Medium Vulnerability

CISA KEV catalog adds nomination form

What Happened

On January 6, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) announced enhancements to its Known Exploited Vulnerabilities (KEV) catalog, introducing a new nomination form for submitting vulnerabilities known to be exploited in the wild. The update aims to streamline the reporting process for security researchers, vendors, and federal agencies, allowing them to nominate CVEs that meet CISA’s exploitation criteria directly through a standardized web interface.

Why It Matters

This enhancement addresses a longstanding gap in the vulnerability reporting ecosystem. Previously, nominating vulnerabilities for inclusion in the KEV catalog required informal channels or indirect reporting through the CISA Cybersecurity Alerts system. The new form formalizes the process, potentially accelerating the time between exploitation discovery and public alerting. For security teams, this means faster access to actionable intelligence on actively exploited vulnerabilities, enabling more effective prioritization and patching.

Technical Details

The nomination form is accessible via CISA’s KEV catalog page and requires submitters to provide specific details, including:

  • The CVE identifier (if assigned) or a detailed description of the vulnerability
  • Affected product, vendor, and version information
  • Evidence of active exploitation (e.g., public reports, proof-of-concept code, or observed attacks)
  • Impact assessment (e.g., remote code execution, privilege escalation)

CISA will review nominations based on its established criteria: the vulnerability must be known to be actively exploited, have a clear and actionable remediation (e.g., a patch or configuration change), and be relevant to federal enterprise operations. The form includes fields for submitting supporting evidence, such as links to threat intelligence reports or CVE pages.

Immediate Risk

The immediate risk is not from CISA’s update itself but from the gaps it addresses. The KEV catalog currently lists over 1,000 vulnerabilities, many of which were exploited for months or years before being added. By formalizing the nomination process, CISA aims to reduce this lag. Security teams should continue monitoring the KEV catalog weekly, but can now also use the nomination form to report exploitation they observe, contributing to shared situational awareness. The risk of unidentified exploited vulnerabilities in enterprise environments remains high, and this update is a positive step toward improvement.

Security Insight

This update reflects a broader trend of CISA shifting from reactive alerting to proactive intelligence sharing, comparable to how the MITRE ATT&CK framework evolved from a passive reference to a living repository of adversary behavior. The key takeaway here is that the nomination form lowers the barrier for reporting, but it also places a burden on reporters to provide high-quality evidence. Security teams should expect an uptick in KEV catalog updates as submissions increase, potentially leading to more frequent but less noisy additions. Organizations should integrate KEV catalog feeds into their vulnerability management workflows now, before the volume accelerates, to avoid alert fatigue.
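
One way to wire the KEV feed into a vulnerability-management workflow, as an added example (not CISA's or this page's own code): it matches scanner findings against the catalog, orders them by urgency, and marks only first-seen matches for alerting. The feed sample, placeholder CVE IDs, asset names, and the `triage` and `new_alerts` functions are constructed for illustration; the field names follow CISA's published KEV JSON feed.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (placeholder CVE IDs).
KEV_FEED = json.loads("""
{"catalogVersion": "constructed", "vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
  "dateAdded": "2026-01-02", "dueDate": "2026-01-23", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleCMS",
  "dateAdded": "2026-01-05", "dueDate": "2026-01-26", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "OtherMail",
  "dateAdded": "2025-11-10", "dueDate": "2025-12-01", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed scanner output: (asset, CVE) pairs from a hypothetical scanner export.
FINDINGS = [("vpn-gw-01", "CVE-0000-0001"), ("mail-01", "CVE-0000-0003"),
            ("web-02", "CVE-0000-9999")]

def triage(feed, findings, seen_cves, today):
    """Return KEV-matched findings, most urgent first, plus the updated seen set."""
    kev = {v["cveID"]: v for v in feed["vulnerabilities"]}
    tickets = []
    for asset, cve in findings:
        entry = kev.get(cve)
        if entry is None:
            continue  # not in KEV: leave it to the normal severity-based queue
        due = date.fromisoformat(entry["dueDate"])
        tickets.append({
            "asset": asset, "cve": cve, "due": due,
            "overdue": due < today,
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "new": cve not in seen_cves,  # catalog entry not present at last sync
        })
    # Overdue first, then ransomware-linked, then earliest remediation due date.
    tickets.sort(key=lambda t: (not t["overdue"], not t["ransomware"], t["due"]))
    return tickets, seen_cves | set(kev)

def new_alerts(tickets):
    """Only first-seen matches page someone; the rest stay in the backlog view."""
    return [t for t in tickets if t["new"]]

if __name__ == "__main__":
    seen = {"CVE-0000-0003"}  # constructed state persisted from the previous sync
    tickets, seen = triage(KEV_FEED, FINDINGS, seen, date(2026, 1, 10))
    for t in tickets:
        print(t["asset"], t["cve"], t["due"], "OVERDUE" if t["overdue"] else "")
    print("alert on:", [t["cve"] for t in new_alerts(tickets)])
```

Persisting the returned seen set between runs is what keeps a growing catalog from re-alerting on entries the team has already triaged.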
