- NIST Modifies National Vulnerability Database Enrichment Process Due to Increase in CVE Submissions
- 263% increase since 2020; priority is now given to KEV entries, federal software and critical software under EO 14028
- Other CVEs deemed “lower priority”, but users can request enrichment by email if necessary
The number of reported vulnerabilities has increased so much that it has forced the National Institute of Standards and Technology (NIST) to change how it “enriches” each entry.
Until now, NIST took a basic CVE record and added a structured analysis to it, to make it more useful in the National Vulnerability Database (NVD). This typically includes Severity Score (CVSS), Affected Products (CPE), Weakness Classification (CWE), and additional metadata.
However, between 2020 and 2025, there was a 263% increase in CVE submissions, NIST said, adding that it does not expect the trend to stop anytime soon. “Submissions in the first three months of 2026 are almost a third higher than for the same period last year,” it says.
Article continues below
Prioritize those listed KEV
To be able to meet growing demand, NIST is implementing certain criteria. Submissions that satisfy them will be enriched as soon as possible, while those that do not satisfy them will have to wait. NIST hasn’t said it won’t enrich these “lower priority” submissions at all, but if the agency is inundated with new entries every day, it’s safe to assume many will never be covered.
Starting April 15, NIST said it would prioritize CVEs appearing in CISA’s Catalog of Known Exploited Vulnerabilities (KEVs), CVEs for software used within the federal government, and CVEs for critical software as defined by Executive Order 14028.
Everything else will be considered “lower priority,” but NIST says that doesn’t mean other CVEs won’t have a significant impact on affected systems.
“These criteria may not take into account all potentially high-impact CVEs,” he warns. “Therefore, users may request enrichment of any lowest priority CVE by emailing us at [email protected]. We will review these requests and schedule CVE enrichment based on available resources.”
A full definition of critical software and a description of the new workflow is available on this page.
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.
