security Modernization Act metric depends on it. Agencies that miss the deadline have to file mitigation plans or take the system offline.

For everyone else—state and local agencies, regulated industry, large enterprises with their own VM programs—the KEV listing is the strongest justification a security team can offer to leadership for an emergency patch cycle. "CISA added it" carries more weight with most boards than CVSS scores, vendor blog posts, or threat intelligence vendor alerts. A faster path from researcher discovery to KEV listing therefore moves real patching capacity across the entire defended ecosystem.

The change is incremental, not revolutionary. CISA already added 7 vulnerabilities to KEV on May 20, the day before the form launched, and an additional one on May 14. The cadence is roughly two to four entries per week across 2026. The new form will likely shift the proportion of entries that come from outside researchers upward and reduce the average time between detection and inclusion.

What Counts as Evidence of In the Wild Exploitation?

CISA's standard, repeated in agency briefings and in the form's documentation, is that "in the wild" means the exploit has been used against a real victim. A proof-of-concept exploit, a Metasploit module, or a published technical writeup is necessary background but not by itself sufficient. CISA wants observational evidence: log entries from a compromised system, incident response engagement notes, telemetry from an EDR vendor showing payload delivery, or a published vendor advisory that explicitly states active exploitation.

The evidence standard exists to prevent the catalog from being inflated with PoC-only bugs, which would erode the binding force of BOD 22-01. The flip side is that researchers who find a serious unpatched bug but cannot yet point to live abuse are pushed toward the Coordinated Vulnerability Disclosure track and away from KEV. Most published exploitation research follows roughly that funnel today—publication, vendor advisory, then KEV after telemetry confirms attacks.

What Does This Mean for Email Security Programs?

Email infrastructure—Exchange, Postfix, Sendmail, Zimbra, Proofpoint, Mimecast, and the surrounding mail handling stack—has produced more KEV entries than almost any other product category since 2021. The most recent additions include Microsoft's Exchange Server CVE-2026-42897 OWA XSS zero-day and the Zimbra cross-site scripting bug from late April that CISA gave agencies three days to patch.

For email administrators inside federal agencies and the regulated downstream sectors that mirror CISA timelines, the new nomination form means the gap between researcher discovery of an actively exploited email bug and a binding patch deadline gets shorter. For email security teams in the private sector, KEV remains the highest-signal queue to track. Subscribing to the catalog's RSS feed and pre-staging the patch process for any email infrastructure listing is the most cost-effective way to keep your mail flow in operating condition through the next exploitation cycle.
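Tracking the catalog and pre-staging patches for mail infrastructure, as the paragraph above recommends, is easy to automate against the entry fields described earlier (CVE ID, vendor and product, date added, due date, required action). The script below is an added example, not CISA's code and not anything published with this article. It parses a feed in the shape of CISA's KEV JSON export (the field names cveID, vendorProject, product, dateAdded, dueDate, requiredAction and shortDescription are assumed to match that export), keeps only entries for the mail-handling products this post names, and sorts them by days remaining to the BOD 22-01 due date so overdue items surface first. The sample feed, its CVE IDs and its dates are constructed placeholders, not real catalog records.

```python
"""Triage a KEV-shaped feed for mail-infrastructure entries.

Added example, not CISA's code. Field names follow CISA's published KEV JSON
export (assumed); every record below is a constructed placeholder.
"""
import json
from datetime import date

# Constructed sample feed in the shape of the KEV JSON export.
# CVE IDs and dates are placeholders, not real catalog entries.
SAMPLE_FEED = json.dumps({
    "title": "Constructed sample catalog",
    "vulnerabilities": [
        {"cveID": "CVE-2026-00001", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2026-05-20", "dueDate": "2026-06-10",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "shortDescription": "Placeholder OWA cross-site scripting entry."},
        {"cveID": "CVE-2026-00002", "vendorProject": "Zimbra", "product": "Collaboration Suite",
         "dateAdded": "2026-04-28", "dueDate": "2026-05-01",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "shortDescription": "Placeholder cross-site scripting entry."},
        {"cveID": "CVE-2026-00003", "vendorProject": "ExampleVendor", "product": "Router Firmware",
         "dateAdded": "2026-05-20", "dueDate": "2026-06-10",
         "requiredAction": "Follow vendor's published guidance.",
         "shortDescription": "Placeholder network device entry (not mail)."},
    ],
})

# Reference date used by the stand-alone run and the checks (constructed).
SAMPLE_TODAY = date(2026, 5, 26)

# Vendor/product substrings treated as mail-handling infrastructure.
# Extend this to match the mail stack you actually operate.
EMAIL_WATCHLIST = ("exchange server", "postfix", "sendmail", "zimbra", "proofpoint", "mimecast")


def parse_kev(feed_text: str) -> list[dict]:
    """Parse the KEV JSON export and return its list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def is_email_infrastructure(entry: dict) -> bool:
    """True when the vendor or product name matches the mail-stack watch list."""
    haystack = f"{entry['vendorProject']} {entry['product']}".lower()
    return any(tag in haystack for tag in EMAIL_WATCHLIST)


def days_until_due(entry: dict, today: date) -> int:
    """Days remaining until the BOD 22-01 due date; negative once overdue."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def triage(feed_text: str, today: date) -> list[dict]:
    """Return mail-stack entries sorted most urgent first, each with a status.

    Status is 'overdue' when the federal due date has already passed,
    otherwise 'open'. Non-mail entries are dropped.
    """
    rows = []
    for entry in parse_kev(feed_text):
        if not is_email_infrastructure(entry):
            continue
        remaining = days_until_due(entry, today)
        rows.append({
            "cve": entry["cveID"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "added": entry["dateAdded"],
            "due": entry["dueDate"],
            "days_left": remaining,
            "status": "overdue" if remaining < 0 else "open",
            "action": entry["requiredAction"],
        })
    return sorted(rows, key=lambda r: r["days_left"])


if __name__ == "__main__":
    for row in triage(SAMPLE_FEED, SAMPLE_TODAY):
        print(f"{row['cve']:<16} {row['product']:<32} due {row['due']} "
              f"({row['days_left']:+d}d) {row['status']}: {row['action']}")
```

Pointing `parse_kev` at the real export instead of `SAMPLE_FEED` turns this into a daily job; the useful output is the sorted list, which is why `triage` returns it rather than only printing it.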

The form itself is a small change. The structural change behind it—CISA making the KEV ingest pipeline transparent to outside researchers and shorter to operate—is the kind of public sector security improvement that compounds quietly. Email defenders will notice it through faster turnaround on the next email server CVE that hits in the wild before patches exist.
