
The National Institute of Standards and Technology (NIST) announced changes to how it handles Common Vulnerabilities and Exposures (CVEs) listed in the National Vulnerability Database (NVD), saying that because of a sharp increase in CVE submissions it will enrich only those that meet certain criteria.
“CVEs that do not meet these criteria will continue to be listed in the NVD, but will not be automatically enhanced by NIST,” the report said. “This shift is being driven by a sharp increase in CVE filings, which increased by 263% between 2020 and 2025, and we don’t see this trend slowing down anytime soon.”
The prioritization criteria outlined by NIST, effective April 15, 2026, are:
- CVEs listed in the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog.
- CVEs affecting software used within the federal government.
- CVEs affecting critical software as defined in Executive Order 14028. This includes software that is designed to run with elevated or managed privileges, has privileged access to networking or computing resources, controls access to data or operational technology, or operates outside normal trust boundaries with elevated access.
CVE submissions that do not meet these thresholds are marked “Unscheduled.” The intent, according to NIST, is to focus on the CVEs with the greatest potential for widespread impact.
“CVEs that do not meet these criteria can have a significant impact on affected systems, but generally do not present the same level of system risk as CVEs that are included in priority categories,” it added.
NIST said the number of CVE submissions in the first three months of 2026 is up nearly one-third from last year, and that it is enriching them faster than ever. It also said it enriched nearly 42,000 CVEs in 2025, an increase of 45% from the previous year.
If a high-impact CVE is classified as Unscheduled, users can request enrichment by emailing ‘nvd@nist’. NIST is expected to consider these requests and schedule CVE enrichment as needed.
Changes have also been made to various other aspects of NVD operation. These include:
- NIST will no longer routinely provide a separate severity score for a CVE when the CVE Numbering Authority (CNA) already provides one.
- Modified CVEs will be re-analyzed only if the modification has a “significant impact” on the enrichment data. Users can request re-analysis of a particular CVE by emailing the same address listed above.
- All unenriched CVEs currently in the backlog with an NVD publication date before March 1, 2026 will be moved to the “Unscheduled” category. This does not apply to CVEs already in the KEV catalog.
- NIST has updated the CVE status labels and descriptions and the NVD dashboard so that they reflect the status and other statistics of all CVEs accurately and in real time.
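The practical consequence of the criteria and changes above is that a defender can no longer assume an NVD record carries a NIST score. The following triage script is an added example (not from the article, NIST or CISA): it reads NVD API 2.0-style records and a KEV catalog excerpt, prefers NIST “Primary” metrics, falls back to the CNA’s “Secondary” score as the new policy implies, and flags unscored CVEs that will stay that way unless enrichment is requested. The field names follow the public NVD and KEV JSON layouts; the sample records and the 7.0 threshold are constructed for illustration.

```python
from typing import Optional

# Constructed KEV catalog excerpt; the real catalog is a JSON object whose
# "vulnerabilities" array carries a "cveID" per entry.
KEV_CATALOG = {"vulnerabilities": [{"cveID": "CVE-2025-00001"}]}

# Constructed NVD API 2.0-style records. In NVD metrics, "type" is "Primary"
# for NIST-provided scores and "Secondary" for scores supplied by the CNA.
NVD_RECORDS = [
    {"cve": {"id": "CVE-2025-00001", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    {"cve": {"id": "CVE-2025-00002", "vulnStatus": "Awaiting Analysis", "metrics": {
        "cvssMetricV31": [{"type": "Secondary", "cvssData": {"baseScore": 8.8}}]}}},
    {"cve": {"id": "CVE-2025-00003", "vulnStatus": "Analyzed", "metrics": {
        "cvssMetricV31": [{"type": "Primary", "cvssData": {"baseScore": 5.3}}]}}},
    {"cve": {"id": "CVE-2025-00004", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
]


def best_score(cve: dict) -> Optional[tuple]:
    """Prefer a NIST (Primary) CVSS score, fall back to the CNA (Secondary) one."""
    entries = []
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30"):
        entries += cve.get("metrics", {}).get(key, [])
    for wanted, provider in (("Primary", "NIST"), ("Secondary", "CNA")):
        for m in entries:
            if m.get("type") == wanted:
                return float(m["cvssData"]["baseScore"]), provider
    return None


def triage(record: dict, kev: dict = KEV_CATALOG) -> dict:
    """Bucket one NVD record the way a defender would under the new policy."""
    cve = record["cve"]
    kev_ids = {v["cveID"] for v in kev["vulnerabilities"]}
    score = best_score(cve)
    if cve["id"] in kev_ids:
        bucket, action = "P1", "exploited in the wild; remediate regardless of score"
    elif score and score[0] >= 7.0:  # threshold is an assumption, not NIST policy
        bucket, action = "P2", f"high CVSS from {score[1]}; schedule remediation"
    elif score:
        bucket, action = "P3", f"scored by {score[1]}; track"
    else:
        # Neither NIST nor the CNA supplied a score: under the new policy this
        # CVE is likely Unscheduled, so the gap will not close on its own.
        bucket, action = "REVIEW", "no CVSS; assess impact and request enrichment"
    return {"id": cve["id"], "bucket": bucket, "score": score, "action": action}


def triage_all(records=NVD_RECORDS, kev=KEV_CATALOG) -> list:
    """Triage every record, most urgent bucket first."""
    order = {"P1": 0, "P2": 1, "P3": 2, "REVIEW": 3}
    return sorted((triage(r, kev) for r in records), key=lambda t: order[t["bucket"]])
```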
“This announcement from NIST is not a huge surprise, given that NIST has previously signaled its intention to move to a ‘risk-based’ prioritization model for CVE enrichment,” Caitlin Condon, vice president of security research at VulnCheck, said in a statement shared with The Hacker News.
“On the positive side, NIST is clearly and publicly setting out its expectations for the community as new vulnerabilities proliferate. On the other hand, for organizations that rely on NIST as the authoritative (or only) source of CVE enrichment data, it appears that a significant portion of vulnerabilities do not have a clear path to enrichment.”
According to data from the cybersecurity company, approximately 10,000 vulnerabilities published in 2025 still have no CVSS score. NIST is estimated to have enriched 14,000 “CVE-2025” vulnerabilities, representing approximately 32% of the 2025 CVE population.
“This announcement reinforces what we already know: We no longer live in a world where manually enriching new vulnerabilities is a viable or effective strategy,” Condon said.
“Even if AI-driven vulnerability discovery doesn’t accelerate the volume and validation challenges of CVE, today’s threat landscape demands a decentralized, machine-speed approach to vulnerability identification and enrichment, and a truly global risk perspective that recognizes the interconnected and interdependent nature of software ecosystems around the world, and the attackers who target them. After all, what we don’t prioritize for ourselves, our adversaries will prioritize for us.”
David Lindner, chief information security officer at Contrast Security, said NIST’s decision to prioritize only high-impact vulnerabilities marks the end of the days when defenders could rely on a single, government-controlled database to assess security risks, forcing organizations to pivot to a proactive approach to risk management based on threat intelligence.
“Modern defenders must move beyond the noise of total CVE volumes and focus their limited resources on CISA’s KEV list and indicators of exploitability,” Lindner said.
“While this shift may disrupt traditional audit workflows, it will ultimately mature the industry by requiring us to prioritize real-world exposure over theoretical seriousness. Relying on a select subset of actionable data is far more effective for national resilience than maintaining a comprehensive but unmanageable archive of every little bug.”
