NIST Updates NVD Operations to Address Record CVE Growth

New risk-based model will allow NIST to manage current CVE volume while modernizing the NVD for long-term sustainability.

NIST is changing the way it handles cybersecurity vulnerabilities and exposures, or CVEs, listed in its National Vulnerability Database (NVD). In the past, NIST’s NVD program aimed to analyze all CVEs to add details — such as severity scores and product lists — that help cybersecurity professionals prioritize and mitigate vulnerabilities. Going forward, NIST will add details, or “enrich,” those CVEs that meet certain criteria, which are explained below. CVEs that do not meet those criteria will still be listed in the NVD but will not automatically be enriched by NIST.

This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. We don’t expect this trend to let up anytime soon. Submissions during the first three months of 2026 are nearly one-third higher than the same period last year.

We are working faster than ever. We enriched nearly 42,000 CVEs in 2025 — 45% more than any prior year. But this increased productivity is not enough to keep up with growing submissions. Therefore, we are instituting a new approach. The changes described below will allow us to focus on the most critical CVEs while being transparent about how we are managing our current workload. They will also allow us to stabilize the program while we develop the automated systems and workflow enhancements required for long-term sustainability.

New Prioritization Criteria
Starting on April 15, 2026, we will prioritize the following CVEs for enrichment:

• CVEs appearing in CISA’s Known Exploited Vulnerabilities (KEV) Catalog
  • Our goal is to enrich these within one business day of receipt
• CVEs for software used within the federal government
• CVEs for critical software as defined by Executive Order 14028

All submitted CVEs will still be added to the NVD. However, those that do not meet the criteria above will be categorized as “Not Scheduled.” This will allow us to focus on CVEs with the greatest potential for widespread impact. While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories.

That said, these criteria may not catch every potentially high-impact CVE. Therefore, users can request enrichment of any unscheduled CVEs by emailing us at nvd [at] nist.gov (nvd[at]nist[dot]gov). We will review those requests and schedule the CVEs for enrichment as resources allow.

A full definition of critical software and a description of our new workflow, including how we will order our processing queue, is available on the NVD website.

Streamlining Severity Scores
Until now, NIST has provided its own severity score for all submitted CVEs, even if the CVE Numbering Authority that submitted it had already provided a severity score. Going forward, we will no longer routinely provide a separate severity score for those CVEs. This will reduce duplication of effort and allow us to focus our resources more effectively. Users can request that we provide a separate severity score for specific CVEs by emailing us at the address above.

Handling of Modified CVEs
We are changing our process for reanalyzing enriched CVEs that have been modified subsequent to enrichment. While our previous policy was to re-analyze all modified CVEs, we will now do so only if we are aware of a modification that materially impacts the enrichment data. Users can request that we reanalyze specific modified CVEs by emailing us at the address above. Because of this process change, all CVEs marked as deferred last year (see April 2, 2025: NVD General Announcement) will be moved to “Modified After Enrichment.” Due to the large number of CVEs involved, we will be recategorizing these CVEs in batches over the next two weeks.

The CVE Backlog
Starting in early 2024, the NVD developed a significant backlog of unenriched CVEs. Unfortunately, we have been unable to clear that backlog, in part due to the increasing rate of submissions. Therefore, when we implement the new prioritization criteria described above, we will move all backlogged CVEs with an NVD publish date earlier than March 1, 2026, into the “Not Scheduled” category. We will consider enriching those earlier vulnerabilities, applying the new prioritization criteria above, as resources allow. (Note that the backlog does not include any CVEs in the KEV Catalog, as we have always prioritized those for enrichment, in keeping with our long-standing risk management approach.)

New Status Labels and Other Information
To better communicate CVE status, we are updating CVE status labels and descriptions. More details are available on the CVE statuses page. Additional details on our new process are available on our CVEs and the NVD Process page. Finally, we have updated the NVD Dashboard to accurately report the status of all CVEs and other NVD statistics in real time.

We recognize that these changes will affect our users. However, this risk-based approach is necessary to manage the current surge in CVE submissions while we work to align our efforts with the needs of the NVD community. This shift also allows us to dedicate the resources required to develop the automated systems and workflow enhancements that will ensure the program’s long-term sustainability. We look forward to announcing those improvements as we make them.

NIST is committed to maintaining the NVD as a critical component of the nation’s cybersecurity infrastructure. By evolving the NVD to meet today’s challenges, we can ensure that the database remains a reliable, sustainable and publicly available source of information about cybersecurity vulnerabilities. We appreciate the continued collaboration of our partnering agencies and the user community as we make these necessary adjustments.