HomeIntelligenceBrief
BREACH BRIEF🟠 High Advisory

NIST Vulnerability Database Backlog Swells to 27,000 Unprocessed Flaws, Threatening Timely Patch Prioritization

An Inspector General report reveals that NIST’s National Vulnerability Database now has over 27,000 unprocessed vulnerabilities due to contractor payment delays and poor coordination with CISA, eroding trust in a core cyber‑risk resource. Third‑party risk managers must reassess reliance on NVD feeds.

LiveThreat™ Intelligence · 📅 June 02, 2026· 📰 therecord.media
🟠
Severity
High
AD
Type
Advisory
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
3 recommended
📰
Source
therecord.media

NIST Vulnerability Database Backlog Swells to 27,000 Unprocessed Flaws, Threatening Timely Patch Prioritization

What Happened — An Inspector General report found that the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) backlog grew from ~13,000 unprocessed CVEs in February 2024 to more than 27,000 by the end of 2025. The surge was driven by halted contractor payments, lack of a processing plan, and poor coordination with the Cybersecurity and Infrastructure Security Agency (CISA), resulting in duplicated effort and an estimated $200 k waste.

Why It Matters for TPRM

  • The NVD is a primary source for vulnerability scoring; a stale database lengthens exposure windows for all downstream vendors.
  • Governance failures at a critical public‑sector supplier signal potential supply‑chain risk for organizations that depend on its data.
  • Duplicate work and delayed entries reduce confidence in vulnerability‑management metrics used in third‑party risk assessments.

Who Is Affected — All industries that rely on NVD feeds for patch prioritization, notably technology SaaS, cloud‑infrastructure providers, government contractors, and critical‑infrastructure operators.

Recommended Actions

  • Validate that your vulnerability‑management program does not rely solely on NVD data; incorporate alternative feeds (vendor advisories, private CVE feeds).
  • Engage NIST (or your government liaison) to obtain updated processing timelines and request transparency on backlog remediation.
  • Review internal governance to ensure third‑party data sources are regularly audited for timeliness and completeness.

Technical Notes — The backlog stems from administrative missteps (stopped contractor payments, absent processing roadmap) and a lack of inter‑agency communication, not from a specific software flaw. No CVE identifiers or data‑type breaches are disclosed; the impact is the loss of timely vulnerability metadata. Source: The Record

📰 Original Source
https://therecord.media/nist-mistakes-vulnerability-database-inspector-general

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →