
NIST overhauls National Vulnerability Database operations amidst record CVE growth


The U.S. National Institute of Standards and Technology (NIST) is implementing a significant overhaul of its National Vulnerability Database (NVD) operations, shifting from a goal of fully analyzing every submitted Common Vulnerabilities and Exposures (CVE) record to a risk-based triage model. The change, which prioritizes the most dangerous flaws, responds to a dramatic increase in CVE submissions, which surged 263% between 2020 and 2025, as reported by Silicon Angle.

Under the new model, NIST will only fully enrich CVEs that are listed in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog, affect federal government software, or impact software classified as critical. Other CVEs will be listed as "Not Scheduled," meaning NIST will not automatically add severity scores and product data. NIST aims to enrich KEV catalog entries within one business day.

The agency is also addressing a backlog, moving unenriched CVEs published before March 1, 2026, to "Not Scheduled." NIST will no longer routinely issue its own severity scores when a submitting authority has already provided one, and modified CVEs will only be reanalyzed if the change materially affects enrichment data.

Source: Silicon Angle
