NIST updates NVD: not every CVE will be scrutinized

The number of vulnerabilities is becoming unmanageable. The U.S. security authority NIST is therefore updating its National Vulnerability Database methodology. A full analysis will not be conducted for vulnerabilities that do not initially appear to be among the most critical CVEs. This could create a blind spot, though a replacement is already on the horizon.

The number of newly submitted CVEs (Common Vulnerabilities and Exposures) rose by 263 percent between 2020 and 2025, NIST reports. In the first three months of 2026, nearly a third more reports were received than in the same period a year earlier. NIST processed nearly 42,000 CVEs in 2025, a 45 percent increase compared to previous years, but even that proved insufficient to keep up with the influx.

The National Vulnerability Database (NVD) has long served as a central reference point for cybersecurity professionals. Through the database, organizations can search for vulnerabilities, consult severity scores, and view product lists to determine which systems are at risk. That information is not automatically available: NIST itself adds it, a process known internally as “enrichment.” That process is now under pressure. A funding gap in 2024 further exacerbated the existing backlog, and NIST has not managed to clear it fully since.

In April 2025, the funding shortfall became even more drastic. The entire CVE system was temporarily left without funding, which would have effectively caused it to collapse. A European alternative soon emerged. The storm passed, but it is now clear that drastic decisions are still needed.

Record growth forces choices

Starting this week, NIST is applying new prioritization criteria. CVEs listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog are given priority and must be fully analyzed within one business day. Additionally, vulnerabilities affecting software used by the U.S. federal government and software designated as critical under Executive Order 14028 will be processed on an accelerated basis. CVEs that fall outside these categories will now be labeled as ‘Not Scheduled’ and will not automatically receive the usual analyses.

As a result, the CVE database must now be viewed explicitly as a primarily reactive system. This does not mean fewer vulnerabilities are visible in the catalog, but the level of detail per entry is decreasing. A strategy of patching based on CVSS scores above a certain threshold is disastrous in any case, and now even riskier.

What changes for users

All submitted CVEs will therefore remain ‘normally’ available in the NVD, but the enrichment is missing for the majority. Furthermore, NIST will stop automatically assigning its own severity score if the submitter, the CVE Numbering Authority, has already provided a score. This reduces duplication of effort, according to NIST.

Backlog CVEs with a publication date prior to March 1, 2026, will also be moved to ‘Not Scheduled.’ Users can still request enrichment for specific CVEs via an email request process. In the meantime, NIST plans to work on automated systems to sustain the NVD in the long term.
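As an added illustration (not from the article or from NIST), the following Python sketch shows why a CVSS-threshold filter silently misses CVEs once NIST enrichment is absent, and how a triage step can instead fall back on the CNA-supplied score and on KEV membership. The record shape follows the NVD API 2.0 JSON (`vulnStatus`, `metrics.cvssMetricV31[].type` of `Primary` for NIST's score versus `Secondary` for the CNA's, `cisaExploitAdd` on KEV-listed entries); the exact `Not Scheduled` status string and all CVE ids and scores below are constructed assumptions.

```python
# Added example (not from the article or NIST): triage NVD-style records without
# relying on NIST enrichment. Record shape follows the NVD API 2.0 JSON; the
# "Not Scheduled" status string and all CVE ids/scores below are constructed.
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "cisaExploitAdd": "2026-03-02",  # present only for KEV-listed CVEs
             "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                                             "cvssData": {"baseScore": 9.8}}]}}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Not Scheduled",
             "metrics": {"cvssMetricV31": [{"source": "cna@example.org", "type": "Secondary",
                                             "cvssData": {"baseScore": 7.5}}]}}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Not Scheduled", "metrics": {}}},
    {"cve": {"id": "CVE-0000-0004", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                                             "cvssData": {"baseScore": 4.3}}]}}},
]

def naive_filter(records, threshold=7.0):
    """Threshold-only selection: acts only on CVEs with a NIST (Primary) score >= threshold."""
    return [r["cve"]["id"] for r in records
            if any(m["type"] == "Primary" and m["cvssData"]["baseScore"] >= threshold
                   for m in r["cve"].get("metrics", {}).get("cvssMetricV31", []))]

def triage(record, threshold=7.0):
    """Return (decision, reason); unenriched CVEs are surfaced, never silently dropped."""
    cve = record["cve"]
    if cve.get("cisaExploitAdd"):          # KEV membership outranks any score
        return "patch-now", "listed in CISA KEV"
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    by_type = {m["type"]: m["cvssData"]["baseScore"] for m in metrics}
    if "Primary" in by_type:               # NIST's own enrichment is present
        score = by_type["Primary"]
        return ("schedule" if score >= threshold else "backlog"), f"NIST score {score}"
    if "Secondary" in by_type:             # only the CNA-supplied score exists
        score = by_type["Secondary"]
        return ("schedule" if score >= threshold else "review"), f"CNA score {score}, no NIST enrichment"
    # No score at all: request enrichment or assess manually instead of discarding.
    return "review", f"no CVSS data, status {cve.get('vulnStatus')}"

def triage_all(records, threshold=7.0):
    return {r["cve"]["id"]: triage(r, threshold) for r in records}

if __name__ == "__main__":
    print("naive threshold filter acts on:", naive_filter(SAMPLE_RECORDS))
    for cve_id, (decision, reason) in triage_all(SAMPLE_RECORDS).items():
        print(cve_id, decision, reason)
```

On the constructed sample the threshold filter acts on one CVE only, while the triage step surfaces the CNA-scored and unscored ‘Not Scheduled’ entries that it would otherwise have dropped.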