CISA Adds Six Exploited Vulnerabilities to KEV Catalog
On April 14, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six security vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation in the wild. These flaws impact Fortinet, Microsoft, and Adobe products commonly used across enterprise and government environments.

Federal Civilian Executive Branch (FCEB) agencies are required to remediate all six flaws by April 27, 2026, under Binding Operational Directive (BOD) 22-01. CISA strongly urges private-sector organizations to do the same.

Vulnerabilities Added (April 14, 2026)

CVE-2026-21643 – Fortinet FortiClient EMS SQL Injection (CVSS 9.1)
Allows unauthenticated remote code execution via crafted HTTP requests.
▶ Exploitation observed since March 24, 2026.

CVE-2020-9715 – Adobe Acrobat Reader Use-after-free (CVSS 7.8)
Enables remote code execution when malicious PDF files ...