Not theoretical CVEs — these are vulnerabilities CISA (the US government's cybersecurity agency) has confirmed are actively being exploited in the wild right now. Refreshed automatically from CISA's public catalog.
cron/refresh-kev.php to run at least once via a scheduled task — see the deployment guide.