CVE-2026-9082 in Unspecified Product: Actively Exploited and Added to CISA KEV Catalog

📅 May 23, 2026 🔴 Exploit Risk: 0.580 📊 Intelligence Score: 64/100 📰 2 sources synthesized

TL;DR — Read this first

CVE-2026-9082 is a critical vulnerability (CVSS 9.5) in an unspecified product that is under active exploitation.
CONFIRMED: CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 22, 2026, mandating remediation for federal agencies.
Immediate action is required. Prioritize patching or applying mitigations due to confirmed in-the-wild exploitation, despite a low EPSS score.

Intelligence Metadata

First Reported Bythehackernews.com

Outbreak Velocity739 minutes spread to 2 unique domains

Consensus2 sources across 2 unique domains

CVSS Score9.5

EPSS Score0.00017 (0.017th percentile)

CISA KEV StatusConfirmed

Exploit Risk Score0.5801

Race LabelZERO-DAY RACE

Technical Analysis

CONFIRMED reports from CISA indicate that CVE-2026-9082 is being actively exploited in the wild. This vulnerability carries a critical CVSS score of 9.5, suggesting a high potential impact on confidentiality, integrity, and availability. However, the provided intelligence sources lack specific technical details regarding the vulnerability class (e.g., RCE, SQLi, auth-bypass), the attack vector, or the preconditions required for successful exploitation. The product and vendor associated with this CVE are not explicitly identified in the source material.

The most significant intelligence signal is the vulnerability's inclusion in the CISA KEV catalog. This contrasts sharply with its very low EPSS score of 0.00017, which predicts a low probability of widespread exploitation. This discrepancy suggests that current exploitation may be highly targeted, conducted by a capable threat actor, or requires a specific, non-default configuration that the EPSS model does not heavily weigh. Defenders should prioritize the confirmed threat over the probabilistic forecast.

Affected Systems

Vendor: Not specified in source material

Affected Versions:

Not specified in source material

Exposure: Not available

Blast Radius: Not available

Intelligence Context

The primary driver for action on CVE-2026-9082 is its CONFIRMED status on the CISA KEV catalog. This is a deterministic signal of active, in-the-wild exploitation, which overrides most other probabilistic metrics. The 'ZERO-DAY RACE' label indicates this is a fresh and ongoing threat. While the EPSS score is exceptionally low, suggesting limited widespread activity, the KEV listing confirms a real-world risk that must be addressed. For U.S. Federal Civilian Executive Branch (FCEB) agencies, remediation is mandatory under Binding Operational Directive (BOD) 22-01. For all other organizations, the KEV status serves as a high-confidence indicator to prioritize this vulnerability for immediate remediation.

Remediation & Defense

Patch immediately. Due to confirmed exploitation (CISA KEV), this vulnerability must be treated as a top priority. If a patch is not yet available, organizations should actively monitor for vendor advisories, investigate potentially exposed assets for signs of compromise, and prepare to apply mitigations as soon as they are published.

Patch Status: Not available

Patch Version: Not available

Workarounds:

Not available

Detection Hints:

Not available

Source Timeline

thehackernews.com — First reporter
cisa.gov — Official confirmation of exploitation

CVE-2026-9082 CISA KEV vulnerability actively-exploited