The National Institute of Standards and Technology (NIST) has announced changes to the way it handles cybersecurity vulnerabilities and exposures (CVEs) listed in its National Vulnerability Database (NVD), stating it will only enrich those that fulfil certain conditions owing to an explosion in CVE submissions.
"CVEs that do not meet those criteria will still be listed in the NVD but will not automatically be enriched by NIST," it said. "This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. We don’t expect this trend to let up anytime soon."
The prioritization criteria outlined by NIST, which went into effect on April 15, 2026, are as follows -
- CVEs appearing in the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog.
- CVEs for software used within the federal government.
- CVEs for critical software as defined by Executive Order 14028: this includes software that's designed to run with elevated privilege or managed privileges, has privileged access to networking or computing resources, controls access to data or operational technology, and operates outside of normal trust boundaries with elevated access.
Any CVE submission that doesn't meet these thresholds will be marked as "Not Scheduled." The idea, NIST said, is to focus on CVEs that have the maximum potential for widespread impact.
"While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories," it added.
NIST said the CVE submissions during the first three months of 2026 are nearly one-third higher than they were last year, and it's working faster than ever to enrich the submissions. It also said it enriched nearly 42,000 CVEs in 2025, which was 45% more than any prior year.
In cases where a high-impact CVE has been categorized as unscheduled, users have the option to request enrichment by sending an email to "nvd@nist[.]gov."NIST is expected to review those requests and schedule the CVEs for enrichment as applicable.
Changes have also been instituted for various other aspects of the NVD operations. These include -
- NIST will no longer routinely provide a separate severity score for a CVE where the CVE Numbering Authority has already provided a severity score.
- A modified CVE will be reanalyzed only if it "materially impacts" the enrichment data. Users can request specific CVEs to be reanalyzed by sending an email to the same address listed above.
- All unenriched CVEs currently in backlog with an NVD publish date earlier than March 1, 2026, will be moved into the "Not Scheduled" category. This does not apply to CVEs that are already in the KEV catalog.
- NIST has updated the CVE status labels and descriptions, as well as the NVD Dashboard, to accurately reflect the status of all CVEs and other statistics in real time.
"The announcement from NIST doesn't come as a major surprise, given they've previously telegraphed intent to move to a 'risk-based' prioritization model for CVE enrichment," Caitlin Condon, vice president of security research at VulnCheck, said in a statement shared with The Hacker News.
"On the plus side, NIST is clearly and publicly setting expectations for the community amid a huge and escalating rise in new vulnerabilities. On the other hand, a significant portion of vulnerabilities now appear to have no clear path to enrichment for organizations relying on NIST as their authoritative (or only) source of CVE enrichment data."
Data from the cybersecurity company shows that there are still approximately 10,000 vulnerabilities from 2025 without a CVSS score. NIST is estimated to have enriched 14,000 'CVE-2025' vulnerabilities, accounting for about 32% of the 2025 CVE population.
"This announcement underscores what we already know: We no longer live in a world where manual enrichment of new vulnerabilities is a feasible or effective strategy," Condon said.
"Even without AI-driven vulnerability discovery accelerating CVE volume and validation challenges, today's threat climate unequivocally demands distributed, machine-speed approaches to vulnerability identification and enrichment, along with a genuinely global perspective on risk that acknowledges the interconnected, interdependent nature of the worldwide software ecosystem – and the attackers who target it. After all, what we don't prioritize for ourselves, adversaries will prioritize for us."
David Lindner, chief information security officer of Contrast Security, said NIST's decision to only prioritize high-impact vulnerabilities marks the end of an era where defenders could leverage a single government-managed database to assess security risks, forcing organizations to pivot to a proactive approach to risk management that's driven by threat intelligence.
"Modern defenders must move beyond the noise of total CVE volume and instead focus their limited resources on the CISA KEV list and exploitability metrics," Lindner said.
"While this transition may disrupt legacy auditing workflows, it ultimately matures the industry by demanding that we prioritize actual exposure over theoretical severity. Relying on a curated subset of actionable data is far more effective for national resilience than maintaining a comprehensive but unmanageable archive of every minor bug."
