NIST Narrows Scope of CVE Analysis to Keep up with Rising Tide of Vulnerabilities

CyberScoop
Apr 15, 2026

Why It Matters

Prioritizing high‑impact vulnerabilities lets NIST sustain the NVD amid exploding submission volumes, while forcing enterprises to rely more on private‑sector intel for lower‑tier flaws. This shift reshapes how organizations allocate patch‑management resources and assess cyber risk.

Key Takeaways

  • NIST will prioritize CVEs listed in CISA’s exploited catalog.
  • Only federal and EO 14028‑critical software vulnerabilities receive full enrichment.
  • Non‑prioritized CVEs remain listed but lose automatic metadata.
  • NIST will no longer issue its own CVSS score alongside the severity rating submitted with a CVE.
  • Backlog from 2024 funding lapse exceeds 40,000 unenriched CVEs.

Pulse Analysis

The flood of vulnerability disclosures has outpaced the capacity of the government‑run National Vulnerability Database, a cornerstone for risk‑based decision‑making across public and private sectors. Submissions jumped from a few thousand in 2020 to over 42,000 in 2025, a 263% increase, and the first quarter of 2026 already shows a 33% rise versus the same period last year. A funding interruption in early 2024 forced NIST to pause metadata enrichment, creating a backlog of more than 40,000 CVEs that still lack critical context such as severity scores and exploitability data.

To restore long‑term sustainability, NIST is now limiting full analysis to three high‑priority groups: vulnerabilities cataloged by CISA as actively exploited, software deployed by federal agencies, and applications deemed critical under Executive Order 14028. Entries outside these buckets will stay searchable in the NVD but will not receive automatic enrichment or a separate CVSS rating from NIST. This risk‑based approach concentrates limited resources on flaws with the greatest systemic impact, while delegating lower‑tier assessments to the broader community of CNAs and private security firms.

For enterprises, the change means a sharper focus on the most dangerous threats but also a heightened need to supplement NVD data with alternative intelligence sources. Security teams must adjust patch‑management workflows to prioritize the newly highlighted CVEs and may turn to vendors, threat‑intel platforms, or open‑source feeds for deeper analysis of non‑prioritized bugs. Over time, the market could see increased influence from private vulnerability researchers, reshaping the ecosystem that once relied heavily on a single, government‑maintained catalog.
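One way a security team might implement the workflow change described above, as an added example that is not from the article: sort NVD records into the three groups the article describes (CISA-exploited, NIST-enriched, or left for outside intelligence) and flag entries still sitting in the enrichment backlog. It assumes the field names of the NVD API 2.0 JSON (`cve.id`, `cve.vulnStatus`, `cve.metrics.cvssMetricV31[].type`, `cvssData.baseScore`) and of the CISA KEV catalog JSON (`vulnerabilities[].cveID`); the sample records are constructed, not real NVD or KEV output.

```python
"""Triage CVE records under NIST's narrowed enrichment scope (added example)."""
import json

# Constructed NVD-style response: one CVE with a NIST ("Primary") score,
# one with only the CNA's ("Secondary") score, one never enriched.
# CVE IDs are placeholders, not real vulnerabilities.
NVD_SAMPLE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [
                 {"type": "Primary", "cvssData": {"baseScore": 9.8}}]}}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [
                 {"type": "Secondary", "cvssData": {"baseScore": 7.5}}]}}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis",
             "metrics": {}}},
]})
# Constructed KEV-style catalog listing the first CVE as actively exploited.
KEV_SAMPLE = json.dumps({"vulnerabilities": [{"cveID": "CVE-0000-0001"}]})

# NVD statuses that mean the record has not yet been enriched.
BACKLOG_STATUSES = ("Received", "Awaiting Analysis", "Undergoing Analysis")


def kev_ids(kev_json):
    """Set of CVE IDs present in the (constructed) KEV catalog."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def triage(nvd_json, kev_json):
    """Return {cve_id: (tier, has_nist_score, best_available_base_score)}."""
    kev = kev_ids(kev_json)
    out = {}
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
        # "Primary" is NIST's own score; "Secondary" is the CNA's submitted one.
        nist = [m for m in metrics if m.get("type") == "Primary"]
        score = (nist or metrics or [{}])[0].get("cvssData", {}).get("baseScore")
        if cve["id"] in kev:
            tier = "exploited"  # top patch priority whatever the enrichment state
        elif nist:
            tier = "nist-enriched"
        elif cve.get("vulnStatus", "") in BACKLOG_STATUSES:
            tier = "backlog"  # still waiting on NIST: treat as unknown severity
        else:
            tier = "needs-external-intel"  # only CNA/vendor data available
        out[cve["id"]] = (tier, bool(nist), score)
    return out
```

Records in the `backlog` and `needs-external-intel` tiers are the ones to cross-check against vendor advisories or threat-intel feeds rather than treating a missing NIST score as low risk.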

