
NIST to stop scoring non-priority flaws due to volume increase

The National Institute of Standards and Technology will stop assigning severity scores to lower-priority vulnerabilities due to a growing workload from rising submission volumes.

Starting April 15, the agency will only analyze and provide additional details (e.g., severity rating, product lists) for security issues that meet specific criteria related to the risk they pose.

The National Vulnerability Database (NVD) will still list all submitted vulnerabilities, but those considered low priority will have a severity score only from the CVE Numbering Authority (CNA) that evaluated and submitted them.


In an announcement this week, the non-regulatory federal agency said it will only provide additional details for vulnerabilities that meet one of the following criteria:

  • are in CISA’s Known Exploited Vulnerabilities (KEV) catalog
  • affect U.S. federal government software
  • involve critical software as per Executive Order 14028

NIST explained that the decision was driven by the large number of submissions, which grew by 263% recently and continued to accelerate in 2026. The organization enriched 42,000 CVEs in 2025, but it can no longer keep up with the increasing volume.


NIST NVD is a public, centralized database of known software and hardware vulnerabilities, which also provides additional descriptions and analyses on top of the unique identifiers (CVE IDs) assigned by CNAs, such as vendors and the not-for-profit The MITRE Corporation.

The goal of enriching vulnerability details is to make CVE entries usable for risk management, including assigning severity scores, identifying affected product versions, classifying weaknesses, and providing links to advisories, patches, or related research.

NIST NVD is used universally by security researchers, software vendors, government agencies, IT professionals, journalists, and regular users seeking more information about a specific security issue.

“All submitted CVEs will still be added to the NVD. However, those that don’t meet the criteria above will be categorized as ‘Not Scheduled,’” explains NIST.

“This will allow us to focus on CVEs with the greatest potential for widespread impact. While CVEs that don’t meet these criteria may have a significant impact on affected systems, they generally don’t present the same level of systemic risk as those in the prioritized categories.”


NIST admits that the new rules allow some potentially high-impact CVEs to slip by. As a result, the agency accepts enrichment requests for “any lowest priority CVEs” via email at ‘nvd@nist.gov.’

The lack of enrichment or notable delays has been noticeable since 2024, but the organization has now officially declared that it will focus on the most important entries.
