The National Institute of Standards and Technology (NIST) has introduced changes to the way it handles Common Vulnerabilities and Exposures (CVEs) listed in its National Vulnerability Database (NVD), stating it will only enrich those that meet certain criteria, owing to an explosion in CVE submissions.
“CVEs that do not meet those criteria will still be listed in the NVD but will not automatically be enriched by NIST,” it stated. “This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. We don’t expect this trend to let up anytime soon.”
The prioritization criteria outlined by NIST, which went into effect on April 15, 2026, are as follows –
- CVEs appearing in the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog.
- CVEs for software used across the federal government.
- CVEs for critical software as defined by Executive Order 14028: this includes software that is designed to run with elevated privilege or manage privileges, has privileged access to networking or computing resources, controls access to data or operational technology, and operates outside of normal trust boundaries with elevated access.
Any CVE submission that does not meet these thresholds will be marked as “Not Scheduled.” The idea, NIST said, is to focus on CVEs that have the greatest potential for widespread impact.
“While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories,” it added.
NIST said the CVE submissions during the first three months of 2026 are nearly one-third higher than they were last year, and it is working faster than ever to enrich the submissions. It also said it enriched nearly 42,000 CVEs in 2025, which was 45% more than in any prior year.
In cases where a high-impact CVE has been categorized as unscheduled, users have the option to request enrichment by sending an email to “nvd@nist[.]gov.” NIST is expected to review these requests and schedule the CVEs for enrichment as applicable.
Changes have also been made to various other aspects of NVD operations. These include –
- NIST will no longer routinely provide a separate severity score for a CVE where the CVE Numbering Authority (CNA) has already provided a severity score.
- A modified CVE will be reanalyzed only if the modification “materially impacts” the enrichment data. Users can request that specific CVEs be reanalyzed by sending an email to the same address listed above.
- All unenriched CVEs currently in the backlog with an NVD publish date earlier than March 1, 2026, will be moved into the “Not Scheduled” category. This does not apply to CVEs that are already in the KEV catalog.
- NIST has updated the CVE status labels and descriptions, as well as the NVD Dashboard, to accurately reflect the status of all CVEs and other statistics in real time.
“The announcement from NIST doesn’t come as a major surprise, given they’ve previously telegraphed intent to move to a ‘risk-based’ prioritization model for CVE enrichment,” Caitlin Condon, vice president of security research at VulnCheck, said in a statement shared with The Hacker News.
“On the plus side, NIST is clearly and publicly setting expectations for the community amid a huge and escalating rise in new vulnerabilities. On the other hand, a significant portion of vulnerabilities now appear to have no clear path to enrichment for organizations relying on NIST as their authoritative (or only) source of CVE enrichment data.”
Data from the cybersecurity company shows that there are still roughly 10,000 vulnerabilities from 2025 with no CVSS score. NIST is estimated to have enriched 14,000 ‘CVE-2025’ vulnerabilities, accounting for about 32% of the 2025 CVE population.
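As an added example (not code from NIST, the NVD, or VulnCheck), the following Python triages a batch of CVE records the way these changes push defenders to work: check CISA KEV membership first, then take whatever CVSS score is present (NIST's own, or the CNA's, now that NIST will not duplicate a CNA score), and flag records with no score from any source so they can be assessed locally or put forward for an enrichment request. The two feeds are constructed samples modelled on the NVD API 2.0 and KEV catalog JSON shapes; the field names, the `nvd@nist.gov` source value on NIST-authored metrics, the threshold of 7.0, and the placeholder CVE IDs are assumptions, not data from the article.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NIST_SOURCE = "nvd@nist.gov"  # source value assumed on NIST-authored CVSS entries

# Constructed CISA KEV catalog excerpt; CVE IDs are placeholders, not real entries.
KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-2025-00001", "vendorProject": "ExampleVendor", "product": "ExampleApp"},
    ]
}

# Constructed NVD API 2.0-style records covering the three cases that matter now.
NVD_RECORDS = {
    "vulnerabilities": [
        {"cve": {  # in KEV and fully enriched by NIST
            "id": "CVE-2025-00001",
            "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [
                {"source": NIST_SOURCE, "type": "Primary",
                 "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
            ]},
        }},
        {"cve": {  # not enriched by NIST, but the CNA supplied a score
            "id": "CVE-2025-00002",
            "vulnStatus": "Awaiting Analysis",
            "metrics": {"cvssMetricV31": [
                {"source": "security@vendor.example", "type": "Secondary",
                 "cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}},
            ]},
        }},
        {"cve": {  # nobody has scored it: the gap the article's figures describe
            "id": "CVE-2025-00003",
            "vulnStatus": "Awaiting Analysis",
            "metrics": {},
        }},
    ]
}


@dataclass(frozen=True)
class Triage:
    cve_id: str
    in_kev: bool
    base_score: Optional[float]
    score_source: Optional[str]  # "NIST", "CNA" or None
    action: str


def best_score(cve: dict) -> Tuple[Optional[float], Optional[str]]:
    """Return (baseScore, label), preferring a NIST score over a CNA one.

    With NIST no longer duplicating CNA scores, most new records will carry
    only the CNA entry, so the CNA fallback is the common path, not the edge case.
    """
    entries = cve.get("metrics", {}).get("cvssMetricV31", [])
    nist = [m for m in entries if m.get("source") == NIST_SOURCE]
    cna = [m for m in entries if m.get("source") != NIST_SOURCE]
    for bucket, label in ((nist, "NIST"), (cna, "CNA")):
        if bucket:
            return float(bucket[0]["cvssData"]["baseScore"]), label
    return None, None


def triage(nvd_feed: dict, kev_feed: dict, high_threshold: float = 7.0) -> Dict[str, Triage]:
    """Classify every NVD record: KEV membership beats any score; unscored records are flagged."""
    kev_ids = {v["cveID"] for v in kev_feed["vulnerabilities"]}
    result: Dict[str, Triage] = {}
    for item in nvd_feed["vulnerabilities"]:
        cve = item["cve"]
        cve_id = cve["id"]
        score, source = best_score(cve)
        in_kev = cve_id in kev_ids
        if in_kev:
            action = "remediate-first"  # exploited in the wild; the score is secondary
        elif score is None:
            action = "unscored"         # assess locally; candidate for an enrichment request
        elif score >= high_threshold:
            action = "high"
        else:
            action = "normal"
        result[cve_id] = Triage(cve_id, in_kev, score, source, action)
    return result


def unscored(results: Dict[str, Triage]) -> List[str]:
    """IDs with no CVSS score from any source; the list to review before e-mailing NVD."""
    return sorted(cid for cid, t in results.items() if t.base_score is None)


if __name__ == "__main__":
    for t in triage(NVD_RECORDS, KEV_CATALOG).values():
        print(f"{t.cve_id}: kev={t.in_kev} score={t.base_score} source={t.score_source} -> {t.action}")
    print("unscored:", unscored(triage(NVD_RECORDS, KEV_CATALOG)))
```

The ordering in `triage` is the point: a KEV entry is remediated first regardless of score, a CNA-only score is used as-is rather than waited on, and the `unscored` list is what an organization would review before asking NVD for enrichment of the few that genuinely matter to it.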
“This announcement underscores what we already know: We no longer live in a world where manual enrichment of new vulnerabilities is a feasible or effective strategy,” Condon said.
“Even without AI-driven vulnerability discovery accelerating CVE volume and validation challenges, today’s threat climate unequivocally demands distributed, machine-speed approaches to vulnerability identification and enrichment, along with a genuinely global perspective on risk that acknowledges the interconnected, interdependent nature of the worldwide software ecosystem – and the attackers who target it. After all, what we don’t prioritize for ourselves, adversaries will prioritize for us.”
David Lindner, chief information security officer of Contrast Security, said NIST's decision to only prioritize high-impact vulnerabilities marks the end of an era in which defenders could rely on a single government-managed database to assess security risks, forcing organizations to pivot to a proactive approach to risk management that is driven by threat intelligence.
“Modern defenders must move beyond the noise of total CVE volume and instead focus their limited resources on the CISA KEV list and exploitability metrics,” Lindner said.
“While this transition may disrupt legacy auditing workflows, it ultimately matures the industry by demanding that we prioritize actual exposure over theoretical severity. Relying on a curated subset of actionable data is far more effective for national resilience than maintaining a comprehensive but unmanageable archive of every minor bug.”