CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
Summary
CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Among these is CVE-2023-27351, an improper authentication vulnerability in PaperCut, which has a CVSS score of 8.2. The agency has also set federal deadlines of April and May 2026 for agencies to remediate these identified flaws.
IFF Assessment
This is bad news for defenders: the additions indicate that new vulnerabilities are being actively exploited in the wild and require immediate attention and remediation.
Severity
The CVSS score of 8.2 indicates a High severity vulnerability, primarily due to the ease of exploitation and the potential for significant impact through improper authentication.
CISA KEV: Listed as actively exploited. Federal patch due: May 04, 2026. Known ransomware use: Unknown.
Defender Context
Defenders need to prioritize patching or mitigating these newly added KEV vulnerabilities, especially CVE-2023-27351 in PaperCut, because they are confirmed to be actively exploited. The additions highlight how quickly attackers leverage newly discovered weaknesses, which makes a robust vulnerability management program a necessity.
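An added example (not from the original article or from CISA): matching a software inventory against KEV entries and ordering the findings by federal due date. The catalog excerpt is constructed in the KEV JSON layout; the inventory, hostnames, the placeholder CVE-0000-00001 entry and the product strings are assumptions, and only the CVE-2023-27351 ID, due date and ransomware flag come from the text above.

```python
import json
from datetime import date

# Constructed sample in the KEV catalog's JSON layout. Only the CVE-2023-27351
# ID, its due date and its ransomware flag come from the article; the second
# entry and all product strings are placeholders.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "PaperCut",
   "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
   "dueDate": "2026-04-20", "knownRansomwareCampaignUse": "Known"}
]}
""")

# Hypothetical asset inventory: hostname -> list of (vendor, product) installed.
INVENTORY = {
    "print01.example.internal": [("PaperCut", "PaperCut")],
    "app07.example.internal": [("ExampleVendor", "ExampleApp"), ("PaperCut", "PaperCut")],
    "db02.example.internal": [("OtherVendor", "OtherDB")],
}

def triage(catalog, inventory, today):
    """Return KEV findings for inventoried software, most urgent first."""
    by_software = {}
    for v in catalog["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())
        by_software.setdefault(key, []).append(v)
    findings = []
    for host, installed in inventory.items():
        for vendor, product in installed:
            for v in by_software.get((vendor.lower(), product.lower()), []):
                days_left = (date.fromisoformat(v["dueDate"]) - today).days
                findings.append({
                    "host": host, "cve": v["cveID"], "due": v["dueDate"],
                    "days_left": days_left, "overdue": days_left < 0,
                    "ransomware": v["knownRansomwareCampaignUse"],
                })
    # Overdue and soonest-due first; known ransomware use breaks ties.
    findings.sort(key=lambda f: (f["days_left"], f["ransomware"] != "Known", f["host"]))
    return findings

if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date(2026, 4, 25)):
        state = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['host']:26} {f['cve']:15} due {f['due']} {state} ransomware={f['ransomware']}")
```

Exact string matching on vendor and product is the simplest possible join; a real inventory usually needs normalized product names or CPE identifiers to avoid missed matches.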