CVE-2026-30302 in Cisa Product: Critical Vulnerability with Low Current Exploitation Probability

📅 March 29, 2026 🔴 Exploit Risk: 0.402 📊 Intelligence Score: 61/100 📰 22 sources synthesized

TL;DR — Read this first

A critical vulnerability, CVE-2026-30302, with a CVSS score of 10.0 has been disclosed in a Cisa product. Specific product and version details are not yet available.
CONFIRMED: The vulnerability is not listed on CISA's KEV catalog. The EPSS score is 0.00415 (0.415%), indicating a very low probability of exploitation in the next 30 days.
Immediate action: Monitor for changes in exploitation signals (e.g., EPSS score increase, KEV addition, public PoC). Prioritize patching for actively exploited vulnerabilities over this one.

Intelligence Metadata

First Reported Bynvd.nist.gov

Outbreak Velocity1319 minutes spread to 2 unique domains

Consensus22 articles across 2 unique domains

CVSS Score10.0

EPSS Score0.00415 (0.415%)

CISA KEV StatusNot Listed

Exploit Risk Score0.4017

Race LabelLOW PROBABILITY EXPLOIT

Technical Analysis

Technical details regarding the vulnerability class, attack vector, and preconditions for CVE-2026-30302 are not available in the provided intelligence sources. The vulnerability was first recorded by the National Vulnerability Database (NVD). The perfect 10.0 CVSS score suggests a network-exploitable vulnerability that requires no user interaction and no privileges, resulting in a complete compromise of confidentiality, integrity, and availability. However, without technical analysis from security researchers or a vendor advisory, the practical exploitability remains theoretical.

Affected Systems

Vendor: Cisa

Affected Versions:

Not available

Exposure: Not available

Blast Radius: Not available

Intelligence Context

CVE-2026-30302 presents a significant conflict between its theoretical severity and its current real-world threat. The CVSS score of 10.0 places it in the highest severity category, demanding immediate attention. Conversely, its low EPSS score (0.415%) and absence from the CISA KEV catalog indicate that exploitation is not currently observed or anticipated by predictive models. This is a common scenario for newly disclosed vulnerabilities without a public proof-of-concept exploit or observed threat actor interest. For defenders, this translates to a 'monitor and wait' posture. The vulnerability should be tracked, but remediation efforts should be prioritized for other vulnerabilities with higher EPSS scores or a confirmed KEV status.

Remediation & Defense

Monitor for vendor patches and changes in threat intelligence. De-prioritize immediate patching in favor of vulnerabilities confirmed to be actively exploited (KEV list) or those with a higher EPSS score.

Patch Status: Not available

Patch Version: Not available

Workarounds:

Not available

Detection Hints:

Not available

Source Timeline

nvd.nist.gov — First reporter

CVE-2026-30302 cisa vulnerability cvss-10.0 low-epss