CVEs & CISA KEV — Patching the Vulnerabilities That Matter

A CVE is a publicly catalogued software vulnerability with a stable identifier (CVE-YYYY-NNNNN). A KEV entry is a CVE that CISA has added to its Known Exploited Vulnerabilities catalog because there is reliable evidence it is being exploited in the wild. Patching KEV entries first is the single highest-leverage thing you can do for your domain’s security posture.

CVE vs KEV vs CVSS

CVE is the identifier, CVSS is a 0.0 to 10.0 severity score attached to it (NVD publishes one for most entries), and KEV is a yes/no fact about exploitation. CVSS estimates how bad a vulnerability could be if it were exploited; it says nothing about whether anyone is exploiting it, which is why a 7.5 that sits in the KEV catalog outranks a 9.8 that does not.

Why GuardHound flags CVEs against your domain

GuardHound fingerprints the server software exposed by your HTTP response headers (e.g. nginx/1.18.0 or Apache/2.4.46 from the Server: header, WordPress/6.2 from a CMS probe). It then looks up CVEs whose affected-version range covers the detected version in the National Vulnerability Database and surfaces any that are rated critical or appear in the KEV catalog.

False positives happen. Distribution packages (Debian, RHEL and their derivatives) routinely backport a security fix while keeping the upstream version string, so a server reporting nginx/1.18.0 may already carry the fix for a CVE that NVD lists against 1.18.0. Always verify against the NVD entry and the package changelog before scrambling.
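The matching described above, as an added example (not GuardHound’s own code): parse the Server: and X-Powered-By: banners into a product and version, compare the version against a small affected-version table, and flag hits from a banner that names a distribution as "verify backport" rather than treating them as confirmed. The table, the header values and the scan() helper are constructed for this illustration; the two version ranges are the published ones for those CVEs, but a real scanner would query NVD instead of a hard-coded list.

```python
import re
from dataclasses import dataclass

# Constructed affected-version table in the spirit of NVD's CPE range data:
# (product, first affected, last affected, CVE, flagged as in KEV for this example).
AFFECTED = [
    # nginx resolver off-by-one; fixed in 1.20.1 / 1.21.0. KEV flag here is illustrative.
    ("nginx",  "0.6.18", "1.20.0", "CVE-2021-23017", False),
    # Apache path traversal in 2.4.49 only; 2.4.50's fix was incomplete (CVE-2021-42013). Listed in KEV.
    ("apache", "2.4.49", "2.4.49", "CVE-2021-41773", True),
]

# "Product/1.2.3 optional trailing text", e.g. "Apache/2.4.46 (Debian)" or "nginx/1.18.0".
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z][\w.-]*)/(?P<version>\d+(?:\.\d+)*)(?P<rest>.*)$")
# A distribution name in the banner means a distro package, which usually backports fixes.
DISTRO_RE = re.compile(r"\((?:Debian|Ubuntu|Red Hat|CentOS|Rocky|AlmaLinux|SUSE|Fedora)[^)]*\)", re.I)


@dataclass
class Fingerprint:
    product: str
    version: str
    distro_packaged: bool


def fingerprint(header_value):
    """Turn a banner string into a Fingerprint, or None if it carries no version
    (e.g. 'cloudflare', or 'Apache' after ServerTokens Prod)."""
    m = BANNER_RE.match(header_value.strip())
    if not m:
        return None
    return Fingerprint(m["product"].lower(), m["version"], bool(DISTRO_RE.search(m["rest"])))


def vtuple(v):
    return tuple(int(x) for x in v.split("."))


def in_range(version, lo, hi):
    return vtuple(lo) <= vtuple(version) <= vtuple(hi)


def match_cves(fp):
    """CVEs whose affected range covers fp.version. 'verify_backport' is True when the
    banner names a distribution; note nginx banners give no such hint, so False is not proof."""
    hits = []
    for product, lo, hi, cve, in_kev in AFFECTED:
        if fp.product == product and in_range(fp.version, lo, hi):
            hits.append({"cve": cve, "kev": in_kev, "verify_backport": fp.distro_packaged})
    return hits


def scan(headers):
    """headers: dict of response headers (constructed input). Returns one finding per CVE hit."""
    findings = []
    for name in ("Server", "X-Powered-By"):
        value = headers.get(name)
        if not value:
            continue
        fp = fingerprint(value)
        if fp is None:
            continue
        for hit in match_cves(fp):
            findings.append({"header": name, "product": fp.product, "version": fp.version, **hit})
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real host.
    for hdrs in ({"Server": "nginx/1.18.0"},
                 {"Server": "Apache/2.4.49 (Debian)"},
                 {"Server": "Apache/2.4.46 (Debian)", "X-Powered-By": "PHP/7.4.3"},
                 {"Server": "cloudflare"}):
        print(hdrs, "->", scan(hdrs))
```

The point of the verify_backport flag is that a Debian or RHEL banner should send you to the package changelog before you escalate; a bare nginx banner tells you nothing either way, so treat a match there as "probably, check" rather than "confirmed".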

How to remediate

  1. Click each CVE link in the finding to read the NVD entry. Note the affected version range and the recommended fix version.
  2. Upgrade to the fixed version named in the NVD entry or vendor advisory. For backported distro packages (Debian, RHEL), check the package changelog for the CVE ID (apt changelog <pkg> or rpm -q --changelog <pkg>): the security team may already have patched it without bumping the visible version.
  3. If you can’t patch immediately, apply the vendor’s documented mitigation — a WAF rule, a config flag, or disabling the vulnerable feature.
  4. Re-scan to confirm the CVE no longer matches. The KEV count should drop to zero.
  5. Subscribe to CISA’s KEV feed so you hear about new entries within hours, not days.

How to prioritize when you have many CVEs

Patch KEV entries first, whatever their score: they are actively exploited. Then critical CVEs (CVSS 9.0+) on internet-exposed services. Then high CVEs (CVSS 7.0 to 8.9) that are remotely exploitable without authentication (CVSS vector AV:N and PR:N). Lower-severity or local-only (AV:L) CVEs can wait for the next regular patch window.
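The ordering above, together with the KEV-feed subscription from the remediation steps, as an added example that is not GuardHound’s code: a small prioritizer that ranks scanner findings into the four tiers (KEV, critical and exposed, high and remotely exploitable without authentication, everything else) and a helper that picks out entries added to the feed since the last poll. The feed excerpt is constructed in the shape of CISA’s JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); CVE-2021-41773 really is a KEV entry, but its dates here, the CVE-0000-* identifiers and every score and vector in the findings list are placeholders for the illustration.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV JSON feed. Only the fields this
# example reads are kept. Dates and CVE-0000-* identifiers are illustrative placeholders.
KEV_FEED = json.loads("""{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2021-41773", "vendorProject": "Apache", "product": "HTTP Server",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
    {"cveID": "CVE-0000-0009", "vendorProject": "Example", "product": "Widget",
     "dateAdded": "2024-06-01", "dueDate": "2024-06-22"}
  ]
}""")

# Constructed scanner findings: CVE, CVSS base score, CVSS v3 vector, and whether the
# affected service is internet-exposed. Scores and vectors are placeholders, not NVD values.
FINDINGS = [
    {"cve": "CVE-2021-41773", "score": 7.5, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "exposed": True},
    {"cve": "CVE-0000-0001", "score": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "exposed": True},
    {"cve": "CVE-0000-0002", "score": 8.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "exposed": True},
    {"cve": "CVE-0000-0003", "score": 9.1, "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "exposed": False},
    {"cve": "CVE-0000-0004", "score": 7.8, "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "exposed": True},
]


def kev_index(feed):
    """cveID -> KEV record, for O(1) membership checks."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def parse_vector(vector):
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}; the leading 'CVSS:3.1' is skipped."""
    return dict(part.split(":", 1) for part in vector.split("/")[1:])


def tier(finding, kev):
    """0 = in KEV, 1 = critical and exposed, 2 = high+ and remote/unauthenticated, 3 = next patch window."""
    metrics = parse_vector(finding["vector"])
    if finding["cve"] in kev:
        return 0
    if finding["score"] >= 9.0 and finding["exposed"]:
        return 1
    if finding["score"] >= 7.0 and metrics.get("AV") == "N" and metrics.get("PR") == "N":
        return 2
    return 3


def prioritize(findings, feed):
    """Sort findings by tier, then by KEV due date (tier 0 only), then by descending score."""
    kev = kev_index(feed)

    def key(f):
        t = tier(f, kev)
        due = kev[f["cve"]]["dueDate"] if t == 0 else "9999-12-31"
        return (t, due, -f["score"])

    return sorted(findings, key=key)


def new_kev_entries(feed, since):
    """CVE IDs added to the feed strictly after the ISO date `since`: what a subscriber
    acts on at each poll, so a new entry is noticed within hours rather than days."""
    cutoff = date.fromisoformat(since)
    return [v["cveID"] for v in feed["vulnerabilities"] if date.fromisoformat(v["dateAdded"]) > cutoff]


if __name__ == "__main__":
    kev = kev_index(KEV_FEED)
    for f in prioritize(FINDINGS, KEV_FEED):
        print(tier(f, kev), f["cve"], f["score"], "exposed" if f["exposed"] else "internal")
    print("new since 2021-11-03:", new_kev_entries(KEV_FEED, "2021-11-03"))
```

Note that CVE-0000-0003 scores 9.1 yet lands in the last tier: it is not internet-exposed and needs privileges (PR:L), so by the rule above it waits for the regular window while the 7.5 KEV entry goes first. To run this against the live catalog, replace KEV_FEED with the parsed JSON fetched from the URL in the lead-in and store the dateAdded of the newest entry you have processed as the `since` value for the next poll.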

Run a free scan to find issues like this on your domain

GuardHound checks SSL, DNS, breaches, CVEs, lookalikes, hosting reputation, and more in under 30 seconds.

Start Free Scan →

Frequently Asked Questions

Why would the same CVE appear on multiple scans?
Either the patch hasn’t actually taken effect (the package is updated but the old process is still running; restart the service and confirm the version with nginx -v or apachectl -v), or the version string in your HTTP headers wasn’t updated by the patch. Suppress only after manual verification.
How does GuardHound detect technologies?
Primarily from HTTP response headers (Server:, X-Powered-By:, Set-Cookie patterns), plus a few common probes for popular CMSes. If detection misses, CVE search falls back to your domain name as a keyword — less precise but still useful.
Should I hide my server version header?
Yes, as defense in depth. Set ServerTokens Prod (Apache), server_tokens off (nginx), and expose_php = Off in php.ini to drop the X-Powered-By header. It doesn’t replace patching, and attackers can still fingerprint by behaviour, but it does reduce automated scanning noise. Bear in mind that hiding the version also removes what GuardHound matches on, so keep your own inventory of deployed versions.