The Agency That Tracks Software Vulnerabilities Just Admitted It Can't Keep Up
NIST — the US government body that documents every known software security flaw — announced this week it can no longer analyse them all. CVE submissions have grown 263% since 2020. Here's what that means for your Ontario business in plain English.
There's a quiet story that broke this week that most business owners completely missed — buried under the noise of Patch Tuesday and the latest breach headlines. But it matters more than almost anything else we've written about this month.
NIST — the United States National Institute of Standards and Technology — runs something called the National Vulnerability Database. It's the world's authoritative reference for every known software security flaw. When a vulnerability is discovered in any piece of software, it gets assigned a CVE number, and NIST documents it: what it is, how severe it is, what software is affected, and how to fix it.
Cybersecurity tools around the world — including the tools used by IT teams protecting businesses like yours — rely on this database to know what to patch and how urgently.
On April 15, 2026, NIST announced it can no longer keep up.
What NIST actually said
The number of new vulnerability submissions has grown 263% between 2020 and 2025. In just the first three months of 2026, submissions are running nearly one-third higher than the same period last year. NIST processed nearly 42,000 CVEs in 2025 — 45% more than any previous year — and it still isn't enough.
"We are working faster than ever. We enriched nearly 42,000 CVEs in 2025 — 45% more than any prior year. But this increased productivity is not enough to keep up with growing submissions." — NIST, April 15, 2026
Going forward, NIST will only fully document vulnerabilities that meet specific priority criteria — mainly those already confirmed to be actively exploited, and those affecting government or critical infrastructure software. Everything else will still be listed, but without severity scores, without details on which products are affected, and without the context that makes a CVE entry actionable.
Security experts are forecasting more than 50,000 new CVEs in 2026 alone — a record. And with AI tools increasingly being used to find vulnerabilities automatically, that number is expected to keep climbing.
The 13-year flaw that nobody knew existed
The same week NIST made this announcement, CISA confirmed that attackers are actively exploiting a vulnerability in Apache ActiveMQ — a piece of software used in thousands of business systems worldwide. The flaw had been sitting undetected for 13 years before it was discovered. According to security researchers, it had been "hiding in plain sight" since 2013.
This is not an isolated case. It's a pattern. Vulnerabilities sit undetected for years. By the time they're discovered and documented, attackers may already be using them. And now, with the agency responsible for documenting these flaws officially overwhelmed, the gap between discovery and actionable guidance is going to widen.
A vulnerability in software your business uses could be discovered today. It could affect your systems. It could even be actively exploited. And under NIST's new model, there may be no CVSS severity score, no affected product list, and no clear documentation to alert your IT team — because it didn't meet the priority threshold for full enrichment.
Why the volume is exploding
Two forces are driving the surge. The first is the sheer scale of modern software. Businesses today run on dozens of SaaS tools, cloud platforms, operating systems, browser extensions, plugins, and applications — each with their own code, each capable of containing flaws. The more software exists, the more vulnerabilities exist.
The second is speed. Automated vulnerability-scanning tools — increasingly powered by the same AI technology that attackers are using — are finding flaws faster than human researchers ever could. In the first 100 days of 2026, security researchers have already tracked roughly the same number of open-source vulnerabilities as in all of 2025. The rate is accelerating, not stabilising.
"The result is a widening gap between the volume of vulnerabilities being disclosed and the amount of context defenders have available to evaluate them. That gap doesn't disappear just because enrichment becomes more selective." — VulnCheck VP of Security Research
What this means for Ontario businesses
For years, the standard advice was simple: apply patches when they come out and you'll be protected. That advice is still correct — but it's no longer sufficient on its own. Here's why.
With CrowdStrike's 2026 Global Threat Report putting average attacker breakout time at just 29 minutes, the window between a patch being released and attackers attempting to exploit unpatched systems is measured in hours. Automated patch management — not "we'll get to it next week" — is now the only viable approach.
For businesses relying on basic IT tools that pull from the NVD, a significant portion of vulnerabilities will now arrive without severity scores or product details. Your IT provider needs to use multiple intelligence sources — not just NIST — to maintain full visibility of what's relevant to your systems.
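The point made here and in the description of NIST's new model above (some CVE records will arrive listed but without a NIST severity score or affected-product list) is easy to check for programmatically. The script below is an added example, not code from the article or from 247Techify. It triages records shaped like the NVD API's per-CVE objects, preferring NIST's own CVSS metric, falling back to the score the reporting CNA supplied, and treating an exploited-in-the-wild listing as an urgent signal even when no score exists at all. The four records, the CVE identifiers (year 0000 placeholders), the CNA source address and the known-exploited list are all constructed samples; the field names (vulnStatus, metrics.cvssMetricV31, type, configurations) are assumed to follow the NVD API 2.0 layout.

```python
"""Triage CVE records that may lack NIST enrichment.

Added example (not from the original article). Records below are
constructed samples shaped like NVD API 2.0 `cve` objects; the field
names are an assumption about that layout. CVE ids are placeholders.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed samples covering the cases the new NIST model produces.
SAMPLE_RECORDS = [
    {   # fully enriched: NIST "Primary" metric and CPE configurations present
        "id": "CVE-0000-0001",
        "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [
            {"source": "nvd@nist.gov", "type": "Primary",
             "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
            {"source": "cna@example.invalid", "type": "Secondary",
             "cvssData": {"baseScore": 8.8, "baseSeverity": "HIGH"}},
        ]},
        "configurations": [{"nodes": [{"cpeMatch": [
            {"criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}],
    },
    {   # not enriched by NIST, but the reporting CNA supplied a score
        "id": "CVE-0000-0002",
        "vulnStatus": "Awaiting Analysis",
        "metrics": {"cvssMetricV31": [
            {"source": "cna@example.invalid", "type": "Secondary",
             "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}},
        ]},
        "configurations": [],
    },
    {   # no score from anyone, no product list; only signal is exploitation
        "id": "CVE-0000-0003",
        "vulnStatus": "Awaiting Analysis",
        "metrics": {},
        "configurations": [],
    },
    {   # enriched, moderate score, not exploited: routine tracking
        "id": "CVE-0000-0004",
        "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [
            {"source": "nvd@nist.gov", "type": "Primary",
             "cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}},
        ]},
        "configurations": [{"nodes": [{"cpeMatch": [
            {"criteria": "cpe:2.3:a:example:lib:2.0:*:*:*:*:*:*:*"}]}]}],
    },
]

# Constructed stand-in for an exploited-in-the-wild catalog such as CISA KEV.
KNOWN_EXPLOITED = {"CVE-0000-0003"}


@dataclass
class Triage:
    cve_id: str
    score: Optional[float]   # best available CVSS v3.1 base score, if any
    score_source: str        # "nvd", "cna", or "none"
    has_products: bool       # NIST CPE configurations present
    exploited: bool
    priority: str            # "urgent", "review", or "track"


def best_score(record):
    """Prefer NIST's Primary metric; fall back to a CNA-supplied Secondary one."""
    metrics = record.get("metrics", {}).get("cvssMetricV31", [])
    for wanted, label in (("Primary", "nvd"), ("Secondary", "cna")):
        for m in metrics:
            if m.get("type") == wanted:
                return m["cvssData"]["baseScore"], label
    return None, "none"


def triage(record, exploited_ids=KNOWN_EXPLOITED):
    """Assign a priority that does not depend on NIST having finished its work."""
    score, source = best_score(record)
    has_products = bool(record.get("configurations"))
    exploited = record["id"] in exploited_ids
    if exploited or (score is not None and score >= 9.0):
        priority = "urgent"
    elif score is None or not has_products:
        # Missing enrichment is a reason for a human look, not a reason to ignore it.
        priority = "review"
    else:
        priority = "track"
    return Triage(record["id"], score, source, has_products, exploited, priority)


def triage_all(records=SAMPLE_RECORDS):
    return [triage(r) for r in records]


def unenriched(records=SAMPLE_RECORDS):
    """Ids of records whose score or product list did not come from NIST."""
    return [t.cve_id for t in triage_all(records)
            if t.score_source != "nvd" or not t.has_products]


if __name__ == "__main__":
    for t in triage_all():
        print(f"{t.cve_id}: {t.priority:6} score={t.score} ({t.score_source})"
              f" products={t.has_products} exploited={t.exploited}")
```

The design choice worth noting is that a record with no score and no product list is routed to "review" rather than dropped: under the selective-enrichment model, silence from NIST says nothing about severity, so the absence of a score has to be treated as a gap to fill from another source rather than as a low rating. In practice the exploited-ids set would be loaded from a real catalog feed and the records from the NVD or a vendor feed.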
The 13-year Apache flaw is a reminder that vulnerabilities don't announce themselves. The most dangerous flaws are the ones nobody has found yet. This is why layered security — network monitoring, endpoint protection, access controls, and backups — matters as much as patching. You need protection that works even before a patch exists.
The volume of vulnerabilities is only going to grow. Businesses that patch reactively — waiting for something to break, or for a newsletter to tell them there's a problem — are going to fall further and further behind. The only viable model now is continuous, proactive monitoring by people who are watching this full time.
The bottom line
NIST's announcement is not a crisis. It's a reality check. The cybersecurity landscape has grown so complex, so fast, that even the government agencies designed to track it are struggling to keep pace. That doesn't mean businesses are defenceless — it means the bar for what "good IT management" looks like has risen.
The businesses that will navigate 2026 safely are the ones with someone watching their systems every day — not just when something breaks. Someone who patches promptly, monitors continuously, and has the tools and intelligence sources to catch what NIST can no longer fully document.
That's what 247Techify does for small and medium businesses across Ontario. If you'd like to know whether your business is keeping pace with the current threat landscape, a free IT review is the fastest place to start.