At first glance this seems kind of scary, but if it relies on already-reported CVEs, then doesn't that defeat the purpose of using it to breach a vulnerability? AFAIK, CVEs are only disclosed publicly after they've been patched. I could be wrong though.
It means they have a patch - but usually there are still a lot of installations everywhere. when the CVE is published people are only starting to patch their systems
