NIST is cataloging so many vulnerabilities it can only assign severity scores to the highest priority threats

2026-04-20 13:59

The volume has almost tripled in five years, forcing NIST to change its MO.

By Sead Fadilpašić, published 20 April 2026

  • NIST changes enrichment process for National Vulnerability Database due to surge in CVE submissions
  • 263% increase since 2020; prioritization now given to KEV entries, federal software, and critical software under EO 14028
  • Other CVEs deemed “lowest priority,” but users can request enrichment via email if needed

The number of reported vulnerabilities has surged so sharply that it forced the National Institute of Standards and Technology (NIST) to change how it ‘enriches’ each entry.

Until now, NIST would take a basic CVE record and add structured analysis, to make it more useful in the National Vulnerability Database (NVD). That usually includes severity scoring (CVSS), affected products (CPE), weakness classification (CWE), and additional metadata.

However, between 2020 and 2025, there has been a 263% increase in CVE submissions, NIST said, adding that it doesn’t expect the trend to let up anytime soon. “Submissions during the first three months of 2026 are nearly one-third higher than the same period last year,” it said.

Prioritizing KEV-listed ones

To be able to keep up with rising demand, NIST is setting up certain criteria. Submissions that meet them will be enriched as soon as possible, while those that do not will have to wait. NIST did not say it would not enrich these “lowest priority” submissions at all, but if the agency is being flooded with new entries every day, it’s safe to assume many will never be covered.

Starting April 15, NIST said it would prioritize CVEs appearing in CISA’s Known Exploited Vulnerabilities (KEV) catalog, CVEs for software used within the federal government, and CVEs for critical software as defined by Executive Order 14028.

Everything else will be deemed “lowest priority”, but NIST says it doesn’t mean other CVEs won’t have a significant impact on affected systems.

“These criteria may not catch every potentially high-impact CVE,” it warned. “Therefore, users can request enrichment of any lowest priority CVEs by emailing us at [email protected]. We will review those requests and schedule the CVEs for enrichment as resources allow.”

A full definition of critical software and a description of the new workflow can be found on this page.
