The Catalog That Separates Theory From Practice
CISA's Known Exploited Vulnerabilities catalog is the US federal government's authoritative list of vulnerabilities with confirmed in-the-wild exploitation. A vulnerability enters the KEV catalog only when it has an assigned CVE ID, CISA has reliable evidence that it has been exploited by threat actors in real-world operations, and there is a clear remediation action (a patch, mitigation, or workaround). It is not a risk prediction. It is a historical record of weaponization. Among the 22 web frameworks WebPulse tracks, 12 carry zero KEV entries.
The twelve: Angular, Astro, Django, Eleventy, FastAPI, Flask, Gatsby, HTMX, Hugo, Next.js, Nuxt.js, and Vue. These frameworks span different languages, architectures, and use cases. What they share is a single data point: no vulnerability in their codebases has met CISA's inclusion bar, which turns on evidence of exploitation in the wild rather than on severity rating or scale of use.
What Zero KEV Means — and Does Not Mean
Zero KEV entries do not mean zero vulnerabilities. Django carries CVEs. Angular carries CVEs. Flask carries CVEs. The distinction is between vulnerabilities that exist on paper and vulnerabilities that have been weaponized in practice. A CVE is a disclosure: a weakness exists and has an identifier. A KEV entry is a confirmed observation: someone has exploited that weakness against real targets. The gap between the two is the gap between potential and demonstrated attack surface.
Nor does zero KEV mean permanent immunity. The catalog is updated continuously, and it grows only as CISA obtains evidence, so it lags disclosure and undercounts exploitation that is never reported to it. A framework with zero KEV entries today could receive one tomorrow, and a framework vulnerability exploited quietly in a targeted campaign may never appear at all. Still, as a historical indicator of exploitation patterns, the current state of the catalog is the most concrete signal available.
The Other Side of the Ledger
Eight frameworks tracked by WebPulse carry confirmed KEV entries. The distribution is not uniform. WordPress and Drupal carry the most, consistent with their massive installed bases and plugin ecosystems. Spring's 5 KEV entries are notable given its relatively small total CVE count of 46: roughly 1 in 9 Spring vulnerabilities has been actively exploited. React's 2 KEV entries reflect specific supply-chain and prototype pollution vectors rather than the framework's core architecture.
The Scale of the Catalog
The full KEV catalog contains 1,623 entries across all software categories at the time of this analysis. Of those, 100 carry EPSS scores above 50%; EPSS estimates the probability that a vulnerability will be exploited in the next 30 days, so those 100 are KEV entries that are not only historically exploited but still likely to be exploited going forward. Web frameworks represent a subset of the catalog, but a consequential one: web applications are the primary attack surface for most organizations, and framework-level vulnerabilities affect every application built on them.
The Selection Signal
For organizations evaluating framework choices, the KEV catalog provides a dimension that CVE counts and severity ratings do not. It answers a specific question: has a vulnerability in this framework been confirmed as exploited in the wild? Twelve frameworks answer no. That answer is not a guarantee, and it says nothing about the plugins, dependencies, and application code layered on top of the framework. It is a data point, and in security decision-making, data points grounded in confirmed incidents carry more weight than theoretical risk assessments.
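The question above is one a team can ask of its own stack mechanically. The script below is an added example, not code from the original page or from CISA or WebPulse: it cross-references a framework watchlist against records in the shape of the public KEV JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and ranks the hits by EPSS score, the probability-of-exploitation filter the catalog discussion uses. The records and EPSS values are constructed samples with placeholder CVE IDs so it runs offline; a live run would replace them with the downloaded feed and an EPSS API response. The watchlist names, threshold, and the vendor/product strings are assumptions for illustration.

```python
"""Check a framework watchlist against KEV-shaped records and rank hits by EPSS.

Added example (not from the original page, CISA, or WebPulse). Record fields
follow the public KEV JSON feed; the rows and scores below are constructed
samples with placeholder CVE IDs so the script runs offline.
"""
import json
import re

# Constructed sample in the KEV feed's shape. CVE IDs are placeholders, not
# real catalog rows; the vendorProject/product strings mimic the feed's free text.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "VMware", "product": "Spring Framework",
         "dateAdded": "2024-01-01", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0002", "vendorProject": "VMware", "product": "Spring Cloud Function",
         "dateAdded": "2024-02-01", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0003", "vendorProject": "Drupal", "product": "Drupal Core",
         "dateAdded": "2024-03-01", "knownRansomwareCampaignUse": "Unknown"},
        # Deliberate near-miss: "Revue" must not count as a hit for "Vue".
        {"cveID": "CVE-0000-0004", "vendorProject": "Example", "product": "Revue Widget",
         "dateAdded": "2024-04-01", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed EPSS lookup: cveID -> probability of exploitation in the next 30 days.
# A live run would fetch these from the EPSS API instead.
EPSS_SAMPLE = {"CVE-0000-0001": 0.97, "CVE-0000-0002": 0.12, "CVE-0000-0003": 0.64}

# Assumed watchlist: the frameworks an organization actually runs.
WATCHLIST = ["Spring", "Drupal", "Django", "Vue"]


def load_kev(feed_text):
    """Parse the feed text and return its vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def matches_framework(entry, framework):
    """Whole-word, case-insensitive match against vendorProject and product.

    KEV product names are free text ("Spring Framework", "Spring Cloud
    Function"), not package identifiers, so a text match is the practical
    approach. Whole-word matching stops "Vue" from hitting "Revue"; the hits
    still deserve a human review pass because the feed is not normalized.
    """
    pattern = re.compile(r"\b" + re.escape(framework) + r"\b", re.IGNORECASE)
    haystack = entry.get("product", "") + " " + entry.get("vendorProject", "")
    return pattern.search(haystack) is not None


def kev_hits(entries, watchlist):
    """Map each watched framework to the KEV records that mention it."""
    hits = {fw: [] for fw in watchlist}
    for entry in entries:
        for fw in watchlist:
            if matches_framework(entry, fw):
                hits[fw].append(entry)
    return hits


def rank_by_epss(entries, epss, threshold=0.5):
    """Return (cveID, epss) pairs at or above threshold, highest score first.

    A record with no EPSS score is ranked as 0.0 rather than dropped: KEV
    membership alone already means it was exploited, so it should reappear
    as soon as the threshold is lowered.
    """
    scored = [(e["cveID"], epss.get(e["cveID"], 0.0)) for e in entries]
    kept = [(cve, score) for cve, score in scored if score >= threshold]
    return sorted(kept, key=lambda pair: pair[1], reverse=True)


def report(feed_text, epss, watchlist, threshold=0.5):
    """One summary line per watched framework: KEV count, urgent count, ransomware use."""
    hits = kev_hits(load_kev(feed_text), watchlist)
    lines = []
    for fw in watchlist:
        entries = hits[fw]
        ransomware = [e["cveID"] for e in entries
                      if e.get("knownRansomwareCampaignUse") == "Known"]
        urgent = rank_by_epss(entries, epss, threshold)
        lines.append(f"{fw}: {len(entries)} KEV entries, {len(urgent)} at EPSS >= {threshold}, "
                     f"ransomware use: {ransomware or 'none'}")
    return lines


if __name__ == "__main__":
    for line in report(KEV_SAMPLE, EPSS_SAMPLE, WATCHLIST):
        print(line)
```

Two points from running this against the real feed: match on both vendorProject and product, because the same framework is filed under different vendor names over time, and treat a zero-hit result for a framework as "no evidence", not "safe", for the reasons given above about how the catalog is populated.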