NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions

Summary

The National Institute of Standards and Technology (NIST) announced a risk-based prioritization model for CVE enrichment in its National Vulnerability Database (NVD) effective April 15, 2026, following a 263% increase in CVE submissions between 2020 and 2025. Under the new criteria, only CVEs appearing in CISA's Known Exploited Vulnerabilities catalog, those affecting federal government software, or critical software as defined by Executive Order 14028 will be automatically enriched; all others will be marked "Not Scheduled." Organizations relying solely on NIST for CVE enrichment now face gaps in coverage and must adopt distributed, threat-driven vulnerability assessment approaches.

Full text

NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions Ravie LakshmananApr 17, 2026Vulnerability Management The National Institute of Standards and Technology (NIST) has announced changes to the way it handles cybersecurity vulnerabilities and exposures (CVEs) listed in its National Vulnerability Database (NVD), stating it will only enrich those that fulfil certain conditions owing to an explosion in CVE submissions. "CVEs that do not meet those criteria will still be listed in the NVD but will not automatically be enriched by NIST," it said. "This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. We don’t expect this trend to let up anytime soon." The prioritization criteria outlined by NIST, which went into effect on April 15, 2026, are as follows - CVEs appearing in the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog. CVEs for software used within the federal government. CVEs for critical software as defined by Executive Order 14028: this includes software that's designed to run with elevated privilege or managed privileges, has privileged access to networking or computing resources, controls access to data or operational technology, and operates outside of normal trust boundaries with elevated access. Any CVE submission that doesn't meet these thresholds will be marked as "Not Scheduled." The idea, NIST said, is to focus on CVEs that have the maximum potential for widespread impact. "While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories," it added. NIST said the CVE submissions during the first three months of 2026 are nearly one-third higher than they were last year, and it's working faster than ever to enrich the submissions. It also said it enriched nearly 42,000 CVEs in 2025, which was 45% more than any prior year. In cases where a high-impact CVE has been categorized as unscheduled, users have the option to request enrichment by sending an email to "nvd@nist[.]gov."NIST is expected to review those requests and schedule the CVEs for enrichment as applicable. Changes have also been instituted for various other aspects of the NVD operations. These include - NIST will no longer routinely provide a separate severity score for a CVE where the CVE Numbering Authority has already provided a severity score. A modified CVE will be reanalyzed only if it "materially impacts" the enrichment data. Users can request specific CVEs to be reanalyzed by sending an email to the same address listed above. All unenriched CVEs currently in backlog with an NVD publish date earlier than March 1, 2026, will be moved into the "Not Scheduled" category. This does not apply to CVEs that are already in the KEV catalog. NIST has updated the CVE status labels and descriptions, as well as the NVD Dashboard, to accurately reflect the status of all CVEs and other statistics in real time. "The announcement from NIST doesn't come as a major surprise, given they've previously telegraphed intent to move to a 'risk-based' prioritization model for CVE enrichment," Caitlin Condon, vice president of security research at VulnCheck, said in a statement shared with The Hacker News. "On the plus side, NIST is clearly and publicly setting expectations for the community amid a huge and escalating rise in new vulnerabilities. On the other hand, a significant portion of vulnerabilities now appear to have no clear path to enrichment for organizations relying on NIST as their authoritative (or only) source of CVE enrichment data." Data from the cybersecurity company shows that there are still approximately 10,000 vulnerabilities from 2025 without a CVSS score. NIST is estimated to have enriched 14,000 'CVE-2025' vulnerabilities, accounting for about 32% of the 2025 CVE population. "This announcement underscores what we already know: We no longer live in a world where manual enrichment of new vulnerabilities is a feasible or effective strategy," Condon said. "Even without AI-driven vulnerability discovery accelerating CVE volume and validation challenges, today's threat climate unequivocally demands distributed, machine-speed approaches to vulnerability identification and enrichment, along with a genuinely global perspective on risk that acknowledges the interconnected, interdependent nature of the worldwide software ecosystem – and the attackers who target it. After all, what we don't prioritize for ourselves, adversaries will prioritize for us." David Lindner, chief information security officer of Contrast Security, said NIST's decision to only prioritize high-impact vulnerabilities marks the end of an era where defenders could leverage a single government-managed database to assess security risks, forcing organizations to pivot to a proactive approach to risk management that's driven by threat intelligence. "Modern defenders must move beyond the noise of total CVE volume and instead focus their limited resources on the CISA KEV list and exploitability metrics," Lindner said. "While this transition may disrupt legacy auditing workflows, it ultimately matures the industry by demanding that we prioritize actual exposure over theoretical severity. Relying on a curated subset of actionable data is far more effective for national resilience than maintaining a comprehensive but unmanageable archive of every minor bug." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  CISA, cybersecurity, National Vulnerability Database, NIST, Risk management, Threat Intelligence, vulnerability management Trending News Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS Block the Prompt, Not the Work: The End of "Doctor No" BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority Popular Resources Learn How to Block Breached Passwords in Active Directory Before Attacks Get Full Visibility into Vendor and Internal Risk in One Platform [Guide] Get Practical Steps to Govern AI Agents with Runtime Controls Secure Your AI Systems Across the Full Lifecycle of Risks

Entities