TL;DR: NIST’s April 2026 NVD enrichment change prioritizes only KEV, federal, and critical software CVEs, while the rest are marked Not Scheduled, widening a gap that already existed as submissions rose 263% from 2020 to 2025 and first-quarter 2026 submissions ran nearly one-third higher than a year earlier, according to Oligo Security. Static CVE programs are now forced to confront a harder truth: runtime exploitability matters more than database completeness.
NHIMG editorial — based on content published by Oligo Security: NIST’s NVD changes and the limits of CVE-driven security
By the numbers:
- CVE submissions increased 263% between 2020 and 2025, representing an already staggering pace prior to a sharp uptick in AI-driven vulnerability submissions.
- Submissions in the first three months of 2026 are running nearly one-third higher than the same period last year.
Questions worth separating out
Q: How should security teams prioritise vulnerabilities when CVE metadata is incomplete?
A: Prioritise by runtime exposure, exploitability, and reachability, not by CVE presence alone.
Q: Why is CVE-centric security becoming less reliable?
A: CVE-centric security is less reliable because identifier volume is rising faster than enrichment can keep up, while attackers exploit technique patterns before databases are complete.
Q: What is the difference between static vulnerability scanning and runtime risk management?
A: Static scanning tells you what vulnerable code exists. Runtime risk management tells you whether that code actually executes in production, whether it is reachable, and which identities and privileges can touch it, which is the context needed to decide what to fix first.
Practitioner guidance
- Adopt runtime-first vulnerability triage: prioritise issues based on whether the affected code actually runs in production, not only on CVSS or catalog status.
- Correlate vulnerability data with identity exposure: check which service accounts, tokens, and automated jobs can reach vulnerable components before assigning remediation priority.
- Treat enrichment delays as a control gap: assume that some CVEs will remain unscheduled or partially enriched, and create fallback rules for missing metadata.
That means the control question changes from "how fast can we patch every finding?" to "how well can we prove what is actually running, reachable, and privileged at the moment of exposure?"
👉 Read Oligo Security's analysis of NVD enrichment changes and runtime risk →
Explore further
CVE-centric security is now a risk representation problem, not a risk management solution. NVD and CVE records still have value, but they are incomplete proxies for whether an issue is reachable, exploitable, or operationally relevant. Once enrichment falls behind submission volume, teams are triaging by paperwork instead of by exposure. For NHI governance, this is a familiar failure mode because identity inventories without runtime context create the same false confidence. Practitioner conclusion: treat CVE data as one input, not the control plane.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, reinforcing why runtime visibility matters when vulnerability workflows lag.
A question worth separating out:
Q: When should teams treat missing enrichment as a priority signal?
A: Treat missing enrichment as a priority signal when the affected software is exposed, business-critical, or tied to automated identities that can move fast. Missing metadata means the queue is incomplete, not that the risk is low. In those cases, use compensating signals such as exploit activity, runtime execution, and privilege scope.
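One way to encode the practitioner guidance above (runtime-first triage, identity correlation, a fallback rule for missing enrichment) together with the answer on treating missing enrichment as a priority signal, as an added example that is not part of the Oligo or NHIMG material: a small Python scorer run over constructed findings. The record fields, weights, thresholds and sample data are assumptions for illustration; a real pipeline would normalise NVD, KEV, runtime-sensor and NHI-inventory feeds into these shapes before scoring.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical record shapes (assumed for this example). Real feeds such as NVD
# JSON, the CISA KEV catalogue, a runtime sensor and an NHI inventory would be
# normalised into these before triage.


@dataclass
class Finding:
    cve_id: str
    component: str
    cvss: Optional[float]            # None when NVD has not enriched the record
    enrichment: str = "enriched"     # "enriched" | "not_scheduled" | "pending"
    in_kev: bool = False             # listed in CISA KEV


@dataclass
class RuntimeContext:
    executes_in_prod: bool           # component is loaded/executed, not merely on disk
    internet_exposed: bool = False
    business_critical: bool = False
    exploit_activity: bool = False   # exploitation attempts observed in telemetry
    identities: list[str] = field(default_factory=list)  # NHIs that can reach it
    identity_privilege: str = "low"  # highest privilege among them: low|medium|high


@dataclass
class TriageResult:
    cve_id: str
    priority: str                    # "defer" | "P1" | "P2" | "P3"
    score: int
    reasons: list[str]


PRIVILEGE_WEIGHT = {"low": 0, "medium": 10, "high": 20}   # assumed weights


def triage(f: Finding, rt: RuntimeContext) -> TriageResult:
    reasons: list[str] = []
    # Rule 1: code that never executes in production is deferred regardless of CVSS.
    if not rt.executes_in_prod:
        reasons.append("component present but not executed at runtime")
        return TriageResult(f.cve_id, "defer", 0, reasons)

    score = 0
    # Rule 2: exploitation evidence outranks catalogue completeness.
    if f.in_kev or rt.exploit_activity:
        score += 40
        reasons.append("KEV-listed or exploitation observed")
    # Rule 3: exposure and blast radius.
    if rt.internet_exposed:
        score += 15
        reasons.append("internet exposed")
    if rt.business_critical:
        score += 10
        reasons.append("business critical")
    # Rule 4: identity exposure, i.e. which NHIs can reach the vulnerable component.
    priv = PRIVILEGE_WEIGHT[rt.identity_privilege]
    if priv:
        score += priv
        reasons.append(f"reachable by {len(rt.identities)} identities, "
                       f"highest privilege {rt.identity_privilege}")
    # Rule 5: severity, with a fallback when enrichment is missing.
    if f.cvss is not None:
        score += min(30, int(f.cvss * 3))   # 0..30, truncated
    else:
        # Missing metadata means the queue is incomplete, not that the risk is low:
        # give unknown severity a non-zero weight, raised when compensating signals exist.
        compensating = (rt.internet_exposed or rt.business_critical
                        or rt.identity_privilege == "high")
        score += 25 if compensating else 15
        reasons.append(f"NVD enrichment {f.enrichment}: CVSS unavailable, "
                       "using compensating signals")

    priority = "P1" if score >= 60 else "P2" if score >= 35 else "P3"
    return TriageResult(f.cve_id, priority, score, reasons)


# Constructed sample data (not real CVEs): one high-CVSS finding that never runs,
# one unenriched finding on an exposed service reachable by privileged NHIs,
# one moderate finding with no exposure, and one KEV-listed finding.
SAMPLE = [
    (Finding("CVE-A", "libfoo", 9.8),
     RuntimeContext(executes_in_prod=False, internet_exposed=True)),
    (Finding("CVE-B", "svc-gateway", None, enrichment="not_scheduled"),
     RuntimeContext(executes_in_prod=True, internet_exposed=True,
                    identities=["svc-deploy", "ci-runner"], identity_privilege="high")),
    (Finding("CVE-C", "log-lib", 5.3),
     RuntimeContext(executes_in_prod=True)),
    (Finding("CVE-D", "auth-lib", 7.5, in_kev=True),
     RuntimeContext(executes_in_prod=True, identities=["batch-job"],
                    identity_privilege="medium")),
]


def triage_queue(pairs=SAMPLE) -> list[TriageResult]:
    """Score every finding and order the queue by priority, then by score."""
    order = {"P1": 0, "P2": 1, "P3": 2, "defer": 3}
    results = [triage(f, rt) for f, rt in pairs]
    return sorted(results, key=lambda r: (order[r.priority], -r.score))


if __name__ == "__main__":
    for r in triage_queue():
        print(f"{r.priority:5} {r.score:3} {r.cve_id:6} {'; '.join(r.reasons)}")
```

Note how the ordering comes out: the unenriched CVE-B, which a CVSS-only queue would push to the bottom or drop as "Not Scheduled", lands in P1 because it is exposed and reachable by high-privilege automated identities, while the 9.8-rated CVE-A is deferred because the code never executes. The weights are arbitrary; the point is that every finding gets a score from runtime and identity signals even when the catalogue record is empty.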
👉 Read our full editorial: NVD prioritization exposes the limits of CVE-centric security