NIST Stops Rating Non-Priority Flaws Amid Submission Surge

NIST has halted the rating of non-priority vulnerabilities due to a surge in submissions, focusing instead on higher-risk issues.


Original Reporting

BleepingComputer · Bill Toulas

AI Summary

CyberPings AI · Reviewed by Rohit Rana

NIST is stopping detailed analysis of lower-priority security flaws because it receives more reports than it can process. It will now concentrate its analysis on the vulnerabilities most likely to be exploited.

The Flaw

The National Institute of Standards and Technology (NIST) has announced a significant operational change for the National Vulnerability Database (NVD). Effective April 15, 2026, NIST will stop analyzing and assigning severity scores to non-priority vulnerabilities, in response to a 263% increase in vulnerability submissions since 2020. The decision was announced at the VulnCon26 conference in Scottsdale, Arizona, by NIST computer scientist Harold Booth, who described the agency's struggle to keep pace with the volume of reported Common Vulnerabilities and Exposures (CVEs).

What's at Risk

NIST will now prioritize the analysis and enrichment of vulnerabilities that meet specific criteria: those included in CISA’s Known Exploited Vulnerabilities (KEV) catalog, those affecting U.S. federal government software, and those classified as critical under Executive Order 14028. Vulnerabilities that do not meet these criteria will be categorized as "Not Scheduled," meaning they will not receive additional analysis or severity ratings from NIST, although they will still be listed in the NVD.

Patch Status

While the NVD will continue to list all submitted CVEs, the lack of enrichment for lower-priority vulnerabilities raises concerns about potential high-impact vulnerabilities slipping through the cracks. Users can still request enrichment for any unscheduled CVEs by contacting NIST directly at nvd@nist.gov.
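The practical consequence of the criteria above and of the "Not Scheduled" label is that a scanner or ticketing pipeline keyed on the NVD's own CVSS score will see an empty score for many new CVEs. The following is an added example, not code from NIST, the NVD or BleepingComputer, of triage logic that copes with that: it prefers NIST's score when present, falls back to a CNA-supplied score if one happens to be in the record, and routes anything still unscored to a human instead of letting it sink to the bottom of the queue. It assumes the NVD API 2.0 JSON layout (`cve.id`, `cve.vulnStatus`, `cve.metrics.cvssMetricV31[]` with a `source` field per metric) and assumes the "Not Scheduled" label appears in `vulnStatus`; the records, placeholder CVE IDs and KEV set are constructed for the example.

```python
"""Triage NVD-style CVE records when NIST has not enriched them.

Added example, not code from NIST, the NVD or the original article. Assumes the
NVD API 2.0 JSON layout (cve.id, cve.vulnStatus, cve.metrics.cvssMetricV31[],
each metric carrying a "source") and assumes the article's "Not Scheduled"
label is what vulnStatus will contain. All records below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

NIST_SOURCE = "nvd@nist.gov"  # source NVD uses on its own CVSS metrics (assumption)


@dataclass
class Triage:
    cve_id: str
    status: str
    score: Optional[float]
    severity: str
    score_source: str          # "nist", "cna" or "none"
    in_kev: bool
    needs_manual_review: bool


def pick_metric(metrics: dict) -> tuple:
    """Prefer NIST's CVSS v3.1 metric; otherwise fall back to a CNA-supplied one.

    Returns (base_score, base_severity, origin). origin is "none" when the
    record carries no CVSS at all, which is the unenriched case the article
    warns about.
    """
    entries = metrics.get("cvssMetricV31", [])
    nist = [m for m in entries if m.get("source") == NIST_SOURCE]
    cna = [m for m in entries if m.get("source") != NIST_SOURCE]
    for origin, pool in (("nist", nist), ("cna", cna)):
        if pool:
            data = pool[0]["cvssData"]
            return data["baseScore"], data["baseSeverity"], origin
    return None, "UNSCORED", "none"


def triage(record: dict, kev_ids: set) -> Triage:
    cve = record["cve"]
    score, severity, origin = pick_metric(cve.get("metrics", {}))
    in_kev = cve["id"] in kev_ids
    # Failure mode to avoid: an unenriched CVE silently filed as "low" because
    # its score field is empty. No score at all, or a CNA-only HIGH/CRITICAL
    # score that nobody independent has reviewed, goes to a human.
    needs_review = score is None or (origin == "cna" and severity in ("HIGH", "CRITICAL"))
    return Triage(cve["id"], cve.get("vulnStatus", "unknown"), score, severity,
                  origin, in_kev, needs_review)


def triage_all(response: dict, kev_ids: set) -> list:
    """Rank records: KEV entries first, then by best available score, descending."""
    rows = [triage(v, kev_ids) for v in response.get("vulnerabilities", [])]
    rows.sort(key=lambda t: (not t.in_kev, -(t.score if t.score is not None else 0.0)))
    return rows


# Constructed sample in the NVD API 2.0 shape; the CVE IDs are placeholders.
SAMPLE_RESPONSE = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [
                     {"source": NIST_SOURCE, "type": "Primary",
                      "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
                     {"source": "cna@example.org", "type": "Secondary",
                      "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
        {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Not Scheduled",
                 "metrics": {"cvssMetricV31": [
                     {"source": "cna@example.org", "type": "Secondary",
                      "cvssData": {"baseScore": 8.8, "baseSeverity": "HIGH"}}]}}},
        {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Not Scheduled",
                 "metrics": {}}},
    ]
}

# Constructed stand-in for the KEV catalog; in practice load CISA's JSON feed.
KEV_IDS = {"CVE-0000-0003"}


if __name__ == "__main__":
    for row in triage_all(SAMPLE_RESPONSE, KEV_IDS):
        flag = "REVIEW" if row.needs_manual_review else "ok"
        print(f"{row.cve_id} status={row.status!r} score={row.score} "
              f"({row.score_source}) kev={row.in_kev} {flag}")
```

The point of the ranking key is that a `None` score is treated as "unknown", not as zero and not as low: the unscored KEV entry lands at the top, and the CNA-only HIGH score lands in the review queue rather than being trusted as if NIST had confirmed it.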

Immediate Actions

NIST's new approach aims to streamline its processes and focus resources on vulnerabilities with the greatest potential for widespread impact. The shift comes after the NVD enriched nearly 42,000 CVEs in 2025, a 45% increase over previous years, yet still could not keep up with the growing backlog. Experts forecast that the number of reported CVEs could reach as high as 70,135 by the end of 2026, driven in part by automated vulnerability discovery tools, including those built on generative AI models. Booth acknowledged the need for a more efficient system and said the NVD will also introduce clearer status labels so users can tell how far a given CVE has progressed through processing.

This change in policy represents a critical pivot in how NIST manages vulnerability data, emphasizing a risk-based approach to cybersecurity that prioritizes vulnerabilities with the highest potential for exploitation.

🔒 Pro Insight

NIST's shift towards a risk-based approach reflects the challenges faced by cybersecurity agencies in managing an unprecedented volume of vulnerabilities, highlighting the need for prioritization in vulnerability management.
