NIST Shifts to Risk-Based NVD Model as CVE Submissions Surge 263%

David Kimber
April 20, 2026

The National Institute of Standards and Technology (NIST) has officially updated its approach to processing vulnerabilities within the National Vulnerability Database (NVD).

According to an April 15, 2026 announcement, NIST is abandoning its comprehensive analysis approach in favor of a targeted, risk-based model.

This shift ensures security teams receive timely intelligence on high-impact threats while NIST manages an overwhelming volume of vulnerability reports.

The primary driver behind this major operational change is a massive increase in Common Vulnerabilities and Exposures (CVE) submissions.

NIST reports a staggering 263% surge in CVEs between 2020 and 2025. While the agency successfully added enrichment details such as severity scores and affected product lists to nearly 42,000 CVEs last year, this 45% productivity increase was not enough to keep pace.

The submission rate continues to accelerate, with the first quarter of 2026 seeing a 33% jump compared to the same period last year.

New Targeted Prioritization Criteria

To effectively manage this workload, NIST is no longer attempting to enrich every submitted CVE immediately. Instead, the NVD program will prioritize vulnerabilities that pose the greatest systemic risk to organizations.

Starting immediately, NIST will focus its enrichment resources on the following categories:

  • Vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, which analysts aim to process within one business day.
  • Security flaws affecting software utilized within federal government agencies.
  • Vulnerabilities involving critical software as defined by Executive Order 14028.

Any submitted CVE that falls outside these specific parameters will still be published to the NVD but will receive a “Lowest Priority” label.

These lower-priority items will not receive immediate enrichment data. However, security professionals can request manual analysis by emailing NIST directly.

Alongside the new tiering system, NIST is eliminating duplicate efforts in severity scoring. If a CVE Numbering Authority already provides a severity score during submission, the NVD will no longer generate its own separate score by default.

Furthermore, the agency is adjusting how it handles modified CVEs. Analysts will now reanalyze previously enriched vulnerabilities only if new modifications materially affect the core enrichment data.

This streamlined approach also directly addresses the NVD’s significant processing backlog that began building in early 2024. All backlogged, unenriched CVEs published before March 1, 2026, have been moved to the “Not Scheduled” category.

NIST plans to gradually process these older submissions based on the new risk criteria as resources allow.

To maintain transparency during this transition, NIST has updated the NVD Dashboard to accurately report real-time status labels and statistics for all CVEs.

By focusing exclusively on critical flaws and reducing duplicate administrative work, the agency intends to stabilize current NVD operations while dedicating resources to developing automated systems for long-term sustainability.
