Inspector general finds NIST mistakes have made vulnerability database ineffective
NIST’s National Vulnerability Database (NVD) backlog mushroomed from 13,000 unprocessed security vulnerabilities in February 2024 to more than 27,000 by the end of 2025, “undermining the NVD’s utility and public trust," according to an inspector general report.
A key cybersecurity vulnerability database run by the National Institute of Standards and Technology (NIST) has been crippled by mismanagement and other strategic failings, leading to an extreme backlog, according to a new internal watchdog report.
NIST’s National Vulnerability Database (NVD) backlog mushroomed from 13,000 unprocessed security vulnerabilities in February 2024 to more than 27,000 by the end of 2025, “undermining the NVD’s utility and public trust,” according to a report published by the inspector general of the Department of Commerce Tuesday.
The NVD is a critical tool that industry and government cybersecurity workers use to prioritize which cybersecurity vulnerabilities need to be addressed in what order. The worsening backlog first became a serious issue in February 2024 when NIST stopped paying the contractors who process the security flaws.
Source: https://therecord.media/nist-mistakes-vulnerability-database-inspector-general
Related breach coverage
- U.S. CISA adds Oracle WebLogic flaw to its Known Exploited Vulnerabilities catalog2026-06-02
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Oracle WebLogic flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Palo Alto Networks PAN-OS flaw, tracked as CVE-2024-21182 (CVSS score of 7.5), to its Known Exploited Vulnerabilities (KEV) catalog. The CVE-2024-21182 flaw is an easily exploitable vulnerability affecting Oracle WebLogic […]
- Romanian national sentenced to more than 4 years for hacking Oregon government systems2026-05-27
Dragomir was arrested in Romania in November 2024 and brought to the U.S. last year to face charges for hacking into the network belonging to Oregon’s Office of Emergency Management.
- Ghost CMS flaw abused to push ClickFix attacks on hundreds of sites2026-05-25
Attackers are exploiting the patched Ghost CMS flaw CVE-2026-26980, compromising over 700 unpatched sites, including universities. Threat actors are actively exploiting a security flaw, tracked as CVE-2026-26980, in Ghost CMS that was fixed months ago in real attacks against unpatched websites. According to Qianxin, the campaign has already affected more than 700 sites, including well-known organizations and […]
- 340 Million OnlyFans Profiles Allegedly Rebuilt from Leaks2026-05-25
A hacker is selling a 340M-strong OnlyFans-linked dataset built by correlating old breaches and public data, not by hacking OnlyFans directly. A threat actor is adverertising a purported database containing data of 340 million OnlyFans users, but the available evidence points to something less dramatic than a direct breach. According to HackRead, which reported the […]