NIST Is Cataloging so Many Vulnerabilities It Can only Assign Severity Scores to the Highest Priority Threats
Why It Matters
Prioritizing high‑impact vulnerabilities helps organizations focus remediation on the most dangerous threats, while the reduced coverage of lower‑priority CVEs could create blind spots for enterprises that rely on the NVD for risk assessment.
Key Takeaways
- NIST saw a 263% rise in CVE submissions since 2020
- New process enriches only KEV, federal, and EO 14028 critical software
- Other CVEs labeled “lowest priority” but can be manually requested
- NIST expects vulnerability influx to continue, straining resources
Pulse Analysis
The National Vulnerability Database, long regarded as the definitive source for vulnerability intelligence, is grappling with an unprecedented influx of CVE entries. A 263% jump in submissions over the past five years reflects the accelerating pace of software development, cloud adoption, and the proliferation of open‑source components. Each CVE traditionally receives a CVSS score, product mapping, and CWE classification, a labor‑intensive process that NIST can no longer sustain at scale. By reshaping its enrichment workflow, NIST aims to preserve the quality of its most critical data while acknowledging resource constraints.
Under the new regime, NIST will fast‑track enrichment for three categories: vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, those affecting software used by federal agencies, and those deemed critical under Executive Order 14028, which targets supply‑chain risk. This triage mirrors the broader industry shift toward risk‑based vulnerability management, where security teams prioritize remediation based on exploitability and business impact. For vendors and enterprises, the change means that high‑profile flaws will continue to receive timely CVSS scores, facilitating automated patching and compliance reporting. However, organizations that depend on comprehensive NVD coverage for niche or legacy products may need to supplement the database with internal assessments or third‑party feeds.
The long‑term implications are twofold. First, the prioritization model could widen the information gap for lower‑priority CVEs, potentially leaving some attack surfaces under‑monitored. Security teams should therefore establish processes to request enrichment for specific entries that matter to their environment. Second, the move underscores the growing demand for scalable, AI‑assisted vulnerability analysis tools that can handle volume without sacrificing accuracy. As the threat landscape evolves, firms that integrate multiple intelligence sources and adopt proactive risk scoring will be better positioned to mitigate the surge of vulnerabilities that NIST now openly acknowledges.
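One way a security team could operationalize the advice above, as an added example that is not part of the article: triage each NVD record against the new enrichment tiers, fall back to an internal or third-party score where NIST has not enriched, and flag what is left for an enrichment request. The feed shapes (NVD 2.0 `vulnStatus`/`metrics`, KEV `cveID`) and the `CVE-0000-000x` ids are assumed placeholders constructed for this example.

```python
"""Triage NVD records against NIST's prioritized enrichment policy.

Constructed sample data mimicking the NVD 2.0 API (`vulnerabilities[].cve`
with `vulnStatus` and `metrics`) and CISA's KEV feed (`vulnerabilities[].cveID`).
Field names are assumed; the CVE ids are placeholders, not real entries.
"""

KEV_FEED = {"vulnerabilities": [{"cveID": "CVE-0000-0002"}]}

NVD_FEED = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {}}},  # in KEV, so in NIST's fast-track set
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis",
             "metrics": {}}},  # not in KEV: "lowest priority" tier
]}


def nvd_base_score(cve):
    """Return the CVSS v3.1 base score NVD attached, or None if unenriched."""
    for metric in cve.get("metrics", {}).get("cvssMetricV31", []):
        return metric["cvssData"]["baseScore"]
    return None


def triage(nvd_feed, kev_feed, internal_scores):
    """Map each CVE id to (source, score).

    internal_scores: {cve_id: score} from in-house or third-party assessment,
    the supplement the article says enterprises may need for unenriched CVEs.
    """
    kev = {v["cveID"] for v in kev_feed["vulnerabilities"]}
    result = {}
    for entry in nvd_feed["vulnerabilities"]:
        cve = entry["cve"]
        cid = cve["id"]
        score = nvd_base_score(cve)
        if score is not None:
            result[cid] = ("nvd", score)
        elif cid in kev:
            # KEV entries stay on NIST's enrichment path; a missing score
            # here is a lag to re-poll, not a coverage gap to fill yourself.
            result[cid] = ("pending-kev", None)
        elif cid in internal_scores:
            result[cid] = ("internal", internal_scores[cid])
        else:
            # Lowest-priority tier: request enrichment from NIST or assess
            # in-house so the entry does not become a blind spot.
            result[cid] = ("request-enrichment", None)
    return result
```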