NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions


Ravie Lakshmanan, Apr 17, 2026, Vulnerability Management

The National Institute of Standards and Technology (NIST) has announced changes to the way it handles cybersecurity vulnerabilities and exposures (CVEs) listed in its National Vulnerability Database (NVD), stating it will only enrich those that meet certain conditions owing to an explosion in CVE submissions.

“CVEs that do not meet these criteria will still be listed in the NVD but will not automatically be enriched by NIST,” it said. “This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. We do not expect this trend to let up anytime soon.”

The prioritization criteria outlined by NIST, which went into effect on April 15, 2026, are as follows –

  • CVEs appearing in the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog.
  • CVEs for software used across the federal government.
  • CVEs for critical software as defined by Executive Order 14028: this includes software that is designed to run with elevated privilege or manage privileges, has privileged access to networking or computing resources, controls access to data or operational technology, and operates outside of normal trust boundaries with elevated access.

Any CVE submission that does not meet these thresholds will be marked as “Not Scheduled.” The idea, NIST said, is to focus on CVEs that have the highest potential for widespread impact.

“While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories,” it added.

NIST said the CVE submissions during the first three months of 2026 are nearly one-third higher than they were last year, and it is working faster than ever to enrich the submissions. It also said it enriched nearly 42,000 CVEs in 2025, which was 45% higher than any prior year.

In cases where a high-impact CVE has been categorized as unscheduled, users have the option to request enrichment by sending an email to “nvd@nist[.]gov.” NIST is expected to review these requests and schedule the CVEs for enrichment as applicable.
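A practical consequence of the criteria above is that a defender can no longer assume every CVE in an NVD pull carries a NIST-assigned CVSS score. The script below is an added example (not NIST's, CISA's or VulnCheck's code) that reads records shaped like the NVD API 2.0 JSON (`cve.id`, `cve.vulnStatus`, `cve.metrics.cvssMetricV31[]` with `source` and `cvssData.baseScore`) and a feed shaped like CISA's KEV JSON (`vulnerabilities[].cveID`), then sorts each CVE into a bucket: listed in KEV, scored by NIST, scored only by the CNA, or unscored. The string `"Not Scheduled"` as a `vulnStatus` value is an assumption taken from the article's wording, and all records in the block are constructed sample data, so it runs offline.

```python
"""Triage helper for CVE records that may lack NIST enrichment.

Added example, not NIST's, CISA's or VulnCheck's code. Input shapes
follow the public NVD API 2.0 and CISA KEV JSON layouts; the sample
records below are constructed for illustration.
"""
import json

NIST_SOURCE = "nvd@nist.gov"      # source NIST puts on CVSS metrics it assigns itself
UNSCHEDULED = {"Not Scheduled"}   # ASSUMPTION: vulnStatus value for CVEs NIST will not enrich

# Constructed sample: three records in NVD API 2.0 layout.
NVD_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cve": {"id": "CVE-2025-00001", "vulnStatus": "Analyzed",
           "metrics": {"cvssMetricV31": [
             {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": 9.8}},
             {"source": "cna@example.test", "type": "Secondary", "cvssData": {"baseScore": 8.8}}]}}},
  {"cve": {"id": "CVE-2025-00002", "vulnStatus": "Not Scheduled",
           "metrics": {"cvssMetricV31": [
             {"source": "cna@example.test", "type": "Secondary", "cvssData": {"baseScore": 7.5}}]}}},
  {"cve": {"id": "CVE-2025-00003", "vulnStatus": "Not Scheduled", "metrics": {}}}
]}
""")

# Constructed sample KEV feed: only the second CVE is listed as exploited.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [{"cveID": "CVE-2025-00002", "vendorProject": "Example", "product": "Widget"}]}
""")


def kev_ids(kev_feed):
    """Set of CVE IDs present in a KEV-shaped feed."""
    return {v["cveID"] for v in kev_feed.get("vulnerabilities", [])}


def best_score(cve):
    """Return (baseScore, source), preferring a NIST metric, then any CNA metric.

    Looks at the v3.1 and v4.0 arrays; older NVD records may also carry
    cvssMetricV30 / cvssMetricV2, which are ignored here for brevity.
    """
    metrics = cve.get("metrics", {})
    candidates = []
    for key in ("cvssMetricV31", "cvssMetricV40"):
        candidates.extend(metrics.get(key, []))
    nist = [m for m in candidates if m.get("source") == NIST_SOURCE]
    pick = nist[0] if nist else (candidates[0] if candidates else None)
    if pick is None:
        return None, None
    return pick["cvssData"]["baseScore"], pick["source"]


def triage(nvd_feed, kev_feed):
    """Map each CVE ID to a handling bucket plus the facts the bucket was based on."""
    kev = kev_ids(kev_feed)
    out = {}
    for item in nvd_feed.get("vulnerabilities", []):
        cve = item["cve"]
        score, source = best_score(cve)
        in_kev = cve["id"] in kev
        nist_enriched = source == NIST_SOURCE
        if in_kev:
            bucket = "kev-urgent"      # exploited in the wild; act regardless of NVD status
        elif nist_enriched:
            bucket = "nist-scored"     # NIST analysis present, normal CVSS-driven handling
        elif score is not None:
            bucket = "cna-scored"      # only the CNA's score exists; treat as provisional
        else:
            bucket = "unscored"        # no score at all: own analysis or enrichment request
        out[cve["id"]] = {
            "status": cve.get("vulnStatus"),
            "unscheduled": cve.get("vulnStatus") in UNSCHEDULED,
            "in_kev": in_kev,
            "nist_enriched": nist_enriched,
            "score": score,
            "bucket": bucket,
        }
    return out


if __name__ == "__main__":
    for cve_id, row in triage(NVD_SAMPLE, KEV_SAMPLE).items():
        print(cve_id, row["bucket"], row["score"], "KEV" if row["in_kev"] else "")
```

Against live data the same functions work on the output of the NVD API 2.0 `/rest/json/cves/2.0` endpoint and CISA's `known_exploited_vulnerabilities.json`; the "unscored" bucket is the list of CVEs for which an organization would either do its own scoring or send the enrichment request described above.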

Changes have also been instituted for various other aspects of the NVD operations. These include –

“The announcement from NIST does not come as a major surprise, given they've previously telegraphed intent to move to a ‘risk-based’ prioritization model for CVE enrichment,” Caitlin Condon, vice president of security research at VulnCheck, said in a statement shared with The Hacker News.

“On the plus side, NIST is clearly and publicly setting expectations for the community amid a massive and escalating rise in new vulnerabilities. However, a significant portion of vulnerabilities now appear to have no clear path to enrichment for organizations relying on NIST as their authoritative (or only) source of CVE enrichment data.”

Data from the cybersecurity company shows that there are still roughly 10,000 vulnerabilities from 2025 with no CVSS score. NIST is estimated to have enriched 14,000 ‘CVE-2025’ vulnerabilities, accounting for about 32% of the 2025 CVE population.

“This announcement underscores what we already know: We no longer live in a world where manual enrichment of new vulnerabilities is a feasible or effective strategy,” Condon said.

“Even without AI-driven vulnerability discovery accelerating CVE volume and validation challenges, today's threat climate unequivocally demands distributed, machine-speed approaches to vulnerability identification and enrichment, along with a genuinely global perspective on risk that acknowledges the interconnected, interdependent nature of the global software ecosystem – and the attackers who target it. After all, what we don't prioritize for ourselves, adversaries will prioritize for us.”

David Lindner, chief information security officer of Contrast Security, said NIST's decision to only prioritize high-impact vulnerabilities marks the end of an era where defenders could leverage a single government-managed database to assess security risks, forcing organizations to pivot to a proactive approach to risk management that is driven by threat intelligence.

“Modern defenders must move beyond the noise of total CVE volume and instead focus their limited resources on the CISA KEV list and exploitability metrics,” Lindner said.

“While this transition may disrupt legacy auditing workflows, it ultimately matures the industry by demanding that we prioritize actual exposure over theoretical severity. Relying on a curated subset of actionable data is far more effective for national resilience than maintaining a comprehensive but unmanageable archive of every minor bug.”
