NIST will stop enriching non-priority CVEs due to increased volume

The National Institute of Standards and Technology (NIST) will stop enriching non-priority vulnerabilities, including assigning them severity scores, because of the workload created by the growing volume of CVE submissions.

Starting April 15, the National Vulnerability Database (NVD) will only analyze and add enrichment data (e.g., a severity rating and a list of affected products) for vulnerabilities that meet certain criteria tied to the risk they pose.

The NVD will still list every submitted vulnerability, but entries considered low priority will carry only whatever severity rating the CVE Numbering Authority (CNA) that analyzed and submitted them chose to include, if any.

In an announcement this week, the federal agency said it would only enrich vulnerabilities that meet at least one of the following criteria:

  • they are listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog
  • they affect software used by the US federal government
  • they affect critical software as defined under Executive Order 14028

NIST explained that the decision was driven by the volume of submissions, which has grown by 263% and continued to accelerate into 2026. The agency had projected about 42,000 CVEs for 2025, but it can no longer keep pace with the growing volume.

The NIST NVD is a public, centralized database of known software and hardware vulnerabilities. It adds descriptions and analysis on top of the unique identifiers (CVE IDs) assigned by CNAs, which include vendors and the non-profit MITRE Corporation.

The point of enriching vulnerability records is to make CVE entries usable for risk management: assigning CVSS severity scores, identifying the affected product versions (CPE), classifying the underlying weakness type (CWE), and linking to related advisories, patches, or research.

The NIST NVD is used worldwide by security researchers, software vendors, government agencies, IT professionals, journalists, and anyone else who wants more information about a particular security issue.

“All submitted CVEs will still be added to the NVD. However, those that do not meet the above criteria will be classified as ‘Unscheduled,’” NIST explained.

“This will allow us to focus on CVEs that have the greatest potential for widespread impact. Although CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in priority categories.”
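For teams that consume NVD data automatically, the practical consequence is that a record can now arrive with no NVD-authored CVSS score or CPE list at all, leaving only whatever the CNA supplied. The following Python snippet is an added example written for this article, not NIST code: it walks NVD API 2.0 records, prefers NVD's own metric when present, falls back to a CNA-supplied one, and flags entries that still need a human look. The sample records are constructed to follow the NVD 2.0 JSON layout; the CVE IDs and CNA address are placeholders, and "Unscheduled" is assumed to appear verbatim in the vulnStatus field as quoted in the announcement.

```python
"""Choose a usable severity from an NVD API 2.0 CVE record.

The records below are constructed for this example and follow the NVD 2.0
JSON layout (cve.vulnStatus, cve.metrics.cvssMetricV31[].source/cvssData,
cve.configurations[].nodes[].cpeMatch). The CVE IDs and the CNA address are
placeholders, not real entries. "Unscheduled" is the status name quoted from
NIST's announcement; it is assumed here to appear verbatim in vulnStatus.
"""

NVD_SOURCE = "nvd@nist.gov"
# Newest CVSS version first. v4.0 and v3.x keep baseSeverity inside cvssData;
# v2 keeps it beside cvssData on the metric object.
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def pick_severity(cve):
    """Return {score, severity, vector, source, nvd_enriched} or None.

    Preference: NVD's own metric, then any CNA-supplied metric, newest CVSS
    version first. None means no party scored the CVE at all.
    """
    for key in METRIC_KEYS:
        entries = cve.get("metrics", {}).get(key, [])
        nvd = [m for m in entries if m.get("source") == NVD_SOURCE]
        others = [m for m in entries if m.get("source") != NVD_SOURCE]
        for m in nvd + others:
            data = m.get("cvssData", {})
            if "baseScore" not in data:
                continue
            return {
                "score": data["baseScore"],
                "severity": data.get("baseSeverity") or m.get("baseSeverity"),
                "vector": data.get("vectorString"),
                "source": m["source"],
                "nvd_enriched": m["source"] == NVD_SOURCE,
            }
    return None


def triage(record):
    """Summarise one NVD 2.0 vulnerability object for a scanner or ticket feed."""
    cve = record["cve"]
    sev = pick_severity(cve)
    # Product matching needs at least one vulnerable CPE match criterion.
    has_cpe = any(
        cm.get("vulnerable")
        for cfg in cve.get("configurations", [])
        for node in cfg.get("nodes", [])
        for cm in node.get("cpeMatch", [])
    )
    return {
        "id": cve["id"],
        "status": cve.get("vulnStatus"),
        "score": sev["score"] if sev else None,
        "severity": sev["severity"] if sev else None,
        "severity_source": sev["source"] if sev else None,
        "nvd_enriched": bool(sev and sev["nvd_enriched"]),
        "has_cpe": has_cpe,
        # No score from anyone, or no CPE to match against: a human has to
        # read the advisory before this record can be routed automatically.
        "needs_local_analysis": sev is None or not has_cpe,
    }


def triage_feed(payload):
    """Apply triage() to every entry of an NVD 2.0 /cves response body."""
    return [triage(r) for r in payload.get("vulnerabilities", [])]


# Constructed sample feed: one fully enriched record, one CNA-scored record
# the NVD will not analyze, and one with no score from anyone.
SAMPLE = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [
                 {"source": NVD_SOURCE, "type": "Primary",
                  "cvssData": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
                               "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},
                 {"source": "cna@example.invalid", "type": "Secondary",
                  "cvssData": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH",
                               "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]},
             "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Unscheduled",
             "metrics": {"cvssMetricV31": [
                 {"source": "cna@example.invalid", "type": "Secondary",
                  "cvssData": {"version": "3.1", "baseScore": 5.5, "baseSeverity": "MEDIUM",
                               "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}]},
             "configurations": []}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Unscheduled", "metrics": {}, "configurations": []}},
]}

if __name__ == "__main__":
    for row in triage_feed(SAMPLE):
        print(row)
```

Routing on the `needs_local_analysis` flag rather than on `vulnStatus` alone is deliberate: a CNA may still ship a CVSS vector with an unscheduled record, and that score is better than nothing, but without a CPE list the record cannot be matched against an asset inventory and an analyst has to read the advisory. The `severity_source` field makes it visible in a ticket whether the number came from NVD or from the vendor that reported the bug.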

NIST acknowledges that the new rules may let certain CVEs with the potential for significant impact slip through. For this reason, the agency accepts requests to enrich “any critical CVEs” by e-mail to nvd@nist.gov.

Missing or significantly delayed enrichment has been observed since 2024, but the agency has now officially announced that it will concentrate on the most important entries.
