All patch & vulnerability trackers

Which Patch Tuesday updates you can't afford to skip, from 905 Microsoft security updates tracked

A free, no registration required, searchable table of every Microsoft security update and the CVEs it fixes, refreshed daily. Microsoft discloses 1,000 to 2,000 CVEs a year. This tracks every security update and the CVEs it fixes, ordered by EPSS exploit probability with actively-exploited (CISA KEV) bugs first. Putting the MSRC, NVD, CISA KEV and EPSS feeds in live charts, a product-family risk heatmap, and a searchable table, refreshed daily:

Senserva is a Microsoft Intelligent Security Association member · JSON and RSS feeds included, no login required: feeds and API.

Also tracking non-Microsoft software? CISA KEV exploited-vulnerability tracker

  • One ranked view. KB to CVE, ordered by EPSS exploit probability with CISA KEV first.
  • Always current. Auto-updated every Patch Tuesday and out-of-band release.
  • A page per CVE and KB. Cross-linked both ways, each KB with a direct Microsoft Update Catalog download link.
  • Open data. Export to CSV or JSON, or pull the live JSON API.

Patch data refreshed from MSRC + CISA KEV. Last updated .

Microsoft patches and risk, last 12 months
Every Microsoft update released per month, stacked by Severity, with a risk trend line weighted from Microsoft patch data.
Active exploitation across the ecosystem
Every CVE added to the CISA Known Exploited Vulnerabilities catalog, month by month: Microsoft next to every other vendor. Click a month to see the specific CVEs and follow each one to its fix.
12 months
Loading the latest Patch Tuesday risk summary...

A quick reference of recent Microsoft updates that patched vulnerabilities later confirmed as actively exploited in the CISA KEV catalog. Search the full table below for any KB, product, or CVE.

Microsoft update CVE fixed Affects Severity

Browse all Microsoft patches

Search and sort every tracked Microsoft update. The dashboard above is the quick read; this is the full table. Click any KB to open its page.

Product:
From to

Export:APIRSS
This is a public reference catalog. To see which of these patches and CVEs are actually missing across your own Microsoft estate, Senserva reads your Intune and Defender data and ranks the gaps the same way.

Export and API

Take the data with you. The table above has CSV and JSON export buttons for whatever you have filtered, and the full feed is published as a JSON file you can pull on a schedule. Everything is free to use.

JSON API endpoint
https://senserva.com/api/microsoft-patches.json
curl -s https://senserva.com/api/microsoft-patches.json | jq '.patches[0]'
const feed = await fetch('https://senserva.com/api/microsoft-patches.json').then(r => r.json());
// actively-exploited updates, highest EPSS first
const urgent = feed.patches.filter(p => p.kev).sort((a, b) => b.epss - a.epss);
Each patch record has:
kb, date, products[], severity, cvss, kev, ransom, epss, kev_cves[], ransom_cves[], cves[], count.
The feed regenerates with each data refresh, so a daily pull stays current. Per-CVE and per-KB pages are also addressable directly, for example /cve/CVE-2025-53770.html and /kb/5002759.html.

Data sources

Every figure on this page is built from authoritative, public security feeds, refreshed automatically. The same feeds power Senserva's CVE and patch management inside your own tenant.

Every CVE in these Microsoft updates that is listed in the CISA Known Exploited Vulnerabilities catalog is ranked by EPSS exploit probability. Each row in the table above shows the Microsoft KBs that fix it and links to full CVE detail.

Source What it provides
Microsoft Security Update Guide (MSRC) KB-to-CVE mapping, Severity ratings, and affected products.
NVD (NIST) CVSS base scores for each CVE.
CIRCL CVE Search CVE details (CVSS, descriptions) used as a free fallback when an NVD key is not configured.
CISA KEV catalog Known Exploited Vulnerabilities: actively-exploited and ransomware-linked flags.
EPSS (FIRST.org) Exploit Prediction Scoring System: probability a CVE is exploited within 30 days.

What these mean, and why they matter

MSRC (Microsoft Security Update Guide)
Microsoft's authoritative feed mapping each security update (KB) to the CVEs it fixes, with severity ratings and affected products. Value: the system of record for what Microsoft shipped and exactly what each update patches.
CISA KEV (Known Exploited Vulnerabilities)
CISA's catalog of CVEs confirmed exploited in real-world attacks. Value: the single strongest "patch this now" signal. A CVE in KEV is not theoretical, it is being used against organizations today, which is why Senserva ranks KEV items above everything else.
EPSS (Exploit Prediction Scoring System, FIRST.org)
A probability, refreshed daily, that a CVE will be exploited in the next 30 days. Value: prioritizes the long tail of CVEs not yet in KEV by how likely they are to be attacked, not just how severe they are.
CVSS (Common Vulnerability Scoring System)
A 0 to 10 base score of a vulnerability's intrinsic severity. Value: how damaging the flaw is if exploited, independent of whether it is being exploited yet.

Patch and vulnerability tools Senserva complements

Senserva does not deploy patches. It reports and ranks the missing patches and CVEs across your Microsoft 365, Intune, Defender, and Entra ID estate by real-world risk (CISA KEV and EPSS), and works alongside the patch, RMM, and vulnerability tools you already run. See how Senserva compares with, and complements, each:

PatchMyPCSolarWinds Patch ManagerAction1AutomoxIvantiManageEngine Patch Manager PlusHCL BigFixNinjaOneConnectWiseKaseya and DattoN-ableAteraSyncroInforcerTenableQualys

All comparisons and integrations

Related guides

Why this, not just the MSRC Update Guide?

Microsoft's MSRC Update Guide is the authoritative list of what shipped. This adds the prioritization and context it does not.

  • Ranked by CISA KEV first, then EPSS exploit probability, then Severity, with actively-exploited and ransomware flags surfaced.
  • Monthly volume-by-Severity and a risk trend, a product-family heatmap, and CSV export.
  • Each CVE links to an enriched per-CVE page, or jump to the full CVE reference.
  • With Senserva: which of these are missing on your devices, with validated approve-before-apply remediation.

Patch tracker questions, answered

How is the Microsoft Patch Tracker different from the MSRC Update Guide?

Microsoft's MSRC Update Guide is the authoritative list of what shipped. This tracker adds the prioritization it does not: every KB is ranked by CISA KEV (actively exploited) first, then FIRST.org EPSS exploit probability, then CVSS severity, with each KB tied to the CVEs it fixes and shown in live charts and a product-family risk heatmap. It is free, with no sign-in.

How often is the patch data updated?

Daily. The tracker auto-refreshes from Microsoft MSRC, CISA KEV, and FIRST.org EPSS, so the charts, heatmap, and table reflect the latest Patch Tuesday and out-of-band updates and the current exploitation signals.

What is Patch Tuesday?

Patch Tuesday is the second Tuesday of each month, when Microsoft releases its scheduled security updates. Critical fixes can also ship out-of-band between Patch Tuesdays. This tracker covers both.

What do CISA KEV and EPSS mean for patch prioritization?

CISA KEV is the catalog of CVEs confirmed to be actively exploited in the wild. EPSS is a daily probability that a CVE will be exploited soon. Ranking patches by KEV then EPSS, on top of CVSS severity, surfaces what attackers are actually using, a better fix-first order than CVSS alone.

What is a KB, and how does it relate to a CVE?

A KB (Knowledge Base) number identifies a Microsoft update package. Each KB fixes one or more CVEs. The tracker cross-references every KB to the CVEs it resolves, and every CVE to the KB that fixes it.

Is the patch tracker free?

Yes, it is free to use with no sign-in. Running Senserva adds the part a public tracker cannot: which of these patches and CVEs are actually missing on your own devices, with a validated, approve-before-apply fix.

From Mark Shavlik, the original creator of Shavlik patch management (HfNetChk, NetChk Protect), and his team. Senserva is a Microsoft Intelligent Security Association (MISA) member.

Fixing what this tracker finds

This page is the public picture. The short walkthrough below shows the same ranking applied to your own tenant: which of these updates are actually missing on your devices, fixed with approval.

Senserva patching for Microsoft 365

Open the watch page for this video, or read about Senserva patching.

Reference: the Microsoft patching guide, how Intune, Windows Autopatch, Defender, and Azure Update Manager fit together, and where third-party patch vendors fit in.

Data notice: the trackers, feeds, and API are provided as is, for informational purposes only, without warranty of any kind. Senserva, LLC does not guarantee the accuracy, completeness, or timeliness of third-party data and accepts no liability for actions taken based on it; verify against the primary source before acting. All use of this data is subject to the Senserva EULA.