NIST is cataloging so many vulnerabilities it can only assign severity scores to the highest priority threats


  • NIST changes enrichment process for National Vulnerability Database due to surge in CVE submissions
  • 263% increase since 2020; prioritization now given to KEV entries, federal software, and critical software under EO 14028
  • Other CVEs deemed “lowest priority,” but users can request enrichment via email if needed

The number of reported vulnerabilities has surged so sharply that it forced the National Institute of Standards and Technology (NIST) to change how it ‘enriches’ each entry.

Until now, NIST would take a basic CVE record and add structured analysis to make it more useful in the National Vulnerability Database (NVD). That usually includes severity scoring (CVSS), affected products (CPE), weakness classification (CWE), and additional metadata.

However, between 2020 and 2025, there has been a 263% increase in CVE submissions, NIST said, adding that it doesn’t expect the trend to let up anytime soon. “Submissions during the first three months of 2026 are nearly one-third higher than the same period last year,” it said.


Prioritizing KEV-listed ones

To keep up with rising demand, NIST is setting up certain criteria. Submissions that meet them will be enriched as soon as possible, while those that do not will have to wait. NIST did not say that these “lowest priority” submissions will never be enriched, but if the agency is being flooded with new entries every day, it’s safe to assume many will never be covered.

Starting April 15, NIST said it would prioritize CVEs appearing in CISA’s Known Exploited Vulnerabilities (KEV) catalog, CVEs for software used within the federal government, and CVEs for critical software as defined by Executive Order 14028.

Everything else will be deemed “lowest priority,” but NIST says that does not mean other CVEs won’t have a significant impact on affected systems.

“These criteria may not catch every potentially high-impact CVE,” it warned. “Therefore, users can request enrichment of any lowest priority CVEs by emailing us at nvd@nist.gov. We will review those requests and schedule the CVEs for enrichment as resources allow.”

A full definition of critical software and a description of the new workflow can be found on this page.




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
