NIST to Stop Rating Non-Priority Flaws Due to Volume Increase


What happened

NIST announced on April 15, 2026 that it will stop enriching lower-priority CVEs in its National Vulnerability Database, limiting detailed analysis to vulnerabilities that meet specific risk-based criteria. Going forward, the agency will only assign severity scores, identify affected products, and provide remediation context for CVEs that appear in CISA’s Known Exploited Vulnerabilities catalog, affect software used by the federal government, or are classified as critical under Executive Order 14028. All submitted CVEs will still be listed in the NVD, but those that do not meet the new criteria will be marked as “Lowest Priority – not scheduled for immediate enrichment” and will rely solely on scores provided by the submitting CVE Numbering Authority rather than independent NIST analysis. The decision was driven by a 263% surge in CVE submissions between 2020 and 2025, with Q1 2026 submissions running approximately one-third higher than the same period last year. NIST enriched nearly 42,000 CVEs in 2025, a 45% increase over any prior year, but said the pace of submissions has outpaced even that record output. All backlogged CVEs with a publish date prior to March 1, 2026 have been moved to the “Not Scheduled” category. FIRST forecasts approximately 59,000 new CVEs will be published in 2026, the first year submissions are expected to cross the 50,000 threshold. NIST acknowledged that the new criteria may not capture every potentially high-impact CVE and is accepting enrichment requests for lower-priority entries via email.

Who is affected

Security teams, software vendors, government agencies, and any organization using the NVD as a primary source for vulnerability prioritization and patch management are directly affected. Vulnerabilities outside the three prioritized categories will no longer carry independent NIST severity scores or enriched product data, shifting the burden of risk assessment onto submitter-provided ratings and third-party sources.

Why CISOs should care

Security programs that rely on NVD enrichment as a core input for patch prioritization now have a structural gap. NIST itself acknowledged that the new criteria may miss high-impact CVEs, and security researchers have noted that thousands of actively exploited vulnerabilities sit outside CISA’s KEV catalog. With CVE volume accelerating and AI-assisted vulnerability discovery tools expected to push submissions higher still, organizations that treat NVD as a sufficient signal for risk decisions face increasing blind spots at precisely the moment the threat landscape is expanding fastest.

3 practical actions

  1. Diversify vulnerability intelligence sources: Reduce reliance on NVD as a single source of enrichment data and supplement it with additional vulnerability databases, threat intelligence feeds, and exploit prediction tools that track active exploitation beyond what appears in CISA’s KEV catalog.
  2. Review how your vulnerability management program uses CVSS scores: Assess whether your patch prioritization workflow depends on NIST-assigned severity scores for non-KEV CVEs and identify which tools or processes will need alternative data sources now that independent scoring has been scaled back.
  3. Flag CVEs critical to your environment for manual enrichment requests: For vulnerabilities affecting your specific product stack that fall outside the new priority criteria, use NIST’s email request process at [email protected] to seek enrichment rather than waiting for it to be scheduled automatically.
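The three actions above amount to one triage rule: treat a CNA-only score as a weaker signal than a NIST one, pull exploitation evidence from beyond the KEV catalog, and keep a list of unenriched CVEs in your own stack to send to NIST. The following Python is an added example (not NIST, NVD or CISA code) that applies that rule to a small set of constructed records. The record shape is a simplified approximation of the NVD API 2.0 JSON, where each CVSS metric carries a `type` of `Primary` (NIST-assigned) or `Secondary` (CNA-assigned); the `vulnStatus` value "Not Scheduled", the `kev` and `products` fields, the placeholder CVE ids, and the third-party exploitation feed are all assumptions constructed for the example.

```python
"""Triage CVE records now that NVD enrichment covers only priority CVEs.

Added example, not NIST/NVD code. Record shape is a simplified, constructed
approximation of NVD API 2.0 JSON: each CVSS metric has a "type" of "Primary"
(NIST-assigned) or "Secondary" (CNA-assigned). The "Not Scheduled" status, the
"kev" and "products" fields, and all ids and scores are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Lower number = handle first.
BUCKET_ORDER = {"P1": 0, "P2": 1, "manual-review": 2, "P3": 3, "monitor": 4}

# Constructed sample records (placeholder ids, not real CVEs).
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "vulnStatus": "Analyzed", "kev": True,
     "products": ["acme-gateway"],
     "metrics": [{"type": "Primary", "baseScore": 9.8},
                 {"type": "Secondary", "baseScore": 9.1}]},
    {"id": "CVE-0000-0002", "vulnStatus": "Not Scheduled", "kev": False,
     "products": ["acme-gateway"],
     "metrics": [{"type": "Secondary", "baseScore": 7.5}]},
    {"id": "CVE-0000-0003", "vulnStatus": "Not Scheduled", "kev": False,
     "products": ["acme-db"], "metrics": []},          # no score at all
    {"id": "CVE-0000-0004", "vulnStatus": "Not Scheduled", "kev": False,
     "products": ["acme-db"],
     "metrics": [{"type": "Secondary", "baseScore": 5.3}]},
    {"id": "CVE-0000-0005", "vulnStatus": "Not Scheduled", "kev": False,
     "products": ["other-vendor-app"],
     "metrics": [{"type": "Secondary", "baseScore": 8.8}]},
]
# Constructed: what this organisation runs, and a non-KEV exploitation feed.
ORG_PRODUCTS = {"acme-gateway", "acme-db"}
THIRD_PARTY_EXPLOITED = {"CVE-0000-0004"}


@dataclass
class TriageResult:
    cve_id: str
    score_source: str        # "NIST", "CNA" or "none"
    score: Optional[float]
    bucket: str
    needs_request: bool      # True if we should ask NIST to enrich this CVE


def effective_score(record):
    """Prefer the NIST (Primary) score; fall back to the CNA (Secondary) one."""
    by_type = {m["type"]: m["baseScore"] for m in record.get("metrics", [])}
    if "Primary" in by_type:
        return "NIST", by_type["Primary"]
    if "Secondary" in by_type:
        return "CNA", by_type["Secondary"]
    return "none", None


def triage(records, exploited_feed, org_products):
    """Bucket each record; exploitation evidence outranks any score."""
    results = []
    for rec in records:
        source, score = effective_score(rec)
        affects_us = bool(set(rec.get("products", [])) & org_products)
        exploited = rec.get("kev", False) or rec["id"] in exploited_feed
        if exploited:
            bucket = "P1"                 # KEV or third-party feed says exploited
        elif not affects_us:
            bucket = "monitor"            # not in our stack, watch only
        elif score is None:
            bucket = "manual-review"      # unscored and relevant: a human looks
        elif score >= 7.0:
            bucket = "P2"
        else:
            bucket = "P3"
        # Only CVEs in our stack that lack an independent NIST score get a request.
        needs_request = affects_us and source != "NIST"
        results.append(TriageResult(rec["id"], source, score, bucket, needs_request))
    results.sort(key=lambda r: (BUCKET_ORDER[r.bucket], -(r.score or 0.0)))
    return results


def enrichment_requests(results):
    """Ids to send to NIST's enrichment-request mailbox, sorted for stable output."""
    return sorted(r.cve_id for r in results if r.needs_request)


if __name__ == "__main__":
    for r in triage(SAMPLE_RECORDS, THIRD_PARTY_EXPLOITED, ORG_PRODUCTS):
        print(f"{r.cve_id}  {r.bucket:14} score={r.score} ({r.score_source})"
              f"  request={r.needs_request}")
```

The point the sample makes is CVE-0000-0004: its CNA score of 5.3 would sit near the bottom of a CVSS-sorted list, and it is not in KEV, yet the third-party feed moves it to P1. That is the blind spot the brief describes, and why step 1 (extra exploitation sources) cannot be replaced by step 2 (better use of the scores you already have).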
