Vulnerability‑management strain
- The National Vulnerability Database is changing strategy to address a growing CVE backlog.
- CISA recalled furloughed employees after a funding lapse that affected vulnerability‑management capacity.
- The shift reduces the pace of external prioritization defenders normally rely on. (thecyberwire.com)
The U.S. National Vulnerability Database (NVD) is no longer trying to fully analyze every new software flaw, as record CVE volumes outrun the team that scores and tags them. (nist.gov) A CVE is the public identifier assigned to a disclosed software vulnerability; the NVD adds the extra labels defenders use to sort risk, including CVSS severity scores and affected-product (CPE) lists. NIST said on April 15 that it will now enrich only selected CVEs instead of all of them. (nvd.nist.gov, nist.gov)

NIST said CVE submissions rose 263% from 2020 to 2025, and the first three months of 2026 were nearly one-third higher than the same period a year earlier. The agency said it enriched nearly 42,000 CVEs in 2025, 45% more than in any prior year, but still could not keep up. (nist.gov)

Under the new rules, NIST will prioritize CVEs in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog, software used by the federal government, and "critical software" as defined under Executive Order 14028. NIST said CVEs outside those buckets will still appear in the database, but marked "Lowest Priority - not scheduled for immediate enrichment." (nist.gov)

That change lands on top of a backlog that NIST said began building in early 2024. The agency's public dashboard showed 32,497 CVEs "Awaiting Analysis" this week. (nvd.nist.gov, nvd.nist.gov)

The NVD is one of the feeds security teams plug into scanners, ticketing systems, and compliance checks, and NIST says the database underpins automated vulnerability management through the Security Content Automation Protocol (SCAP). (nvd.nist.gov, nvd.nist.gov) The practical consequence: a scanner or ticketing workflow that keys on the NVD's CVSS score or CPE product list sees an unenriched CVE as unscored and matched to no product, so such CVEs can silently fall out of risk-based prioritization unless the pipeline checks for missing enrichment and falls back to another source, such as the CNA's own score or KEV membership.

CISA's own prioritization list is narrower by design. Its KEV catalog is the government's list of bugs confirmed to have been used in real attacks, and CISA says organizations should use it as one input in their vulnerability management framework. (cisa.gov) CISA also publishes weekly bulletins that summarize newly disclosed vulnerabilities and patch information, but those roundups are not a substitute for full NVD enrichment across the broader CVE stream. The latest bulletin page lists summaries through the week of April 6, 2026. (cisa.gov)

The staffing picture has been unstable too. Acting CISA Director Madhu Gottumukkala told House appropriators on February 13 that, under shutdown conditions, only about one-third of the agency would remain on the job and staff would be unable to proactively scan for cyber vulnerabilities. (nextgov.com) On April 10, the Department of Homeland Security recalled furloughed staff across the department, including at CISA, after a funding lapse that began on February 14. Federal News Network reported the return-to-work order covered "all DHS employees" on their next scheduled duty day, even though Congress had not yet enacted a fiscal 2026 DHS appropriation. (federalnewsnetwork.com, cbsnews.com)

NIST says users can ask for a lower-priority CVE to be enriched by emailing the database team, and it says it is building more automation for long-term sustainability. For now, the public list of flaws will keep growing faster than the government's usual layer of scoring and product mapping. (nist.gov, nist.gov)
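As an added example (not code from the article, NIST, or CISA), the following Python triage pass shows what the enrichment change means inside a vulnerability-management pipeline: it reads records in the NVD API 2.0 JSON shape together with the CISA KEV catalog JSON, flags CVEs that carry no NVD-assigned ("Primary") CVSS metric or CPE configuration, and falls back to KEV membership and CNA-supplied ("Secondary") CVSS so that unenriched CVEs are routed for review instead of silently sinking to the bottom. The sample records are constructed, the CVE IDs are synthetic placeholders rather than real CVEs, and the priority tiers are an assumption made for illustration.

```python
"""Added example: triage NVD API 2.0 records that may lack NVD enrichment.

Not code from the article, NIST or CISA. Field names follow the NVD API 2.0
and CISA KEV JSON schemas; the sample records below are constructed and the
CVE IDs are synthetic placeholders, not real CVEs. Priority tiers are assumed.
"""
from dataclasses import dataclass
from typing import Optional

# NVD API 2.0 vulnStatus values meaning NVD has not (yet) added its own data.
UNENRICHED_STATUSES = {"Received", "Awaiting Analysis", "Undergoing Analysis", "Deferred"}


@dataclass
class Triage:
    cve_id: str
    nvd_enriched: bool        # NVD-assigned CVSS and a CPE configuration are present
    in_kev: bool
    kev_due: Optional[str]    # CISA remediation due date, if listed in KEV
    score: Optional[float]
    score_source: str         # "nvd", "cna" or "none"
    priority: str             # assumed tiers: P1, P2, P3, REVIEW, P4


def _cvss_metrics(cve: dict) -> list:
    """Flatten every CVSS metric object on the record, newest version first."""
    metrics = cve.get("metrics", {})
    out = []
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30"):
        out.extend(metrics.get(key, []))
    return out


def pick_score(cve: dict):
    """Prefer NVD's own score (type Primary); fall back to the CNA's (Secondary)."""
    metrics = _cvss_metrics(cve)
    primary = [m for m in metrics if m.get("type") == "Primary"]
    if primary:
        return primary[0]["cvssData"]["baseScore"], "nvd"
    secondary = [m for m in metrics if m.get("type") == "Secondary"]
    if secondary:
        return max(m["cvssData"]["baseScore"] for m in secondary), "cna"
    return None, "none"


def is_nvd_enriched(cve: dict) -> bool:
    """True only if NVD itself scored the CVE and mapped it to CPE products."""
    if cve.get("vulnStatus") in UNENRICHED_STATUSES:
        return False
    has_primary = any(m.get("type") == "Primary" for m in _cvss_metrics(cve))
    return has_primary and bool(cve.get("configurations"))


def triage(nvd_response: dict, kev_catalog: dict) -> list:
    """Assign an assumed priority tier to each CVE in an NVD API 2.0 response."""
    kev = {v["cveID"]: v for v in kev_catalog.get("vulnerabilities", [])}
    results = []
    for item in nvd_response.get("vulnerabilities", []):
        cve = item["cve"]
        cve_id = cve["id"]
        score, source = pick_score(cve)
        entry = kev.get(cve_id)
        if entry is not None:
            priority = "P1"        # confirmed exploited in the wild (KEV)
        elif score is not None and score >= 9.0:
            priority = "P2"
        elif score is not None and score >= 7.0:
            priority = "P3"
        elif score is None:
            priority = "REVIEW"    # unscored and unenriched: route to a human, do not drop
        else:
            priority = "P4"
        results.append(Triage(cve_id, is_nvd_enriched(cve), entry is not None,
                              entry["dueDate"] if entry else None,
                              score, source, priority))
    return results


# Constructed sample in NVD API 2.0 shape (synthetic CVE IDs, not real CVEs).
SAMPLE_NVD = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [
                 {"source": "nvd@nist.gov", "type": "Primary",
                  "cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]},
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [
                 {"source": "cna@example.org", "type": "Secondary",
                  "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    {"cve": {"id": "CVE-0000-0004", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
]}

# Constructed sample in CISA KEV catalog shape.
SAMPLE_KEV = {"vulnerabilities": [
    {"cveID": "CVE-0000-0003", "dateAdded": "2026-04-10", "dueDate": "2026-05-01",
     "knownRansomwareCampaignUse": "Unknown"}]}

if __name__ == "__main__":
    for t in triage(SAMPLE_NVD, SAMPLE_KEV):
        flag = "" if t.nvd_enriched else "  <-- no NVD enrichment"
        print(f"{t.cve_id} {t.priority:6} score={t.score} ({t.score_source}) kev={t.in_kev}{flag}")
```

In a real pipeline the two inputs would be `json.load`ed from a saved NVD API 2.0 response and the KEV catalog download; the `nvd_enriched` flag is the signal to watch, since a scanner that reads only the NVD's own score and CPE list would treat CVE-0000-0002 as unscored despite the CNA's 9.8 and CVE-0000-0003 as unscored despite its KEV listing.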