NIST to stop rating non-priority flaws due to volume increase
Key Points:
- Starting April 15, the National Institute of Standards and Technology (NIST) will stop assigning severity scores and providing detailed analysis for lower-priority vulnerabilities due to a significant increase in submission volumes.
- The National Vulnerability Database (NVD) will continue listing all vulnerabilities, but only those meeting specific criteria—such as inclusion in CISA’s Known Exploited Vulnerabilities catalog, affecting U.S. federal software, or involving critical software per Executive Order 14028—will receive detailed enrichment from NIST.
- This decision follows a 263% surge in vulnerability submissions. NIST enriched 42,000 CVEs in 2025 but is unable to maintain that pace as the volume accelerates in 2026.
- While lower-priority CVEs will be marked as "Not Scheduled" and lack NIST-assigned severity ratings, the agency will accept enrichment requests for these cases via email to address potential high-impact vulnerabilities.
- NIST’s NVD remains a crucial resource for security professionals and the public, providing detailed risk management information for prioritized vulnerabilities to support effective cybersecurity efforts.