The US National Institute of Standards and Technology (NIST) is changing how it manages common vulnerabilities and exposures (CVEs) listed in the National Vulnerability Database (NVD) due to a rapidly evolving threat landscape.
In the past, the NVD program focused on analyzing all received CVEs to provide details such as severity scores and affected product lists to assist cyber teams in prioritizing and addressing relevant vulnerabilities. This process was known as ‘enrichment.’ However, moving forward, only CVEs that meet specific criteria will be enriched, with those that do not make the cut still being listed but labeled as lower priority issues.
The surge in CVE submissions, which increased by 263% between 2020 and 2025, has driven this change. NIST anticipates that this trend will continue, with submissions in the first quarter of 2026 already being significantly higher than the same period last year. Despite enriching nearly 42,000 CVEs in 2025, a 45% increase from previous years, NIST is struggling to keep up with the growing submissions, leading to the implementation of a new approach.
These adjustments aim to stabilize the program and provide time to develop new automated systems and workflow enhancements. The new criteria, effective as of April 15th, prioritize CVEs with the potential for widespread impact, focusing on systemic risks. Users can request reviews of lower priority CVEs for enrichment, acknowledging that not all high-impact flaws may be captured by the criteria.
NIST will no longer routinely assign separate severity scores to CVEs already scored by the CVE Numbering Authority, aiming to reduce duplication of effort and concentrate resources. CVEs modified after enrichment will now be reanalyzed only if the modifications significantly affect the enrichment data. Users can request reviews for specific CVEs as needed.
Addressing a backlog of unenriched CVEs dating back two years, NIST will move all backlogged CVEs with an NVD publish date before March 1, 2026, to the ‘Not Scheduled’ category, considering them for enrichment based on the new criteria. Additionally, NIST is updating CVE status labels and descriptions, as well as making changes to the NVD Dashboard for accurate reporting.
While these changes may impact everyday users, NIST emphasizes the necessity of a risk-based approach to manage the influx of submissions and lay the groundwork for sustainable offerings in the future. Danis Calderone, Principal and CTO at Suzu Labs, expressed support for NIST’s prioritization of key CVEs and highlighted the importance of organizations developing their own prioritization frameworks.
In conclusion, NIST’s restructuring reflects the evolving cybersecurity landscape and the need for proactive measures to address vulnerabilities effectively. This shift encourages organizations to take a more personalized approach to vulnerability management and prioritize their security efforts accordingly.