NIST NVD Overhaul: Risk-Based Prioritization Addresses 263% CVE Surge
Key Takeaways NIST has overhauled the National Vulnerability Database (NVD) processing to a risk-based model. This change is in response to a 263% surge in CVE submissions between 2020 and 2025. NVD...
Key Takeaways
- NIST has overhauled the National Vulnerability Database (NVD) processing to a risk-based model.
- This change is in response to a 263% surge in CVE submissions between 2020 and 2025.
- NVD will now prioritize vulnerabilities in CISA’s KEV Catalog, those affecting federal agencies, and critical software defined by Executive Order 14028.
- Lower-priority CVEs will still be published but will not receive immediate detailed enrichment.
- The NVD backlog of unenriched CVEs from before March 1, 2026, has been moved to “Not Scheduled” for future processing.
The National Institute of Standards and Technology (NIST) has announced a significant shift in its operational strategy for the National Vulnerability Database (NVD). Moving away from its previous comprehensive analysis, NIST will now adopt a targeted, risk-based methodology for processing vulnerability information.
Table Of Content
This strategic pivot, detailed in an announcement on April 15, 2026, is designed to ensure that cybersecurity professionals receive timely and relevant intelligence on the most impactful threats, even as NIST grapples with an unprecedented volume of vulnerability reports.
The catalyst for this fundamental change is the dramatic rise in Common Vulnerabilities and Exposures (CVE) submissions. NIST has documented a staggering 263% increase in CVEs between 2020 and 2025. Despite a 45% increase in productivity last year, which saw nearly 42,000 CVEs enriched with critical details like severity scores and affected product lists, the agency could not keep pace with the influx. The submission rate continues its upward trajectory, with the first quarter of 2026 experiencing a 33% jump compared to the same period in the previous year.
New Targeted Prioritization Criteria
To effectively manage this burgeoning workload, NIST will no longer attempt to immediately enrich every single CVE submission. Instead, the NVD program will now concentrate its resources on vulnerabilities that present the most significant systemic risk to organizations. The revised prioritization criteria, effective immediately, will focus enrichment efforts on:
- Vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, which analysts aim to process within one business day.
- Security flaws impacting software utilized within federal government agencies.
- Vulnerabilities involving critical software as delineated by Executive Order 14028.
Any CVE submission that falls outside these specified categories will still be published to the NVD but will be assigned a “Lowest Priority” label. These lower-priority items will not receive immediate enrichment data, though security professionals retain the option to request manual analysis by contacting NIST directly via email.
In conjunction with this new tiering system, NIST is also streamlining its severity scoring process. If a CVE Numbering Authority already provides a severity score during the initial submission, the NVD will no longer automatically generate its own separate score, thereby eliminating redundant efforts. Furthermore, the agency is refining its approach to modified CVEs. Analysts will now only reanalyze previously enriched vulnerabilities if subsequent modifications substantially alter the core enrichment data.
This streamlined operational approach also directly addresses the substantial NVD processing backlog that began accumulating in early 2024. All backlogged, unenriched CVEs published prior to March 1, 2026, have been reclassified into a “Not Scheduled” category. NIST intends to process these older submissions gradually, applying the new risk-based criteria as resources become available.
To ensure transparency throughout this transitional period, NIST has updated the NVD Dashboard. This dashboard will now provide real-time status labels and statistics for all CVEs, accurately reflecting their current processing state. By concentrating on critical flaws and reducing administrative duplication, NIST aims to stabilize current NVD operations while simultaneously allocating resources to develop automated systems for long-term sustainability.
What You Should Do
- Prioritize monitoring CISA’s Known Exploited Vulnerabilities (KEV) Catalog for the most urgent threats, as these will receive rapid NVD enrichment.
- Be aware that newly published CVEs not meeting NIST’s prioritization criteria may lack immediate detailed enrichment data; consider requesting manual analysis from NIST if a “Lowest Priority” CVE is critical to your operations.
- Regularly check the updated NVD Dashboard for real-time status updates on CVEs, especially those relevant to your organization.
- Implement robust vulnerability management practices that do not solely rely on NVD enrichment for all CVEs, incorporating threat intelligence and vendor advisories.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.