- NIST Changes National Vulnerability Database Enrichment Process Due to Increase in CVE Submissions
- 263% increase from 2020; Priority is now given to KEV entries, federal software, and critical software per EO 14028.
- Other CVEs are considered “lower priority,” but users can request enrichment via email if necessary
The number of reported vulnerabilities has increased so dramatically that it forced the National Institute of Standards and Technology (NIST) to change the way it “enriches” each entry.
Until now, NIST would take a basic CVE record and add structured analysis to make it more useful in the National Vulnerability Database (NVD). Typically, that includes severity score (CVSS), affected products (CPE), classification of weaknesses (CWE), and additional metadata.
However, between 2020 and 2025, there has been a 263% increase in CVE filings, NIST said, adding that it does not expect the trend to slow down anytime soon. “Submissions during the first three months of 2026 are almost a third higher than the same period last year,” he said.
Article continues below.
Prioritize those on the KEV list
In order to keep pace with growing demand, NIST is establishing certain criteria. Submissions that meet them will be enriched as soon as possible, while those that don’t will have to wait. NIST didn’t say it wouldn’t enrich these “lower priority” submissions at all, but if the agency is inundated with new entries every day, it’s safe to assume many will never be covered.
Starting April 15, NIST said it would prioritize CVEs listed in CISA’s catalog of known exploited vulnerabilities (KEV), CVEs for software used within the federal government, and CVEs for critical software as defined by Executive Order 14028.
Everything else will be considered “lowest priority,” but NIST says that doesn’t mean other CVEs won’t have a significant impact on affected systems.
“These criteria may not cover all potentially high-impact CVEs,” he cautioned. “Therefore, users can request enrichment of any lower priority CVEs by emailing us at [email protected]. We will review those requests and schedule enrichment of CVEs as resources permit.”
A complete definition of critical software and a description of the new workflow can be found on this page.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
