NIST Overhauls CVE Prioritization to Tackle Backlog, Focus on High-Impact Vulnerabilities by 2026
April 19, 2026
NIST is revamping how CVEs are prioritized in the National Vulnerability Database to manage a surge in submissions and a growing backlog.
Automatic enrichment for CVEs will be narrowed to focus on high-impact cases, with low-priority items not receiving enrichment or severity scores.
NVD and CVE status descriptions are updated to improve accuracy and transparency of enrichment status and related metrics.
Starting April 15, 2026, enrichment will be applied only to CVEs meeting defined priority criteria, while others will be listed but not enriched.
The enrichment and risk-management details are designed to help users assess potential impact, emphasizing CVEs with greater potential for widespread harm.
CVEs that do not meet priority criteria will be marked Not Scheduled as the policy shifts resources toward high-risk, widely impactful issues.
This approach marks a move away from CVSS-based, reactive prioritization toward proactive risk management driven by real-world exploitability and threat intelligence.
Industry experts favor a distributed, real-world signal model and prioritizing actionable data over total CVE volume.
Supporters include security researchers and industry leaders who advocate focusing on KEV and exploitability signals rather than sheer CVE counts.
Operational changes include no routine severity scoring for CVEs that have already been assigned a score, reanalysis only if it materially affects enrichment, and a Not Scheduled status for unenriched backlog items except those in KEV; requests for reanalysis can be emailed.
Priority criteria include CVEs in the KEV catalog, CVEs affecting U.S. federal government software, and CVEs affecting software deemed critical by EO 14028.
Vulnerabilities are categorized into KEV and EO 14028–defined critical software groups to determine enrichment priority.
Summary based on 3 sources
Sources

Slashdot • Apr 17, 2026
NIST Limits CVE Enrichment After 263% Surge In Vulnerability Submissions - Slashdot
BleepingComputer • Apr 19, 2026
NIST to stop rating non-priority flaws due to volume increase
Dark Reading • Apr 17, 2026
NIST Revamps CVE Framework to Focus on High-Impact Vulnerabilities