NIST's NVD cuts severity ratings for lower-priority vulnerabilities

The National Institute of Standards and Technology will stop enriching lower-priority vulnerabilities in its National Vulnerability Database, limiting detailed analysis to only the most critical security flaws.

 

What happened

Starting April 15, NIST's National Vulnerability Database (NVD) will only assign severity scores and additional details, such as affected product lists and weakness classifications, to vulnerabilities that meet at least one of the following criteria:

  • Listed in CISA's Known Exploited Vulnerabilities (KEV) catalog
  • Affect U.S. federal government software
  • Involve critical software as defined under Executive Order 14028

The NVD will still list all submitted vulnerabilities, but lower-priority entries will carry only the severity rating assigned by the original CVE Numbering Authority (CNA) that submitted them. NIST labels these deprioritized entries as "Not Scheduled." The agency cited a 263% surge in CVE submissions as the driver behind the change, noting it enriched 42,000 CVEs in 2025 but can no longer sustain that pace as volume continues to accelerate into 2026.

 

Going deeper

NIST acknowledged that the new prioritization model has gaps. Some high-impact CVEs that do not meet the three criteria may go unenriched by default. To address this, NIST is accepting manual enrichment requests for any deprioritized CVE via email at nvd@nist.gov. Organizations that identify a lower-priority vulnerability with significant risk can flag it directly to the agency for review.

 

What was said

NIST stated, "All submitted CVEs will still be added to the NVD. However, those that do not meet the criteria above will be categorized as 'Not Scheduled.' This will allow us to focus on CVEs with the greatest potential for widespread impact. While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories."

 

By the numbers

  • CVE submission volume grew by 263% recently and continued accelerating into 2026
  • NIST enriched 42,000 CVEs in 2025 alone
  • Vulnerabilities must now meet one of three criteria to receive full NVD enrichment
  • Gaps have been visible since 2024, but the policy was only formally declared in April 2025

 

In the know

The NVD is a publicly accessible, centralized database maintained by NIST that catalogs known software and hardware vulnerabilities. While CVE IDs, unique identifiers assigned to specific flaws, come from CNAs such as software vendors and MITRE, the NVD adds a severity score (using the CVSS framework), affected product version data, weakness classifications, and links to patches or advisories. This enrichment is what allows security teams, IT professionals, government agencies, and researchers to actually prioritize and act on vulnerability data at scale.

 

Why it matters

This change directly affects how organizations manage vulnerability risk. The security industry has built its patching workflows, scanner tools, and compliance programs around enriched NVD data. When a CVE lacks a full severity score or affected product list from NIST, teams using automated tools may struggle to triage it accurately. For healthcare organizations, where unpatched software vulnerabilities are a leading vector for ransomware and data breaches, gaps in NVD enrichment could widen the window of exposure. The shift also places more interpretive burden on CNAs, whose severity ratings are less standardized than NIST's analysis.

 

The bottom line

Organizations should not assume that an unenriched CVE is low risk; it may simply be under-resourced. Teams should cross-reference CVE data with CISA's KEV catalog, vendor advisories, and threat intelligence feeds rather than relying solely on NVD enrichment status. If a deprioritized vulnerability affects your environment, submit an enrichment request to nvd@nist.gov directly.
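The triage rule above (never treat "Not Scheduled" as low risk; fall back to KEV, vendor advisories and the CNA score; queue an enrichment request when nothing else is available) is easier to apply consistently when it is written down as code. The following is an added example written for this article, not code from NIST or Paubox. The record layout, the field names (`nvd_status`, `cna_score`, `kev_listed`, `vendor_advisory_score`, `in_inventory`), the priority bands and the sample CVE records are all constructed assumptions; the CVE IDs are fictional.

```python
"""Triage CVE records that may lack NVD enrichment.

Added example (assumptions: record fields, priority bands and sample data
are constructed; not NIST's or any scanner's real schema).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CveRecord:
    cve_id: str
    nvd_status: str                      # "Analyzed" or "Not Scheduled" (assumed labels)
    nvd_score: Optional[float]           # NIST CVSS base score; None when unenriched
    cna_score: Optional[float]           # score supplied by the submitting CNA
    kev_listed: bool                     # present in CISA's KEV catalog
    vendor_advisory_score: Optional[float] = None
    in_inventory: bool = False           # asset inventory says we run the product


def effective_score(rec: CveRecord) -> tuple[Optional[float], str]:
    """Pick the best available severity and say where it came from.

    Order of preference: NIST enrichment, vendor advisory, CNA rating.
    A missing score is returned as None, never silently mapped to 0.
    """
    for score, source in ((rec.nvd_score, "nvd"),
                          (rec.vendor_advisory_score, "vendor"),
                          (rec.cna_score, "cna")):
        if score is not None:
            return score, source
    return None, "none"


def triage(rec: CveRecord) -> tuple[str, str]:
    """Return (priority, reason) for one record.

    KEV membership outranks any score because it records confirmed
    exploitation. A record with no score from any source is routed to
    manual review rather than being dropped as unscored.
    """
    if not rec.in_inventory:
        return "ignore", "affected product not in inventory"
    if rec.kev_listed:
        return "P1", "listed in CISA KEV (known exploited)"
    score, source = effective_score(rec)
    if score is None:
        return "review", "no severity from NVD, vendor or CNA; manual review"
    if score >= 9.0:
        return "P1", f"score {score} from {source}"
    if score >= 7.0:
        return "P2", f"score {score} from {source}"
    return "P3", f"score {score} from {source}"


def enrichment_requests(records: list[CveRecord]) -> list[str]:
    """IDs worth sending to NIST as manual enrichment requests.

    Candidates are unenriched ('Not Scheduled') records that affect us and
    are not already KEV-listed (KEV entries meet NIST's own criteria), and
    that triage as P1/P2 or need review.
    """
    out = []
    for rec in records:
        if rec.nvd_status != "Not Scheduled" or not rec.in_inventory or rec.kev_listed:
            continue
        if triage(rec)[0] in ("P1", "P2", "review"):
            out.append(rec.cve_id)
    return out


# Constructed sample records (fictional CVE IDs and scores).
SAMPLE = [
    CveRecord("CVE-2099-0001", "Analyzed", 9.8, 9.8, False, in_inventory=True),
    CveRecord("CVE-2099-0002", "Not Scheduled", None, 5.3, True, in_inventory=True),
    CveRecord("CVE-2099-0003", "Not Scheduled", None, None, False, 8.1, in_inventory=True),
    CveRecord("CVE-2099-0004", "Not Scheduled", None, None, False, in_inventory=True),
    CveRecord("CVE-2099-0005", "Not Scheduled", None, 9.1, False, in_inventory=False),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        prio, why = triage(rec)
        print(f"{rec.cve_id}: {prio} ({why})")
    print("enrichment requests:", enrichment_requests(SAMPLE))
```

Note that the second sample record would be scored as medium by its CNA rating alone, yet it lands in P1 because it is KEV-listed; that is exactly the case where relying on the NVD or CNA score alone misleads. The fourth record carries no score from any source and is sent to manual review and to the enrichment-request list instead of being dropped as "unscored" by an automated pipeline.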

 

FAQs

Will this affect how vulnerability scanners and security tools work?

Many security tools pull severity data directly from the NVD, so unenriched CVEs may appear incomplete or unscored in automated scans, potentially causing teams to overlook legitimate risks.

 

Does this mean lower-priority CVEs are safe to ignore?

No. A "Not Scheduled" label reflects NIST's capacity constraints, not a judgment on whether a vulnerability poses a real threat to your specific environment.

 

How will this change affect small and mid-sized organizations with limited security staff?

Smaller teams that rely on NVD data as a primary triage tool will need to invest in additional threat intelligence sources to fill the gaps left by unenriched entries.

 

Is NIST the only organization that can enrich CVE data?

No. CNAs, vendors, and third-party security firms can all publish their own analyses, and some already provide enrichment that rivals or supplements what NIST offers.
