NIST marks some CVEs 'Not Scheduled'

- The National Institute of Standards and Technology said April 15 it will stop immediately enriching many lower-priority CVEs in the National Vulnerability Database.
- NIST said CVE submissions jumped 263% from 2020 to 2025, while first-quarter 2026 volume ran nearly one-third above last year.
- The shift pushes defenders toward CISA’s exploited-flaw list and federal critical-software rules. (nist.gov)

The National Institute of Standards and Technology changed how it handles CVEs on April 15, saying many lower-priority entries in the National Vulnerability Database will no longer get immediate enrichment. (nist.gov)

A CVE is a public ID for a software flaw. NIST’s enrichment step adds the details defenders actually use, including severity scores, affected product lists, weakness tags, and reference labels. (nvd.nist.gov) (nist.gov)

Under the new model, NIST will prioritize CVEs already listed in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, software used by the federal government, and “critical software” defined under Executive Order 14028. (nist.gov) (cisa.gov) (nist.gov)

Everything else still appears in the NVD, but some records now carry a “Not Scheduled” status. On NVD’s status page, that maps to “Deferred,” meaning the CVE is not currently scheduled for enrichment and can be requested later. (nvd.nist.gov)

NIST said the change was driven by volume, not a narrower mission. CVE submissions rose 263% between 2020 and 2025, NIST enriched nearly 42,000 CVEs in 2025, and the first three months of 2026 were still nearly one-third higher than a year earlier. (nist.gov)

The biggest immediate backlog decision is date-based. NIST said all backlogged CVEs with an NVD publish date earlier than March 1, 2026, will be moved into the “Not Scheduled” category when the new criteria are applied. (nist.gov)

NIST also said it will try to enrich vulnerabilities in CISA’s Known Exploited Vulnerabilities catalog within one business day of receipt. That gives active exploitation, federal use, and critical-software exposure more weight than broad routine coverage. (nist.gov) (cisa.gov)

The agency left an escape hatch for defenders who think a deferred flaw deserves faster treatment. Users can email nvd@nist.gov to request enrichment of a lowest-priority CVE, and NIST said it will review those requests as resources allow. (nist.gov)

NIST is also trimming duplicate scoring work. The agency said it will no longer routinely publish its own separate severity score when the CVE Numbering Authority that submitted the record already supplied one. (nist.gov)

That leaves the NVD looking more like a triage desk than a universal annotation service. The CVE IDs will still arrive, but many of the extra fields defenders relied on will now depend on whether NIST decides the flaw is urgent enough to analyze first. (nist.gov)
