HomePatch and vulnerability tracker › What's hot

Hot Patches: the hottest Microsoft patches and CVEs right now

Hot Patches is a unique list Senserva generates of the Microsoft patches (KBs) and CVEs of most interest right now, not a raw dump. It is free, refreshed several times a day, and available as a Hot Patches JSON feed to build on.

Everything here is ranked by one blended score: CISA KEV confirmed exploitation first, then known ransomware use, then FIRST.org EPSS exploit probability, then CVSS severity, with a recency boost so freshly exploited items rise to the top. When live search demand is available, that gets folded in too. Every CVE and KB also carries its created date and change history, tracked going forward and refreshed several times a day, so you can see what is new and what recently changed.

Building a tool? The same ranking is a free JSON API: https://senserva.com/api/hot.json, with four ranked lists (all CVEs, Microsoft CVEs, non-Microsoft CVEs, and patches/KBs). No login or key. See the feeds and API page for the schema and rules. Free to use with attribution: "Patch Data Provided by Senserva".

How to read it: higher on the list means hotter. In Motion means it is moving right now: newly confirmed exploited, tied to active ransomware, or climbing in search.

Hottest CVEs right now

The ten CVEs with the highest combined score. Click any card for the full write-up and the fix.

Loading the hottest CVEs...
See the full top 100 CVEs

Hottest Microsoft patches (KBs) right now

The ten Microsoft updates carrying the most risk to deploy first.

Loading the hottest KBs...
See the full top 100 KBs

Top 100 hottest CVEs

Sortable and filterable. Every row links to that CVE's page: what it is, who is exposed, and the update that fixes it.

Loading the hot CVE list...

Top 100 Hot Patches (Microsoft KBs)

The Microsoft updates behind the hottest CVEs, ranked to deploy in order.

Loading the hot KB list...

Recently changed

Every CVE and Microsoft patch carries a Senserva-tracked created date and change history. These changed most recently, newest first.

The CVEs and Microsoft patches whose tracked facts (Severity, exploitation, affected products, or fixes) changed most recently, newest first. Tracked since 2026-07-07, refreshed several times a day.

  • CVE-2026-53359 High changed 2026-07-08
    KVM: x86: Fix shadow paging use-after-free due to unexpected role
  • CVE-2026-8458 Medium changed 2026-07-08
    wrong reuse for different services

From "what's hot" to "what's missing on my devices"

This page shows what the whole world is dealing with. Senserva shows which of these hot CVEs and KBs are actually missing on your Microsoft 365, Intune, Defender, and Entra ID estate, then ranks your gaps the same way: actively exploited first. It reads every layer read-only and names the exact KB to deploy.

See your security gaps, free

Common questions

How is "hot" decided?

Each CVE and KB gets a score that blends real-world threat signal and search demand. Threat signal is CISA KEV (confirmed exploited in the wild) first, then known ransomware use, then FIRST.org EPSS exploit probability, then CVSS severity, with a recency boost so newly confirmed exploitation rises. When a credentialed Search Console pull is present, live search demand (how many people are looking the item up) is blended in too.

What does "In Motion" mean?

In Motion flags an item that is actively moving right now: either it was newly added to the CISA Known Exploited Vulnerabilities catalog in the last two to three weeks, it is tied to active ransomware campaigns, or it is climbing in live search demand. It is the short list to look at first.

How often does this update?

The underlying feeds (Microsoft MSRC, CISA KEV, FIRST.org EPSS) refresh multiple times a day, and this ranking is rebuilt with them, so a newly exploited CVE or a fresh out-of-band KB shows up here within hours.

Is there an API or feed for the hottest patches?

Yes. The same ranking is a free JSON API at https://senserva.com/api/hot.json: four ranked lists (all CVEs, Microsoft CVEs, non-Microsoft CVEs, and patches/KBs), each item with its rank, score, dates, and a link to the detail page. No login or key. RSS feeds and a Patch Tuesday calendar are on the feeds and API page. Free to use with attribution: "Patch Data Provided by Senserva".

Is it free?

Yes, free with no sign-in. Running Senserva adds the part a public ranking cannot: which of these hot CVEs and KBs are actually missing on your own devices, ranked so you fix the right things first.

Patch tracker questions, answered

How is the Microsoft Patch Tracker different from the MSRC Update Guide?

Microsoft's MSRC Update Guide is the authoritative list of what shipped. This tracker adds the prioritization it does not: every KB is ranked by CISA KEV (actively exploited) first, then FIRST.org EPSS exploit probability, then CVSS severity, with each KB tied to the CVEs it fixes and shown in live charts and a product-family risk heatmap. It is free, with no sign-in.

How often is the patch data updated?

Daily. The tracker auto-refreshes from Microsoft MSRC, CISA KEV, and FIRST.org EPSS, so the charts, heatmap, and table reflect the latest Patch Tuesday and out-of-band updates and the current exploitation signals.

What is Patch Tuesday?

Patch Tuesday is the second Tuesday of each month, when Microsoft releases its scheduled security updates. Critical fixes can also ship out-of-band between Patch Tuesdays. This tracker covers both.

What do CISA KEV and EPSS mean for patch prioritization?

CISA KEV is the catalog of CVEs confirmed to be actively exploited in the wild. EPSS is a daily probability that a CVE will be exploited soon. Ranking patches by KEV then EPSS, on top of CVSS severity, surfaces what attackers are actually using, a better fix-first order than CVSS alone.

What is a KB, and how does it relate to a CVE?

A KB (Knowledge Base) number identifies a Microsoft update package. Each KB fixes one or more CVEs. The tracker cross-references every KB to the CVEs it resolves, and every CVE to the KB that fixes it.

Is the patch tracker free?

Yes, it is free to use with no sign-in. Running Senserva adds the part a public tracker cannot: which of these patches and CVEs are actually missing on your own devices, ranked so you fix the right things first.

Can I use this patch data with my own AI?

Yes. The page includes a free copy-paste AI prompt, generated from the live table each day, that carries the riskiest KBs with their severity, EPSS scores, and CISA KEV status into Claude, ChatGPT, or Copilot, so you can build a deployment plan in your own words.

From Mark Shavlik, the original creator of Shavlik patch management (HfNetChk, NetChk Protect), and his team. Senserva is a Microsoft Intelligent Security Association (MISA) member.

Fixing what this tracker finds

This page is the public picture. The short walkthrough below shows the same ranking applied to your own tenant: which of these updates are actually missing on your devices, fixed with approval.

Senserva patching for Microsoft 365

Open the watch page for this video, or read about Senserva patching.

Sponsored by Senserva

Siemserva by Senserva reports patch status for your own devices: which ones are missing the updates on this page, ranked by what attackers actually exploit.

  • Patch status in one scan: which devices are affected, which are not
  • Missing updates ranked by CISA KEV and EPSS, so you fix the right things first
  • Data from Intune, Microsoft Defender, Windows Autopatch, and Azure Update Manager, with more sources on the way
  • Third-party app patching too: updates published to Intune by PatchMyPC, Scappman, Robopack, or any vendor, read vendor-neutrally
  • Optional AI Enhanced Reporting: plain-language summaries and recommended next steps written into your reports
  • Then go further: 650+ security checks, compliance evidence, and Senserva Trustworthy AI driven configuration remediation
Patch Status Report
Missing updates across 110 devices, ranked by exploitation
23
MISSING UPDATES
87
UP TO DATE
41
OTHER UPDATES DUE
UPDATESEVERITYKEVMISSING
KB5094123CriticalEXPLOITED23
KB5094142High-11
KB5094139High-6
Estimated report, sample data for illustration
Get Going with Senserva Senserva patching Built for IT admins and security teams, with audit-ready data for compliance. Senserva is a Microsoft Intelligent Security Association member.

Reference: the Microsoft patching guide, how Intune, Windows Autopatch, Defender, and Azure Update Manager fit together, and where third-party patch vendors fit in.

Data notice: the trackers, feeds, and API are provided as is, for informational purposes only, without warranty of any kind. Senserva, LLC does not guarantee the accuracy, completeness, or timeliness of third-party data and accepts no liability for actions taken based on it; verify against the primary source before acting. All use of this data is subject to the Senserva EULA.