CISA's Known Exploited Vulnerabilities (KEV) catalogue, the US register of flaws confirmed under active exploitation, added seven CVEs between 5 and 14 July, none from a headline enterprise-security vendor 1. Six sit in web software: four Joomla extensions, the AI-app builder Langflow, and Adobe ColdFusion, with no Cisco, Fortinet, Microsoft or Ivanti entry among them. The seventh breaks the pattern: CVE-2008-4128, an 18-year-old cross-site request forgery (CSRF) flaw in Cisco IOS, added on Monday 13 July.
The catalogue stood at 1,638 entries on 14 July, up from 1,585 at the end of April, roughly 53 additions in ten weeks 2. April alone added 16 in 13 days. CVE-2008-4128 is the oldest KEV entry this beat has tracked, extending the ancient-revival thread that ran through a 17-year-old Office bug in April .
Two readings fit the slowdown, and a single fortnight cannot separate them. Either confirmed active exploitation genuinely eased over the summer, or BOD 26-04, the risk-tiered directive that replaced patch-everything rules in June , is already reshaping what gets listed and how fast. The fortnight-of-triage note two weeks ago raised the same question. KEV feeds patch prioritisation in tools like Qualys, Tenable and Rapid7, so any editorial shift behind the listings propagates into every enterprise treating the feed as ground truth. Ten weeks is too short to credit a doctrine shift, so this stays a hypothesis to watch.
