Between April 13 and April 30, 2026, CISA added multiple known exploited vulnerabilities to its KEV Catalog based on confirmed evidence of active exploitation. According to CISA's official alerts, the agency issued advisories on April 13 (seven vulnerabilities), April 14 (two), April 16 (one), April 22 (one), April 23 (one), April 28 (two), and April 30 (one). The Hacker News reported that this batch included flaws in Fortinet, Microsoft, and Adobe software, with federal civilian executive branch (FCEB) agencies facing a patching deadline of April 27, 2026.
CVE-2026-41940, which affects WebPros cPanel & WHM and WP2 (WordPress Squared), was among the documented exploited vulnerabilities, indicating that hosting infrastructure and WordPress deployments are being actively targeted.
What matters: When CISA adds a vulnerability to the KEV Catalog, it means attackers are already exploiting it in the wild. The volume and pace matter. Fourteen additions in a single month suggest not isolated incidents but a coordinated exploitation window. For infrastructure operators (hosting providers, municipal systems, small businesses reliant on WordPress or Fortinet), this represents a tactical deadline: attackers are moving fast, and unpatched instances become targets at scale.
The April 27 FCEB deadline is binding for federal agencies but non-binding for the private sector and critical infrastructure. That creates a two-tier response: federal systems will patch; others may lag. History suggests attackers will exploit that gap.
What to watch next: Monitor CISA's KEV Catalog velocity through May. If the rate stays above 10 additions per month, it signals either a coordinated campaign or the emergence of a new exploitation toolkit circulating among threat actors. Watch also for post-patching incident reports: they'll indicate whether organizations met the deadline or whether breaches occurred during the window.
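
One way to track the velocity and deadline gap described above, as an added example (not code from CISA or the sources cited). It assumes a catalog in the KEV JSON feed's shape (`vulnerabilities`, `cveID`, `dateAdded`, `dueDate`); the sample records are constructed with placeholder CVE IDs, the 14-day `dueDate` offset is an assumption, and the function names are hypothetical.

```python
import json
from collections import Counter
from datetime import date, timedelta

THRESHOLD = 10  # additions per month: the watch level named in the text

# Alert dates and per-alert counts as listed at the top of this page.
ALERTS = {"2026-04-13": 7, "2026-04-14": 2, "2026-04-16": 1, "2026-04-22": 1,
          "2026-04-23": 1, "2026-04-28": 2, "2026-04-30": 1}

def build_sample():
    """Constructed catalog in the KEV JSON feed's shape (placeholder CVE IDs).
    dueDate = dateAdded + 14 days is an assumption made for this sample."""
    vulns = []
    for added, count in ALERTS.items():
        due = (date.fromisoformat(added) + timedelta(days=14)).isoformat()
        for _ in range(count):
            vulns.append({"cveID": f"CVE-0000-{len(vulns) + 1:04d}",
                          "dateAdded": added, "dueDate": due})
    vulns.append({"cveID": "CVE-0000-9999", "dateAdded": "not-a-date"})  # malformed
    return json.dumps({"vulnerabilities": vulns})

def _parse(value):
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None  # missing or malformed date: caller skips the record

def monthly_additions(catalog_json):
    """Count KEV additions per calendar month, keyed 'YYYY-MM'."""
    counts = Counter()
    for v in json.loads(catalog_json).get("vulnerabilities", []):
        added = _parse(v.get("dateAdded"))
        if added:
            counts[added.strftime("%Y-%m")] += 1
    return counts

def months_over(catalog_json, threshold=THRESHOLD):
    """Months whose addition count exceeds the threshold."""
    return sorted(m for m, n in monthly_additions(catalog_json).items() if n > threshold)

def overdue(catalog_json, today, remediated=frozenset()):
    """CVE IDs whose dueDate has passed and that are not marked remediated."""
    out = []
    for v in json.loads(catalog_json).get("vulnerabilities", []):
        due = _parse(v.get("dueDate"))
        if due and due < today and v.get("cveID") not in remediated:
            out.append(v["cveID"])
    return out

if __name__ == "__main__":
    feed = build_sample()
    print(dict(monthly_additions(feed)), months_over(feed))
    print(overdue(feed, date(2026, 5, 1)))
```

Pointed at a saved copy of the real feed, `overdue` with your own remediated set gives the list of catalog entries still open past their due date.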