NIST shifts NVD to a risk-based model as CVE volume keeps climbing


The National Institute of Standards and Technology has changed how it handles vulnerabilities in the National Vulnerability Database. NIST said on April 15, 2026, that it will no longer try to enrich every CVE with the same level of analysis and will instead focus on the ones that pose the highest systemic risk.

The change comes after a sharp rise in vulnerability submissions. NIST said CVE submissions increased 263% between 2020 and 2025, and the first three months of 2026 were already nearly one-third higher than the same period a year earlier.

NIST says the old approach no longer fits the volume it now faces. The agency enriched nearly 42,000 CVEs in 2025, which it said was 45% more than any prior year, but that still did not keep pace with the growing flow of submissions.

NIST will now prioritize the highest-risk CVEs

Under the new model, NIST will focus enrichment work on three groups first. Those include CVEs listed in CISA’s Known Exploited Vulnerabilities Catalog, CVEs affecting software used within the federal government, and CVEs affecting critical software as defined under Executive Order 14028.

NIST said it aims to enrich KEV-listed vulnerabilities within one business day of receipt. That target shows how strongly the agency now wants to focus on flaws that already show evidence of active exploitation or broad government relevance.

Everything else will still appear in the NVD, but not with the same immediate treatment. NIST said CVEs outside those categories will be marked as lowest priority and not scheduled for immediate enrichment, though users can still ask NIST to review specific entries.

What changes for severity scores and modified CVEs

NIST is also cutting duplicate work in severity scoring. If a CVE Numbering Authority already provides a severity score, NIST said it will no longer routinely generate a separate score for that entry.

The agency is also tightening how it handles changes to previously enriched vulnerabilities. Instead of reanalyzing every modified CVE, NIST said it will revisit only those changes that materially affect the enrichment data.

That matters because enrichment has long added the context many defenders rely on, including product data, severity details, and prioritization clues. With that layer now more selective, security teams may need to lean more on vendor advisories, KEV status, and internal risk scoring for lower-priority issues. This last point is an inference based on NIST’s new workflow and the role enrichment has played in practice.

The backlog is now part of the story

NIST also used this announcement to address its long-running backlog. The agency said a significant backlog of unenriched CVEs began building in early 2024 and it has not been able to clear it.

As part of the reset, NIST said it will move all backlogged CVEs with an NVD publish date earlier than March 1, 2026, into the “Not Scheduled” category. It said it may still enrich those older entries later if they match the new priority criteria and resources allow.

NIST added that this backlog does not include KEV Catalog entries, because it has always prioritized those. The agency also said it updated the NVD Dashboard and status labels so users can see CVE status and broader database statistics in real time.

What the new model means in practice

| Area | What NIST said | Why it matters |
|---|---|---|
| Priority CVEs | KEV, federal software, and critical software get first attention | High-impact issues should get faster enrichment |
| Low-priority CVEs | Still published, but not scheduled for immediate enrichment | More entries may appear without full NVD context at first |
| Severity scores | NIST will not routinely duplicate CNA-provided scores | Less duplicated analysis work |
| Modified CVEs | Reanalysis happens only if changes materially affect enrichment | NIST can spend less time on low-value rework |
| Backlog | Older unenriched CVEs before March 1, 2026 move to “Not Scheduled” | Some older records may wait much longer for enrichment |

What security teams should watch now

  • Check whether a vulnerability appears in CISA’s KEV Catalog before relying on NVD enrichment timing.
  • Expect some newly published CVEs to arrive in NVD without the same immediate depth of analysis.
  • Use vendor advisories and internal asset context more aggressively for lower-priority CVEs. This is a practical takeaway from NIST’s stated workflow change.
  • Monitor the NVD Dashboard and CVE status labels to track whether a record is undergoing enrichment, modified, or not scheduled.
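The checklist above can be turned into a small triage routine. The following Python is an added example, not code from the article or from NIST: it looks at constructed NVD-style records and a constructed KEV ID set, and decides what a team should rely on under the new model (KEV membership first, then a NIST "Primary" CVSS metric, then a CNA-supplied "Secondary" score). It assumes the NVD API 2.0 field names vulnStatus and metrics.cvssMetricV31[].type; the CVE IDs and scores are placeholders.

```python
# Constructed placeholder: in practice this set is built from CISA's KEV JSON feed.
KEV_IDS = {"CVE-2026-10001"}

# Constructed sample records shaped like NVD API 2.0 "cve" objects (assumed field names).
# "Primary" metrics come from NIST enrichment, "Secondary" metrics from the CNA.
SAMPLE_RECORDS = [
    {"id": "CVE-2026-10001", "vulnStatus": "Awaiting Analysis",
     "metrics": {"cvssMetricV31": [{"type": "Secondary", "cvssData": {"baseScore": 9.8}}]}},
    {"id": "CVE-2026-10002", "vulnStatus": "Analyzed",
     "metrics": {"cvssMetricV31": [{"type": "Primary", "cvssData": {"baseScore": 7.5}}]}},
    {"id": "CVE-2026-10003", "vulnStatus": "Awaiting Analysis", "metrics": {}},
    {"id": "CVE-2026-10004", "vulnStatus": "Awaiting Analysis",
     "metrics": {"cvssMetricV31": [{"type": "Secondary", "cvssData": {"baseScore": 5.3}}]}},
]

# Statuses that indicate NIST has already enriched the record at least once.
ENRICHED_STATUSES = {"Analyzed", "Modified"}


def best_score(record):
    """Return (baseScore, source), preferring NIST's Primary metric over the CNA's Secondary one."""
    metrics = record.get("metrics", {}).get("cvssMetricV31", [])
    for wanted, source in (("Primary", "NVD"), ("Secondary", "CNA")):
        for m in metrics:
            if m.get("type") == wanted:
                return m["cvssData"]["baseScore"], source
    return None, None


def triage(record, kev_ids=KEV_IDS):
    """Decide which signal a defender should act on for one record."""
    cve = record["id"]
    if cve in kev_ids:
        # KEV entries are enriched first by NIST and show active exploitation: act regardless of NVD state.
        return {"cve": cve, "action": "patch now", "reason": "listed in CISA KEV"}
    score, source = best_score(record)
    if record.get("vulnStatus") in ENRICHED_STATUSES and source == "NVD":
        return {"cve": cve, "action": "prioritize by NVD score", "reason": f"NVD score {score}"}
    if score is not None:
        # Not yet enriched (or not scheduled): lean on the CNA score and the vendor advisory.
        return {"cve": cve, "action": "use CNA score + vendor advisory", "reason": f"{source} score {score}"}
    return {"cve": cve, "action": "manual review", "reason": "no severity data yet"}


def triage_all(records, kev_ids=KEV_IDS):
    """Triage a batch of records; the order of the input is preserved."""
    return [triage(r, kev_ids) for r in records]
```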

FAQ

Why did NIST change the NVD process?

NIST said the volume of CVE submissions grew too quickly for the old model to remain sustainable. The agency cited a 263% increase from 2020 to 2025 and another sharp jump in early 2026.

Will NIST still publish all CVEs?

Yes. NIST said all submitted CVEs will still be added to the NVD, but many will no longer receive immediate enrichment unless they fit the new priority rules or a user requests review.

Which CVEs now get priority?

NIST said it will prioritize CVEs in CISA’s KEV Catalog, CVEs for software used within the federal government, and CVEs for critical software under Executive Order 14028.

What happens to older backlogged CVEs?

NIST said unenriched backlogged CVEs published before March 1, 2026, will move to the “Not Scheduled” category, though the agency may still enrich some later based on risk and available resources.
