❌

Normal view

National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges

Blogs

Blog

National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges

In this post, we examine what NVD’s shift to selective enrichment means for vulnerability workflows and how security teams can maintain visibility and prioritization at scale.

SHARE THIS:
Default Author Image
April 17, 2026

The National Vulnerability Database (NVD) is changing how it processes and enriches vulnerability data in response to sustained growth in CVE submissions.

Under a new model announced by the National Institute of Standards and Technology, NVD will no longer enrich every CVE. Instead, enrichment efforts will focus on a defined subset, including vulnerabilities in the CISA KEV catalog, software used by the federal government, and software designated as critical.

All other CVEs will remain in the database without additional context unless specifically requested.

Rising disclosure volumes are placing pressure on public vulnerability infrastructure, and it has direct implications for how security teams consume and act on vulnerability data.

What Changed in NVD’s Operating Model

For years, NVD aimed to provide consistent enrichment across all CVEs, including severity scoring, affected product data, and supporting context for prioritization.

That approach has not been sustainable since late 2023.

In 2025, Flashpoint tracked 44,509 disclosed vulnerabilities, 14,593 of which had publicly available exploits (and 1,944 more with proof-of-concepts).Β 

CVE submissions increased by 263% between 2020 and 2025, with 2026 already tracking higher year-over-year. Even with increased throughput, NVD has not been able to keep pace.

Under the updated model:

  • CVEs meeting prioritization criteria will be enriched on an accelerated timeline
  • CVEs outside those criteria will be labeled and left without enrichment
  • Re-analysis of modified CVEs will occur selectively
  • Separate NVD severity scoring will no longer be applied by default

This introduces a significant structural change in how vulnerability data is published and maintained.

The Impact on Vulnerability Workflows

Many security programs rely on NVD enrichment to operationalize CVE data. That enrichment provides the context needed to evaluate risk and determine remediation priorities.

With enrichment applied selectively, teams will encounter a growing number of CVEs that include:

  • Limited or no severity scoring
  • Incomplete product and version data
  • Minimal context on exploitability or impact
  • No CPE strings that allow for programmatic consumption of data

At the same time, disclosure volume continues to rise, and exploitation timelines remain compressed. This creates a gap between what is disclosed and what can be acted on efficiently.

Security teams will need to account for:

  • Larger backlogs of CVEs without actionable context
  • Increased manual effort to evaluate relevance and risk
  • Greater variability in data quality across sources

These changes affect vulnerability management, threat intelligence, and security operations workflows simultaneously.

Prioritization Criteria Will Not Capture the Full Risk Landscape

NVD’s updated model focuses enrichment on a defined set of criteria, including known exploited vulnerabilities and software relevant to federal systems.

These categories represent important segments of risk, but they do not encompass the full set of vulnerabilities that organizations encounter in practice.

Modern environments include:

  • Open-source dependencies
  • SaaS platforms and APIs
  • Cloud infrastructure and services
  • Third-party and partner integrations

Many vulnerabilities affecting these environments fall outside formal prioritization frameworks or lack immediate classification within public datasets. As a result, security teams will continue to face exposure from vulnerabilities that are:

  • Actively exploited but not yet included in prioritized lists
  • Missing complete metadata or enrichment
  • Relevant to their environment but not captured by federal-centric criteria

Vulnerability Intelligence Requires Broader Coverage and Deeper Context

As public enrichment becomes more selective, organizations will rely more heavily on alternative sources to maintain visibility and context.

Effective vulnerability intelligence requires:

  • Coverage across CVE and non-CVE vulnerabilities
  • Continuous tracking of exploitation activity and adversary usage
  • Context on exploit maturity, and remediation
  • Consistent enrichment that can be integrated into operational workflows

This level of detail supports faster and more accurate decision-making in environments where both volume and speed are increasing.

Flashpoint’s vulnerability intelligence model is built to address these requirements, with a dataset that includes over 7,000 known exploited vulnerabilities and ongoing analyst-driven enrichment across global sources.

What Security Teams Should Do Next

This shift in NVD operations does not change the need to track CVEs. It changes how that data can be used. Security teams should evaluate how their current workflows depend on:

  • NVD enrichment for prioritization
  • CVSS scoring as a primary decision input
  • Completeness of public vulnerability data

From there, teams can take steps to strengthen resilience:

  • Incorporate sources of vulnerability intelligence that cover CVE and more
  • Align prioritization to exploitation activity and environmental relevance
  • Validate coverage across software, cloud, and third-party dependencies
  • Ensure that enrichment gaps do not delay remediation decisions

A Structural Shift in Vulnerability Data

For many teams, NVD has been a default source of vulnerability context. This change makes clear that its role is narrowing at a time when disclosure volume and prioritization demands are increasing.

At the same time, the role of vulnerability intelligence is expanding.

Security teams need access to data that supports prioritization, not just identification. They need consistent enrichment, faster turnaround, broader coverage, and context tied to real-world activity. As disclosure volumes continue to grow, those requirements become more central to how organizations manage risk.

Flashpoint’s Vulnerability Intelligence provides this level of coverage and context, with analyst-driven enrichment, global visibility across CVE and non-CVE vulnerabilities, and a dataset that includes over 7,000 known exploited vulnerabilities.

Request a demo to see how Flashpoint helps security teams prioritize and act on vulnerability risk with greater precision and confidence.

Begin your free trial today.

The post National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges appeared first on Flashpoint.

Flashpoint Surpasses Cataloging 7,000 Known Exploited Vulnerabilities as Disclosure Volume Accelerates

Blogs

Blog

Flashpoint Surpasses Cataloging 7,000 Known Exploited Vulnerabilities as Disclosure Volume Accelerates

In this post we explore Flashpoint’s latest milestone of surpassing cataloging 7,000 known exploited vulnerabilities and what this means for security teams.

SHARE THIS:
Default Author Image
April 15, 2026

Flashpoint Vulnerability Intelligence has surpassed cataloging 7,000 known exploited vulnerabilities, surpassing another major milestone as vulnerability disclosures accelerate across the global attack surface.

In 2025, Flashpoint tracked 44,509 disclosed vulnerabilities, a pace that continues to accelerate into 2026. Of those, 14,593 had publicly available exploits (1,944 more with proof-of-concepts), giving threat actors immediate pathways to weaponization.

This pace is shaping how exploitation unfolds, with high-impact vulnerabilities being operationalized within hours or days, particularly when they affect widely deployed technologies or core infrastructure.

Security teams are operating within this compressed environment every day. They are reviewing more findings across open-source software, commercial applications, cloud environments, and third-party dependencies, while working within tighter timelines to assess impact and take action.

Flashpoint’s latest milestone of surpassing 7,000 known exploited vulnerabilities (KEVs) cataloged reflects that reality. It highlights how vulnerability management programs are evolving toward prioritization as a core capability, with a focus on vulnerabilities tied to active exploitation and real-world risk.

What The 7,000+ KEV Milestone Means for You

Security teams are operating in a high-volume environment. Vulnerabilities are disclosed continuously across open-source software, commercial applications, cloud environments, and third-party dependencies. At the same time, advancements in automation and code analysis are increasing the rate at which new findings are surfaced.

Each of these findings enters an already crowded workflow. Teams are expected to determine relevance, urgency, and impact quickly, often with limited context. This is where risk-based decision making becomes essential.

Flashpoint tracks hundreds of thousands of vulnerabilities across thousands of sources. Within that dataset, a much smaller percentage shows confirmed exploitation activity. That concentration of risk informs how effective programs allocate time and resources.

Crossing the 7,000+ KEV milestone goes beyond scale to provide greater precision, deeper context, and stronger confidence in how teams prioritize and act on the most critical vulnerabilities.

  • Validated threats: Each KEV entry reflects observed exploitation in the wild by threat actors, including APT groups, cybercriminal operations, ransomware presence, and automated botnets.
  • Exploit-aware prioritization: In reality, only a small percentage of tracked vulnerabilities drive real-world incidents. FP KEV provides visibility into that subset so teams can focus remediation efforts where they have immediate impact.
  • Human-curated intelligence: Every entry is reviewed, validated, and enriched by analysts, with context on exploit maturity, adversary usage, and remediation pathways when available.

This level of clarity allows teams to move faster without sacrificing accuracy. It supports vulnerability management programs that are built around real-world attacker behavior and aligned to current risk.

How Public Vulnerability Data Fits Into the Picture

Public vulnerability catalogs remain useful reference points for tracking disclosures and confirmed exploitation. The CISA Known Exploited Vulnerabilities catalog, for example, gives security teams a curated view into a limited set of vulnerabilities that have been exploited in the wild that impact U.S. government stakeholders.

For many organizations, though, that level of visibility is not enough.

Public catalogs capture only part of the picture. They tend to reflect a narrower slice of exploitation activity, with less detail on how vulnerabilities are being used, which actors are leveraging them, and what defenders should do next. They also rely heavily on CVE-based tracking, leaving gaps around non-CVE exposures and other vulnerabilities that still carry operational risk.

Flashpoint’s FP KEV and Vulnerability Intelligence provide a broader and more actionable view. The advantage is visible in both scale and depth. Of the 7,000 known exploited vulnerabilities in FP KEV, over 800 are missing from CVE. That expanded coverage is paired with the context security teams need to prioritize effectively, including exploit maturity, adversary mapping, affected product detail, and remediation guidance.

DimensionPublic KEV CatalogsFlashpoint FP KEV
ScopeVaries by provider, with coverage dependent on available sources and methodologyGlobal, cross-industry coverage
CoverageCVE-based trackingCVE and non-CVE vulnerabilities
ContextLimited enrichmentExploit maturity, adversary mapping, remediation
Update ModelPeriodic updatesContinuously updated with analyst input

This is what separates a reference list from an operational dataset. Teams need vulnerability intelligence that supports triage, remediation, reporting, and broader risk reduction efforts. Wider visibility and deeper context make that possible.

The Critical Role of Human-Curated Intelligence

Vulnerability data originates from a wide range of sources with varying levels of completeness and accuracy.

Flashpoint’s intelligence model includes analyst validation to ensure consistency and depth across the dataset.

This process includes:

  • Reviewing disclosures across public and private sources
  • Validating exploit availability and usage
  • Enriching entries with technical and operational context

Analyst input supports:

  • Accurate classification of vulnerabilities
  • Clear understanding of exploitation pathways
  • Timely updates as activity evolves

Supporting Decision-Making Across Teams

Vulnerability intelligence feeds multiple functions across an organization. Teams use this data to align technical actions with current threat activity.

Common use cases include:

  • Vulnerability management: Align patching priorities with active exploitation trends.
  • Threat intelligence: Map vulnerabilities to threat actor campaigns and observed behaviors.
  • Security operations: Tune detection based on known exploit techniques.
  • Executive reporting: Communicate risk posture using data tied to real-world activity.

Each of these functions relies on consistent, enriched intelligence to maintain alignment.

Proactively Address Vulnerability Risk

Vulnerability discovery continues to expand across software ecosystems, infrastructure, and identity layers.

Security teams require a clear understanding of which issues are relevant to their environment at any given time.

Flashpoint provides primary source intelligence that supports this need through:

  • Continuous monitoring of vulnerability disclosures and exploitation
  • Analyst-driven validation and enrichment
  • Integration-ready data for operational workflows

This approach enables teams to maintain focus, allocate resources effectively, and respond to risk based on current threat activity. Request a demo and learn more today.

Begin your free trial today.

The post Flashpoint Surpasses Cataloging 7,000 Known Exploited Vulnerabilities as Disclosure Volume Accelerates appeared first on Flashpoint.

❌