Potentially missing CISA Known Exploited Vulnerability Reports in cve2stix

We find the KEV data provided in cve2stix as STIX Reports very useful.

We have around 1000 Reports created by cve2stix representing KEV data. e.g.

    "type": "report",
    "spec_version": "2.1",
    "id": "report--65881d05-e408-5036-9824-d605229e4f06",
    "created_by_ref": "identity--562918ee-d5da-5579-b6a1-fae50cc6bad3",
    "created": "2019-12-24T22:15:11.183Z",
    "modified": "2020-01-02T21:05:29.673Z",
    "name": "CISA KEV: MongoDB mongo-express Remote Code Execution Vulnerability",
    "description": "Apply updates per vendor instructions. Action due by: 2022-06-10",
    "report_types": [
    "published": "2019-12-24T22:15:11.183Z",
    "object_refs": [
    "external_references": [
            "source_name": "cve",
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10758",
            "external_id": "CVE-2019-10758"
    "object_marking_refs": [

This number sounds very low, and I therefore suspect we are missing entries.

I don’t want to raise an issue on GitHub just yet, as I’m not sure I’m correct. How can I (in)validate my hunch?

OK so a long-winded answer, but stay with me, I think it’s important to talk about what the KEV program is all about…

CISA’s methodology for generating data is described here:


CISA’s definition of actively exploited:

A vulnerability under active exploitation is one for which there is reliable evidence that execution of malicious code was performed by an actor on a system without permission of the system owner.

Now it’s unrealistic to assume CISA is monitoring all exploited vulnerabilities, and that’s not what the point of KEV is.

It is more focused on the most critical vulnerabilities being exploited so that organisations can prioritise remediation/patches effectively:

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild: the Known Exploited Vulnerability (KEV) catalog. CISA strongly recommends all organizations review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors.

Of course it’s far from perfect:

So to answer your question…

How can I (in)validate this?

Go to:


And download the CSV data.

You’ll see it currently returns around 1100 results, which I would say is suspiciously close to the amount you have in the STIX objects you’ve created using cve2stix. Can you share the exact number of reports directories you see in the reports/ folder?

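Added example, not part of the original thread and not cve2stix code: the check suggested above, taken one step further by comparing CVE IDs rather than only totals, since two equal counts can still hide missing entries. It assumes the CSV export has a `cveID` column and that KEV reports look like the one quoted in the question (name prefixed `CISA KEV:`, CVE in an `external_references` entry with `source_name` `cve`); the sample data is constructed.

```python
import csv
import io

def kev_ids_from_csv(csv_text):
    """CVE IDs in a KEV CSV export (assumes a 'cveID' column)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["cveID"].strip().upper() for r in rows if r.get("cveID")}

def kev_ids_from_reports(stix_objects):
    """CVE IDs referenced by STIX Reports whose name starts with 'CISA KEV:'."""
    ids = set()
    for obj in stix_objects:
        if obj.get("type") != "report":
            continue
        if not obj.get("name", "").startswith("CISA KEV:"):
            continue
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == "cve" and ref.get("external_id"):
                ids.add(ref["external_id"].strip().upper())
    return ids

def compare(csv_text, stix_objects):
    """Count both sides and list the CVE IDs present on only one of them."""
    catalog = kev_ids_from_csv(csv_text)
    reports = kev_ids_from_reports(stix_objects)
    return {
        "catalog_count": len(catalog),
        "report_count": len(reports),
        "missing_from_stix": sorted(catalog - reports),
        "not_in_catalog": sorted(reports - catalog),
    }

# Constructed sample input. Only CVE-2019-10758 comes from the thread;
# the CVE-0000-* IDs are placeholders.
SAMPLE_CSV = (
    "cveID,vulnerabilityName\n"
    "CVE-2019-10758,MongoDB mongo-express Remote Code Execution Vulnerability\n"
    "CVE-0000-0001,Constructed placeholder entry\n"
)
SAMPLE_OBJECTS = [
    {"type": "report", "name": "CISA KEV: MongoDB mongo-express Remote Code Execution Vulnerability",
     "external_references": [{"source_name": "cve", "external_id": "CVE-2019-10758"}]},
    {"type": "report", "name": "CISA KEV: Constructed placeholder report",
     "external_references": [{"source_name": "cve", "external_id": "CVE-0000-0002"}]},
    {"type": "vulnerability", "name": "CVE-0000-0003"},  # not a report: ignored
]

if __name__ == "__main__":
    print(compare(SAMPLE_CSV, SAMPLE_OBJECTS))
```

For real data, pass the text of the downloaded CSV and the JSON objects loaded from the reports/ folder; an empty `missing_from_stix` list means every catalog entry has a report.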

Thanks @dgreenwood-dogesec – that is very helpful. I retract my comment – there is no issue with cve2stix