The National Institute of Standards and Technology will stop providing severity scores for lower-priority vulnerabilities, focusing only on critical security issues as submission volumes surge by 263%.
The National Institute of Standards and Technology (NIST) is implementing a significant change to its vulnerability assessment process, announcing that it will no longer assign severity scores to lower-priority security flaws due to an overwhelming increase in submissions. Starting April 15, 2026, NIST's National Vulnerability Database (NVD) will only provide detailed analyses and severity ratings for vulnerabilities that meet specific high-risk criteria.

This strategic shift comes as the volume of reported vulnerabilities has exploded, growing by 263% in recent years with continued acceleration in 2026. Last year alone, NIST enriched 42,000 CVEs, but the agency now acknowledges it can no longer keep pace with the increasing workload.
What Changes for Users
Under the new system, all submitted CVEs will still be added to the NVD, but vulnerabilities not meeting priority criteria will be categorized as "Not Scheduled" for enrichment. These lower-priority entries will only display severity ratings provided by the original CVE Numbering Authority (CNA) that submitted them, rather than NIST's detailed analysis.
The affected vulnerabilities will lack NIST's comprehensive assessments including:
- Detailed severity scoring
- Affected product version identification
- Weakness classification
- Links to advisories and patches
- Related research references
Priority Criteria Defined
NIST will now focus its resources on vulnerabilities that meet at least one of these criteria:
- CISA KEV Catalog: Vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog
- Federal Government Impact: Flaws affecting U.S. federal government software systems
- Critical Software: Issues involving software designated as critical under Executive Order 14028
This approach allows NIST to concentrate on vulnerabilities with the greatest potential for widespread impact while acknowledging that some high-impact CVEs may still slip through the prioritization filters.
Industry Implications
Security researchers and IT professionals who rely on NVD for comprehensive vulnerability assessments will need to adjust their workflows. Organizations may need to supplement NVD data with additional sources for lower-priority vulnerabilities, potentially increasing the complexity of vulnerability management programs.
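One way a vulnerability-management pipeline could apply that fallback, as an added example that is not NIST's or this article's code: prefer an NVD score, fall back to the CNA-supplied one, and flag records that lack the enrichment fields listed above. Field names follow the NVD CVE API 2.0 JSON layout; the `Not Scheduled` value in `vulnStatus`, the record IDs, scores, date and `cna@example.org` source are constructed assumptions.

```python
# Added example: field names follow the NVD CVE API 2.0 JSON layout.
NVD_SOURCE = "nvd@nist.gov"  # source value NVD puts on its own CVSS metrics
UNENRICHED = "Not Scheduled"  # article's label; assumed to appear in vulnStatus
CVSS_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")
ENRICHMENT_FIELDS = ("configurations", "weaknesses", "references")

def pick_severity(cve):
    """Return (base_score, origin); an NVD score wins over a CNA-supplied one."""
    best = {}
    for key in CVSS_KEYS:  # newest CVSS version first
        for metric in cve.get("metrics", {}).get(key, []):
            origin = "NVD" if metric.get("source") == NVD_SOURCE else "CNA"
            best.setdefault(origin, metric["cvssData"]["baseScore"])
    for origin in ("NVD", "CNA"):
        if origin in best:
            return best[origin], origin
    return None, None  # no CVSS data from either party

def triage(cve):
    """Summarise what the record offers and whether local enrichment is needed."""
    score, origin = pick_severity(cve)
    needs_local = cve.get("vulnStatus") == UNENRICHED or origin != "NVD"
    return {
        "id": cve["id"],
        "score": score,
        "score_origin": origin,
        "kev": "cisaExploitAdd" in cve,  # present on KEV-listed records
        "missing": [f for f in ENRICHMENT_FIELDS if not cve.get(f)],
        "needs_local_enrichment": needs_local,
    }

# Constructed sample records (placeholder IDs, scores, date and sources).
SAMPLES = [
    {"id": "CVE-0000-0001", "vulnStatus": "Analyzed", "cisaExploitAdd": "2026-04-01",
     "metrics": {"cvssMetricV31": [
         {"source": "cna@example.org", "cvssData": {"baseScore": 8.1}},
         {"source": NVD_SOURCE, "cvssData": {"baseScore": 9.8}}]},
     "configurations": [{"nodes": []}],
     "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}]}],
     "references": [{"url": "https://vendor.example/advisory"}]},
    {"id": "CVE-0000-0002", "vulnStatus": UNENRICHED,
     "metrics": {"cvssMetricV31": [{"source": "cna@example.org", "cvssData": {"baseScore": 7.5}}]},
     "references": [{"url": "https://vendor.example/notes"}]},
    {"id": "CVE-0000-0003", "vulnStatus": UNENRICHED, "metrics": {}},
]

if __name__ == "__main__":
    print(*map(triage, SAMPLES), sep="\n")
```

Records flagged `needs_local_enrichment` are the ones to route to a second data source or an internal scoring step; the `missing` list says which fields that source has to supply.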
"The decision reflects a pragmatic response to an unsustainable growth curve," notes a security analyst at a major cybersecurity firm. "While it may create some gaps in coverage, focusing on the most critical vulnerabilities ensures that limited resources are allocated where they can prevent the most damage."
Request Process for Exceptions
Recognizing that some lower-priority vulnerabilities may still pose significant risks to specific organizations, NIST has established a process for enrichment requests. Security professionals can email [email protected] to request detailed analysis of any "lowest priority CVEs" they believe warrant attention.
This change follows growing concerns about NVD's capacity that became apparent in 2024, when delays and incomplete enrichment became increasingly noticeable. The formal announcement represents NIST's acknowledgment that the current model is no longer sustainable given the explosive growth in vulnerability reporting.
Context in the Broader Security Landscape
The timing of this change is particularly noteworthy given recent high-profile vulnerabilities. Just this month, critical flaws have been discovered in widely used technologies, including:
- A Protobuf library vulnerability enabling JavaScript code execution
- A Cisco IMC authentication bypass granting administrative access
- An Nginx UI authentication bypass now being actively exploited
- Multiple zero-day vulnerabilities addressed in Microsoft's April 2026 Patch Tuesday
- A Windows Task Host vulnerability flagged by CISA as actively exploited
These incidents underscore the ongoing challenge of managing an increasingly complex security landscape where new vulnerabilities emerge daily across an expanding ecosystem of software and hardware.
Looking Forward
NIST's decision represents a fundamental shift in how the security community will access vulnerability intelligence. While the NVD will remain a comprehensive repository of all reported vulnerabilities, the depth and quality of analysis will vary significantly based on priority classification.
Organizations will need to develop more sophisticated approaches to vulnerability management, potentially incorporating multiple data sources and risk assessment frameworks to ensure comprehensive coverage. The change may also accelerate the development of alternative vulnerability assessment services and tools to fill the gaps left by NIST's new prioritization strategy.
The move highlights a broader challenge facing the cybersecurity industry: as the attack surface continues to expand and vulnerability reporting increases exponentially, how can security professionals effectively prioritize and address the most critical threats while maintaining awareness of the broader vulnerability landscape?
For now, NIST's solution is to focus on what matters most—the vulnerabilities with the highest potential for widespread impact—while providing a mechanism for exceptions when lower-priority issues still warrant attention. Whether this approach proves sustainable as vulnerability volumes continue to grow remains to be seen.
