{% if not fragment_mode %}
{% include "_standalone_shell.html" %} {% include "_design_system.html" %} {% endif %}This report alerts you when exploits for vulnerabilities in your portfolio advance in maturity — newly added to CISA KEV, becoming weaponized, or gaining ransomware/threat-actor attribution. Use it to:
Under EU CRA Article 14, manufacturers must notify ENISA within 24 hours of becoming aware of an actively exploited vulnerability in a product with digital elements. The 🔥 SLA-Breach Risk section flags findings where that clock applies.
KEV Source column shows which platform signal triggered: CISA means the platform marked the CVE as CISA-listed, VcKEV means FS's verified-compromise signal (exploitation observed in the wild beyond what CISA tracks), CISA+VcKEV means both. The 24-hour CRA notification clock anchors on the later of CISA's dateAdded (when the CISA catalog join succeeds for this row) and the platform's detected_date (when FS first observed this finding). If Notification Deadline is empty, neither timestamp was available — the row is flagged Unknown Clock and the 24-hour clock cannot be computed. Identify which of your products contain the listed components and either confirm a mitigation or file the ENISA notification.",
"newly_above": "Exploit signals for these CVEs advanced in maturity during the report window. They weren't CRA-relevant before, but a new KEV listing / weaponization / ransomware or threat-actor attribution puts them in scope now. Treat as the 'what changed today' list — identify affected products and start the triage.",
"re_emerged": "CVEs you previously marked resolved or not-affected that have gained a new exploit signal. Reverify the mitigation still holds. The previous_resolution column shows how the finding was originally closed.",
"still_in_triage": "Open triage items not yet decided. triage_age_days shows how long each has been pending. The risk: if exploit maturity advances on any of these, they jump to 🆕 or 🔥 and the 24-hour clock starts.",
"full_snapshot": "Complete inventory of CRA-relevant findings in scope. Reference list, not action items — the 🔥/🆕/🔁/⏰ sections above contain the rows that need attention this run."
} %}
{# ── Five morning-queue sections ── #}
{% for section in cra_sections | default([]) %}
{{ _section_callouts[section.key] | safe }}
{% endif %} {% if section.count > 0 %}| {{ col.display }} | {% endfor %}||
|---|---|---|
| {{ cell_val }} | {% elif cell_val is none or cell_val == "None" or cell_val == "nan" or cell_val == "" %}{% else %} | {{ cell_val }} | {% endif %} {% endfor %}
Showing top {{ section.shown }} of {{ section.count }} — see CSV/XLSX for full set.
{% endif %} {% else %}No findings in this section.
{% endif %} {% endfor %} {# ── CISA-vs-CRA footnote ── #}Note on SLA columns: The CRA notification clock
(cra_notification_at + 24h) is independent of CISA's US federal BOD 22-01
remediation deadline (cisa_remediation_due). The two SLAs serve different regulators.