NIST to Scale Back Vulnerability Severity Scoring Amidst CVE Submission Surge
The **National Institute of Standards and Technology (NIST)** is changing its approach to vulnerability analysis, announcing it will no longer provide in-depth analysis and severity scoring for all submitted CVEs. Citing a massive increase in submissions, **NIST** will prioritize vulnerabilities based on risk criteria, focusing on those affecting US federal government software, those listed in **CISA**'s Known Exploited Vulnerabilities catalog, and those deemed critical under Executive Order 14028.

**NIST** announced this week that it will be scaling back its vulnerability analysis efforts due to an overwhelming surge in Common Vulnerabilities and Exposures (CVE) submissions. Effective April 15, the **National Vulnerability Database (NVD)** will only provide detailed analysis, including severity ratings, for vulnerabilities meeting specific criteria.
### Prioritization Criteria
**NIST** will now focus its resources on vulnerabilities that:
* Are listed in **CISA**'s Known Exploited Vulnerabilities (KEV) catalog.
* Affect U.S. federal government software.
* Involve critical software as defined by Executive Order 14028.
### The Submission Surge
**NIST** attributes this change to a dramatic increase in CVE submissions. The agency reports a 263% increase in submissions, a trend that is expected to continue. In 2025, **NIST** enriched approximately 42,000 CVEs, but the agency states it can no longer sustain this level of analysis for all submissions.
### Impact on the NVD
The **NVD** will continue to list all submitted vulnerabilities. However, those not meeting the prioritization criteria will only have a severity rating assigned by the CVE Numbering Authority (CNA) that initially evaluated and submitted the vulnerability. CNAs include vendors and organizations such as **The MITRE Corporation**.
### Why This Matters
The **NIST NVD** is a critical resource for security researchers, IT professionals, and organizations worldwide. It provides detailed information about vulnerabilities, including severity scores, affected products, and links to advisories and patches. This information is essential for effective risk management and vulnerability remediation.
### "Not Scheduled" Status
Vulnerabilities not meeting the new criteria will be categorized as "Not Scheduled." **NIST** emphasizes that this does not mean these vulnerabilities are unimportant, but rather that they do not present the same level of systemic risk as those in the prioritized categories.
"All submitted CVEs will still be added to the NVD. However, those that do not meet the criteria above will be categorized as 'Not Scheduled,'" [explains NIST](https://www.nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-cve-growth).
### Enrichment Requests
Recognizing that some high-impact vulnerabilities might slip through the prioritization process, **NIST** is accepting enrichment requests for lower-priority CVEs via email at "[email protected]."
### A Shift in Focus
While delays in enrichment have been observed since 2024, this announcement formalizes **NIST**'s shift in focus towards the most critical and widely impactful vulnerabilities.