NIST shifts CVE triage
- NIST is changing the National Vulnerability Database to prioritize risk-based enrichment over scoring most CVE submissions.
- It will focus enrichment on CVEs in CISA’s Known Exploited Vulnerabilities list, software used by the federal government, and “critical software” under EO 14028.
- The change forces firms to build internal exploitability context and stronger asset mapping instead of relying solely on public CVSS scores (gbhackers.com)(beforethecurve.medium.com).
The National Institute of Standards and Technology will no longer immediately enrich most new software flaw records and will instead triage the National Vulnerability Database by risk. (nist.gov)

A Common Vulnerabilities and Exposures entry, or CVE, is the public ID for a specific software bug. The National Vulnerability Database adds extra details to those IDs, including severity scores and affected-product lists that many security teams use to sort patching work. (nist.gov 1) (nist.gov 2)

NIST said on April 15, 2026 that it will now prioritize enrichment for CVEs in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, for software used by the federal government, and for “critical software” defined under Executive Order 14028. It said CVEs in the Known Exploited Vulnerabilities catalog are targeted for enrichment within one business day of receipt. (nist.gov)

CVEs that do not meet those filters will still appear in the database, but NIST said they will be marked “Lowest Priority” and not scheduled for immediate enrichment. NIST also said users can ask for a lower-priority CVE to be enriched by emailing the program. (nist.gov)

The agency tied the change to volume. NIST said CVE submissions rose 263% between 2020 and 2025, first-quarter 2026 submissions were nearly one-third higher than the same period a year earlier, and the program enriched nearly 42,000 CVEs in 2025, 45% more than in any prior year. (nist.gov)

The move follows more than two years of strain on the database. NIST said in February 2024 that it had a growing backlog of CVEs requiring analysis, blamed both rising vulnerability volume and a change in interagency support, and said it was already prioritizing the most significant cases. (nist.gov)

For companies that treated NIST’s score as the default answer, the practical change is that many fresh CVEs may arrive with an ID but without NIST’s usual added context.
NIST said it previously aimed to analyze all CVEs and assign details such as severity scores even when the submitting CVE Numbering Authority had already provided one. (nist.gov) That shifts more work onto each organization’s own inventory: knowing which software it runs, which systems are internet-facing, and whether a bug is already being exploited.

NIST said its new criteria “may not catch every potentially high-impact CVE,” and it framed the change as a way to stabilize the program while it builds more automation and workflow improvements. (nist.gov)

The database is still central infrastructure for vulnerability management, but it is no longer promising to score everything on arrival. NIST’s message is that the public list remains comprehensive, while the extra analysis now goes first to the bugs most likely to matter at national scale. (nist.gov 1) (nist.gov 2)
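The triage a defender now has to do in-house, as an added example that is not from NIST or the article: it ranks a CVE from the organization's own inventory (is the product deployed, is it internet-facing), CISA KEV membership, and the CNA's score when NIST's is absent, and flags records NIST marked "Lowest Priority" that carry no score at all for internal review. All record shapes, product names and CVE IDs are constructed placeholders, not the NVD or CVE JSON schema.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample record shapes for this example only; the field names
# are this example's own, not the NVD or CVE JSON schema.
@dataclass
class CveRecord:
    cve_id: str
    products: list             # product names as used in our own inventory
    nvd_cvss: Optional[float]  # NIST-assigned score; may be absent under the new policy
    cna_cvss: Optional[float]  # score supplied by the submitting CNA, if any
    nvd_priority: str = ""     # e.g. "Lowest Priority" as marked by NIST

@dataclass
class Asset:
    name: str
    product: str
    internet_facing: bool

def effective_score(rec: CveRecord):
    """Prefer NIST's score, fall back to the CNA's, and say which one was used."""
    if rec.nvd_cvss is not None:
        return rec.nvd_cvss, "nvd"
    if rec.cna_cvss is not None:
        return rec.cna_cvss, "cna"
    return None, "none"

def triage(rec: CveRecord, inventory: list, kev_ids: set) -> str:
    """Rank a CVE from our own context: deployment, exposure, KEV status, score."""
    hits = [a for a in inventory if a.product in rec.products]
    if not hits:
        return "not-deployed"            # nothing to patch here, whatever the score
    exposed = any(a.internet_facing for a in hits)
    if rec.cve_id in kev_ids:
        return "P1-exploited"            # known exploited and present: patch first
    score, _source = effective_score(rec)
    if score is None:
        # No score from NIST or the CNA. If NIST marked it Lowest Priority it
        # will not be enriched soon, so we must assess it ourselves; otherwise
        # it is in NIST's prioritized set and enrichment should follow.
        if rec.nvd_priority == "Lowest Priority":
            return "needs-internal-review"
        return "awaiting-nvd"
    if score >= 9.0 and exposed:
        return "P1"
    if score >= 7.0 or exposed:
        return "P2"
    return "P3"
```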