NIST Restricts CVE Enrichment Following 263% Surge in Submissions
The National Institute of Standards and Technology (NIST) has implemented significant changes to its management of cybersecurity vulnerabilities and exposures (CVEs) within its National Vulnerability Database (NVD). This decision comes in response to a staggering 263% increase in CVE submissions from 2020 to 2025, prompting NIST to refine its enrichment process to focus on vulnerabilities that meet specific criteria.
NIST has clarified that while all CVEs will continue to be listed in the NVD, only those that fulfill certain conditions will be enriched. This strategic shift aims to streamline resources and prioritize vulnerabilities with the greatest potential for widespread impact. The new guidelines took effect on April 15, 2026.
New Prioritization Criteria
The prioritization criteria established by NIST are as follows:
- Inclusion in CISA’s KEV Catalog: CVEs that appear in the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog will receive enrichment.
- Federal Government Software: CVEs associated with software utilized within the federal government will be prioritized.
- Critical Software Definition: CVEs for software classified as critical under Executive Order 14028 will also be enriched. This includes software designed to operate with elevated privileges, manage access to networking resources, and control data or operational technology.
Any CVEs that do not meet these criteria will be marked as “Not Scheduled.” NIST has emphasized that while these unenriched CVEs may still pose risks, they do not present the same level of systemic risk as those prioritized.
Surge in CVE Submissions
NIST reported that CVE submissions in the first quarter of 2026 are nearly one-third higher than in the same period of the previous year. In 2025, NIST enriched approximately 42,000 CVEs, a 45% increase over any prior year. This rapid growth in submissions has necessitated a reevaluation of how NIST manages and enriches CVEs.
For high-impact CVEs that have been marked “Not Scheduled,” users can request enrichment by contacting NIST directly. The agency will review these requests and schedule the CVEs for enrichment as appropriate.
Operational Changes in NVD
In addition to the new enrichment criteria, NIST has introduced several operational changes to the NVD:
- NIST will no longer routinely assign a separate severity score for CVEs that already have a score from the CVE Numbering Authority.
- A modified CVE will only be reanalyzed if it materially impacts the enrichment data. Users can request specific CVEs for reanalysis through the same contact method.
- All unenriched CVEs in backlog with a publish date earlier than March 1, 2026, will be categorized as “Not Scheduled,” except for those already in the KEV catalog.
- NIST has updated the CVE status labels and descriptions, along with the NVD Dashboard, to provide real-time status updates.
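The practical consequence of the criteria and operational changes above is that a vulnerability-management pipeline can no longer assume every CVE will carry an NVD-assigned CVSS score. The following is an added example, not code from the article, NIST, or The Hacker News: it classifies CVE records against the three enrichment criteria and the March 1, 2026 backlog rule, falls back to the CNA's CVSS score when NIST has not assigned one, and ranks the result KEV-first. The record shape is a simplified, constructed stand-in for the NVD API's Primary/Secondary metric layout; the CVE IDs, the KEV set, the product inventories and the "Scheduled" label are all hypothetical.

```python
"""Triage CVE records under the NVD enrichment rules described above.

Record layout and all sample data are constructed for this example; none of the
CVE IDs, products or KEV entries are real.
"""
from datetime import date

# Publish-date cutoff from the NIST backlog rule: older unenriched CVEs are
# "Not Scheduled" unless they are already in the KEV catalog.
BACKLOG_CUTOFF = date(2026, 3, 1)

# Constructed sample records. "Primary" metrics stand for NIST's own CVSS
# assignment; "Secondary" metrics stand for the score supplied by the CNA.
SAMPLE_CVES = [
    {"id": "CVE-2026-0001", "published": "2026-03-20",
     "products": ["exampleco:edge-gateway"],
     "metrics": [{"type": "Primary", "source": "nvd@nist.gov", "baseScore": 9.8},
                 {"type": "Secondary", "source": "cna@exampleco", "baseScore": 9.1}]},
    {"id": "CVE-2026-0002", "published": "2026-03-25",
     "products": ["exampleco:office-suite"],
     "metrics": [{"type": "Secondary", "source": "cna@exampleco", "baseScore": 7.5}]},
    {"id": "CVE-2025-9001", "published": "2025-11-02",
     "products": ["exampleco:hr-portal"],
     "metrics": [{"type": "Secondary", "source": "cna@exampleco", "baseScore": 8.8}]},
    {"id": "CVE-2025-9002", "published": "2025-12-15",
     "products": ["exampleco:legacy-agent"], "metrics": []},
    {"id": "CVE-2026-0003", "published": "2026-04-01",
     "products": ["exampleco:privileged-helper"], "metrics": []},
]

# Hypothetical stand-ins for the CISA KEV catalog, an inventory of software used
# in federal environments, and software deemed critical under EO 14028.
KEV_IDS = {"CVE-2025-9002"}
FEDERAL_PRODUCTS = {"exampleco:hr-portal"}
CRITICAL_PRODUCTS = {"exampleco:privileged-helper"}


def best_cvss(cve):
    """Return (baseScore, origin): NIST's Primary score if present, else the CNA's."""
    for wanted, origin in (("Primary", "nvd"), ("Secondary", "cna")):
        for metric in cve["metrics"]:
            if metric["type"] == wanted:
                return metric["baseScore"], origin
    return None, None


def meets_criteria(cve, kev, federal, critical):
    """Apply the three enrichment criteria plus the backlog cutoff rule."""
    if cve["id"] in kev:
        return True  # KEV entries qualify regardless of publish date
    if date.fromisoformat(cve["published"]) < BACKLOG_CUTOFF:
        return False  # pre-cutoff backlog: only KEV survives
    products = set(cve["products"])
    return bool(products & federal) or bool(products & critical)


def enrichment_status(cve, kev=KEV_IDS, federal=FEDERAL_PRODUCTS,
                      critical=CRITICAL_PRODUCTS):
    """'Enriched' if NIST scored it, 'Scheduled' (constructed label) if it
    qualifies for enrichment, otherwise 'Not Scheduled'."""
    if any(m["type"] == "Primary" for m in cve["metrics"]):
        return "Enriched"
    if meets_criteria(cve, kev, federal, critical):
        return "Scheduled"
    return "Not Scheduled"


def triage(cves, kev=KEV_IDS):
    """Rank records: KEV first, then anything with a CVSS score (NIST or CNA)
    by descending score, then unscored CVEs that need manual review or an
    enrichment request to NIST."""
    rows = []
    for cve in cves:
        score, origin = best_cvss(cve)
        if cve["id"] in kev:
            tier = 0
        elif score is not None:
            tier = 1
        else:
            tier = 2
        rows.append({"id": cve["id"], "tier": tier, "score": score,
                     "score_source": origin, "nvd_status": enrichment_status(cve)})
    rows.sort(key=lambda r: (r["tier"], -(r["score"] or 0.0)))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_CVES):
        print(row)
```

In the sample data, CVE-2025-9001 shows the backlog rule at work: it affects federal software but was published before March 1, 2026, so it lands in "Not Scheduled" and the pipeline relies on the CNA's 8.8 score instead. Tier 2 rows are the ones a defender would either review by hand or submit to NIST as an enrichment request.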
Industry Reactions
The announcement from NIST aligns with previous indications of a shift toward a risk-based prioritization model for CVE enrichment. Caitlin Condon, Vice President of Security Research at VulnCheck, noted that while the changes set clear expectations for the cybersecurity community, they also leave many vulnerabilities without a clear path to enrichment. Approximately 10,000 vulnerabilities from 2025 still lack a CVSS score, with NIST having enriched only about 32% of the 2025 CVE population.
Condon emphasized that the current threat landscape demands a more agile approach to vulnerability identification and enrichment. The interconnected nature of the global software ecosystem necessitates a comprehensive understanding of risk that transcends traditional methods.
David Lindner, Chief Information Security Officer at Contrast Security, remarked that NIST’s decision to focus solely on high-impact vulnerabilities marks a pivotal shift in how organizations assess security risks. He urged modern defenders to concentrate their resources on the CISA KEV list and exploitability metrics, rather than being overwhelmed by the sheer volume of CVEs.
Lindner also pointed out that this transition, while potentially disruptive to legacy auditing workflows, ultimately encourages a more mature industry approach. By prioritizing actionable data over theoretical severity, organizations can enhance national resilience against cyber threats.
As the cybersecurity landscape continues to evolve, NIST’s refined approach to CVE enrichment reflects the pressing need for effective risk management strategies. The agency’s commitment to addressing the challenges posed by an increasing volume of vulnerabilities underscores the importance of focusing on those that pose the greatest risk to systems and infrastructure.
For further details, refer to the original reporting source: The Hacker News.