NIST’s New Prioritization Criteria for CVEs, Examined by Experts

NIST recently announced changes to how it handles common vulnerabilities and exposures (CVEs) included in the National Vulnerability Database (NVD).
What’s Changing?
Previously, the NVD program attempted to analyze all CVEs in order to provide details, such as severity scores and product lists. With the new changes, NIST will still list all CVEs in the NVD, but only those that meet the prioritization criteria will be immediately enriched, or listed with added details.
Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, says, “To me, this change represents a welcome transition from a Universal Vulnerability Library to a more refined Risk-Based Vulnerability Triage model.”
Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, adds, “What NIST is acknowledging is something the research community has understood for years: you cannot centralize vulnerability triage at this volume and expect it to hold. The signal that actually drives remediation priority has always come from real-world exploitability, not database metadata, and that requires human researchers with adversarial instincts working continuously against live environments. The next generation of vulnerability programs will be built around that kind of active, distributed signal, not quarterly enrichment cycles.”
Understanding the New Prioritization Criteria
As of Apr. 15, NIST is now prioritizing the following CVEs for enrichment:
- CVEs in CISA’s Known Exploited Vulnerabilities (KEV) Catalog
- CVEs for software used by/within the federal government
- CVEs for critical software (defined by Executive Order 14028)
While all CVEs submitted will continue to be added to the NVD, those that do not meet the above criteria will be classified as “Lowest Priority - not scheduled for immediate enrichment.”
Dani states, “This change will significantly impact solutions, specifically hardcoded tools, that provide a verdict based on the NVD’s Common Platform Enumeration (CPE) strings. This could lead to a situation where a critical CVE does not list the CPE information as it has not been enriched by the NVD and no alerts will be generated for such a vulnerability.
“I also feel that this move will force the industry to move away from ‘Patch Everything’ toward ‘Patch What Matters.’ Just the burden of determining its severity and relevance now falls entirely on the individual organization. This can be offset when CNAs provide the additional metadata as they understand the architecture of their own products better than a NIST analyst. However, there might be situations where a vendor downplays a vulnerability in their product for PR purposes.
“Overall, I will miss the loss of a neutral third-umpire since NIST acted as an unbiased third party up until now.”
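As an added illustration of the CPE-dependent alerting gap Dani describes (example code written for this page, not from the article, Qualys, or NIST): a triage routine over records in the NVD API 2.0 JSON shape that escalates any CVE lacking CPE configurations for manual review instead of silently producing no alert. The CVE ids, CPE strings and asset inventory are constructed placeholders, and the field names are assumed from the public NVD 2.0 schema.

```python
"""Triage NVD records without silently dropping CVEs that have not been enriched.

Assumption: NVD API 2.0 response shape (vulnerabilities[].cve with id, vulnStatus,
configurations[].nodes[].cpeMatch[]). Ids, CPEs and inventory are placeholders.
"""
import json

# Constructed sample: one enriched CVE matching our stack, one enriched CVE for a
# product we do not run, and one still awaiting analysis (no CPE data at all).
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-1900-00001", "vulnStatus": "Analyzed",
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:examplevendor:exampleapp:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-1900-00002", "vulnStatus": "Analyzed",
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:othervendor:otherapp:2.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-1900-00003", "vulnStatus": "Awaiting Analysis"}},
]})

# Placeholder asset inventory keyed by (vendor, product) taken from the CPE 2.3 string.
INVENTORY = {("examplevendor", "exampleapp")}
KEV_IDS = set()  # ids from CISA's KEV catalog; empty in this constructed sample


def vendor_product(cpe):
    # cpe:2.3:<part>:<vendor>:<product>:...  (naive split; escaped colons not handled)
    fields = cpe.split(":")
    return (fields[3], fields[4])


def triage(nvd_json, inventory, kev_ids):
    """Return {cve_id: (vulnStatus, verdict)}. No CPE data means escalate, not ignore."""
    verdicts = {}
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        cpes = [m["criteria"]
                for cfg in cve.get("configurations", [])
                for node in cfg.get("nodes", [])
                for m in node.get("cpeMatch", []) if m.get("vulnerable", True)]
        if cve["id"] in kev_ids:
            verdict = "alert-kev"             # KEV listing outranks local CPE matching
        elif not cpes:
            verdict = "needs-manual-triage"   # unenriched: a pure CPE check would stay silent
        elif any(vendor_product(c) in inventory for c in cpes):
            verdict = "alert"
        else:
            verdict = "no-match"
        verdicts[cve["id"]] = (cve.get("vulnStatus"), verdict)
    return verdicts


if __name__ == "__main__":
    for cve_id, (status, verdict) in triage(SAMPLE_NVD_JSON, INVENTORY, KEV_IDS).items():
        print(f"{cve_id:16} {status or '-':18} {verdict}")
```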
Why the Change?
The purpose behind this change is to focus attention on the CVEs with the highest chances of causing widespread impact. The change is also prompted by a “surge in CVE submissions,” according to NIST’s released statement. The trend in rising submissions, “which increased 263% between 2020 and 2025,” is not expected to lessen in the near future. CVE submissions within the first three months of 2026 have been approximately one-third higher than the same time frame in 2025.
“We are working faster than ever,” NIST’s statement reads. “We enriched nearly 42,000 CVEs in 2025 — 45% more than any prior year. But this increased productivity is not enough to keep up with growing submissions. Therefore, we are instituting a new approach. The changes described below will allow us to focus on the most critical CVEs while being transparent about how we are managing our current workload. They will also allow us to stabilize the program while we develop the automated systems and workflow enhancements required for long-term sustainability.”
Vincenzo Iozzo, CEO and Co-Founder at SlashID, explains, “We’ve seen a dramatic spike in AI-reported valid vulnerabilities. According to reports, last year alone, the number of reported vulnerabilities more than doubled. As a result, the new NIST policy is sensible and the categories still covered are the most critical ones. Further, LLMs are approaching the point where they are good enough to allow individual organizations to prioritize and contextualize vulnerabilities in their environment reducing the need for enriched CVEs.”
“We recognize that these changes will affect our users,” NIST stated. “However, this risk-based approach is necessary to manage the current surge in CVE submissions while we work to align our efforts with the needs of the NVD community. This shift also allows us to dedicate the resources required to develop the automated systems and workflow enhancements that will ensure the program’s long-term sustainability.”