NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions

The National Institute of Standards and Technology (NIST) has announced changes to the way it handles Common Vulnerabilities and Exposures (CVE) entries listed in the National Vulnerability Database (NVD), saying it will only enrich those that meet certain criteria because of the explosion in CVE submissions.
“CVEs that do not meet those criteria will still be listed on the NVD list but will not be automatically upgraded by NIST,” it said. “This change is driven by the increase in CVE deployments, which increased by 263% between 2020 and 2025. We don’t expect this trend to stop anytime soon.”
The priority criteria specified by NIST, which came into effect on April 15, 2026, are as follows –
- CVEs that appear in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.
- CVEs in software used by the federal government.
- CVEs in critical software as defined by Executive Order 14028: this includes software that is designed to run with elevated privilege or to manage privileges, has direct or privileged access to networking or computing resources, controls access to data or operational technology, or operates outside the normal trust boundaries with privileged access.
Any CVE submission that does not meet these criteria will be marked as “Unplanned.” The idea, says NIST, is to focus on CVEs that have the greatest potential for widespread impact.
“Although CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the priority categories,” it added.
NIST said CVE submissions during the first three months of 2026 were nearly one-third higher than in the same period last year, and that it is enriching submissions faster than ever. It also said it enriched nearly 42,000 CVEs in 2025, which was 45% more than in any previous year.
In cases where a high-impact CVE is marked as “Unplanned,” users have the option to request enrichment by emailing “nvd@nist[.]gov.” NIST is expected to review those requests and schedule the CVEs for enrichment as they become applicable.
Changes have been made to various other aspects of NVD operations. This includes –
- NIST will no longer assign a different severity score to a CVE when the CVE Numbering Authority (CNA) has already assigned one.
- A modified CVE will only be reanalyzed if it “materially affects” the enrichment data. Users can request specific CVEs to be re-evaluated by sending an email to the same address listed above.
- All CVEs in the current backlog that have not yet been enriched and have an NVD publication date prior to March 1, 2026, will be moved to the “Unplanned” category. This does not apply to CVEs already in the KEV catalog.
- NIST has updated the CVE status labels and descriptions, as well as the NVD dashboard, to accurately display the status of all CVEs and other statistics in real time.
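The practical consequence of the criteria above is that a defender can no longer assume every CVE in a scanner report will eventually carry an NVD score. The following added example (not code from NIST, CISA or the article) shows one way to pre-sort CVEs locally: KEV membership is checked against the shape of the public CISA KEV JSON feed, the CNA-supplied score is read from a CVE 5.x-style record (since NIST will no longer override a CNA score), and a hypothetical local inventory stands in for the “federal government software / EO 14028 critical software” test, which a script cannot decide on its own. All sample records, IDs and the inventory are constructed for illustration.

```python
"""Local triage of CVEs under NIST's new NVD enrichment priorities.

Constructed sample data, not real NVD, KEV or CVE content. The field names
follow the public CISA KEV feed ("vulnerabilities" / "cveID") and the CVE 5.x
record layout ("containers" -> "cna" -> "metrics"); the IDs, scores and the
FEDERAL_SOFTWARE inventory are invented for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the shape of the CISA KEV JSON feed.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2026-00001", "vendorProject": "ExampleCo", "product": "Widget"},
    ]
}

# Constructed CVE 5.x-style records: two with a CNA-supplied CVSS v3.1 score, one without.
CVE_RECORDS = {
    "CVE-2026-00001": {"containers": {"cna": {"metrics": [{"cvssV3_1": {"baseScore": 9.8}}]}}},
    "CVE-2026-00002": {"containers": {"cna": {"metrics": [{"cvssV3_1": {"baseScore": 5.3}}]}}},
    "CVE-2026-00003": {"containers": {"cna": {"metrics": []}}},
}

# Hypothetical local inventory: CVEs affecting products an organization has classed
# as federal-government-used or EO 14028 critical software. A real deployment would
# derive this from its own asset inventory; it is an assumption here.
FEDERAL_SOFTWARE = {"CVE-2026-00002"}


@dataclass
class Triage:
    cve_id: str
    nist_priority: bool        # would NIST enrich it automatically under the new criteria?
    reason: str                # which criterion matched, or "Unplanned"
    cna_score: Optional[float]  # CNA-supplied base score, now authoritative when present


def kev_ids(feed: dict) -> set:
    """Collect the CVE IDs listed in a KEV-shaped feed."""
    return {v["cveID"] for v in feed.get("vulnerabilities", [])}


def cna_base_score(record: dict) -> Optional[float]:
    """Return the first CVSS base score the CNA supplied, preferring newer versions."""
    metrics = record.get("containers", {}).get("cna", {}).get("metrics", [])
    for metric in metrics:
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            if key in metric and "baseScore" in metric[key]:
                return float(metric[key]["baseScore"])
    return None


def triage(cve_id: str, kev: set, records: dict, federal: set) -> Triage:
    """Classify one CVE against the priority criteria and record its CNA score."""
    score = cna_base_score(records.get(cve_id, {}))
    if cve_id in kev:
        return Triage(cve_id, True, "KEV catalog", score)
    if cve_id in federal:
        return Triage(cve_id, True, "federal or critical software (local inventory)", score)
    # Anything else lands in the "Unplanned" bucket: no automatic NVD enrichment,
    # so a missing CNA score means the organization must score it itself or
    # request enrichment from NIST.
    return Triage(cve_id, False, "Unplanned", score)


def needs_local_scoring(results: list) -> list:
    """CVEs that NIST will not enrich and that also carry no CNA score."""
    return [t.cve_id for t in results if not t.nist_priority and t.cna_score is None]


if __name__ == "__main__":
    kev = kev_ids(KEV_FEED)
    results = [triage(c, kev, CVE_RECORDS, FEDERAL_SOFTWARE) for c in CVE_RECORDS]
    for t in results:
        print(f"{t.cve_id}: priority={t.nist_priority} ({t.reason}), CNA score={t.cna_score}")
    print("needs local scoring:", needs_local_scoring(results))
```

In a real pipeline the constructed dictionaries would be replaced by the downloaded KEV feed and the CVE records for the IDs in a scan report; the triage logic itself does not change.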
“The announcement from NIST is not too surprising, as they have previously telegraphed an intention to move to a ‘risk-based’ prioritization model to improve CVE,” Caitlin Condon, vice president of security research at VulnCheck, said in a statement shared with Hacker News.
“On the positive side, NIST is clearly and publicly setting the public’s expectations in the midst of a large and growing increase in new vulnerabilities. On the other hand, a large part of the weakness now appears to be that there is no clear way to enrich organizations that rely on NIST as their authoritative (or only) source of CVE enrichment data.”
Data from a cybersecurity company shows that there are still about 10,000 vulnerabilities from 2025 without a CVSS score. NIST is estimated to have enriched 14,000 ‘CVE-2025’ vulnerabilities, accounting for approximately 32% of the 2025 CVE population.
“This announcement reinforces what we already know: We no longer live in a world where exploiting new vulnerabilities is a feasible or viable strategy,” Condon said.
“Even without the discovery of AI-driven vulnerabilities that accelerate the volume of CVE and verification challenges, the threat climate requires, without a doubt, faster machine-based methods of vulnerability identification and enrichment, and a truly global view of risk that acknowledges the interconnected, interdependent nature of the system – behind a global software attack. If we put ourselves first, the adversaries will put us first.”
David Lindner, Contrast Security’s chief information security officer, said NIST’s decision to prioritize high-impact vulnerabilities marks the end of an era in which defenders could rely on a single government-run database to assess security risk, and forces organizations toward a more proactive, threat-intelligence-driven approach to risk management.
“Modern defenders must move beyond the noise of absolute CVE volume and instead focus their limited resources on CISA KEV inventory and exploit metrics,” said Lindner.
“While this change may disrupt the workflow of legacy audits, it ultimately inflames the industry by demanding that we prioritize actual exposure over theoretical complexity. Relying on a select set of potentially actionable data is more effective for national resilience than maintaining a comprehensive but unmanageable archive of all minor bugs.”