“Actively exploited” vs “public exploit code” — not the same thing
Security feeds use these phrases as if they were interchangeable. They are two different facts, from two different kinds of evidence, and they call for different responses. CSIRTS.com tracks them as two separate flags on every CVE — here is why.
“Actively exploited” = someone is attacking with it
When CSIRTS.com marks an advisory exploited, the CVE is in the CISA Known Exploited Vulnerabilities catalog: an authority has evidence of real-world exploitation — incident response findings, honeypot hits, vendor telemetry. It is confirmation, not prediction. The trade-off is lag: confirmation can arrive days or weeks after attacks begin, and KEV only lists what CISA can verify.
“Public exploit code” = anyone could attack with it
The public exploit flag (has_exploit) means working attack code is published where anyone can fetch it. CSIRTS.com syncs four sources daily: the Metasploit module index, the Exploit-DB archive, ProjectDiscovery's Nuclei CVE templates, and the PoC-in-GitHub index. Published code doesn't prove anyone has used it — but it collapses the skill required to try, and mass scanning typically follows within days of a usable PoC.
The gap is the interesting part
Cross-referencing the two sets, live, is the point of our Exploitation Gap report. At any given time, dozens of CVEs have working public exploit code but no KEV entry — the window where opportunistic exploitation starts while formal confirmation lags. Around two-thirds of KEV entries also have public code; the rest were exploited privately, often by targeted actors, before or without any publication.
For defenders the rule of thumb: KEV = patch now (it is happening); public exploit, no KEV = patch before you become the confirmation; neither flag = schedule by EPSS and CVSS.
Check any CVE
Every CVE page (csirts.com/cve/<CVE-ID>) shows both flags with the evidence: KEV date if listed, and which exploit datasets reference it. The same fields are in the JSON API (exploited, has_exploit), the RSS filters, the MCP server, the embeddable badges and the downloadable exploitation dataset.