NIST to limit work on CVE entries as submissions surge

Summary

NIST has announced it will stop fully enriching every submitted CVE record because the volume of vulnerability reports has grown beyond what its team can sustain. Going forward, NIST will only add detailed descriptions and its own severity data for CVEs that meet new prioritisation criteria: items on CISA’s Known Exploited Vulnerabilities (KEV) catalog, products used by the federal government, and software designated as “critical.”

The agency will list all CVEs but place many existing backlogged entries (published before 1 March 2026) into a “Not Scheduled” category. NIST also said it will stop providing a severity score for every submission and instead rely on submitter-provided scores, while it develops automation and workflow improvements to handle the surge.

Key Points

  • NIST will only “enrich” CVE records that meet a new threshold: KEV-listed exploits, federal-government-used products, or software classed as critical.
  • All submitted CVEs will still be listed, but many will no longer receive NIST-added descriptions, severity scores or metadata.
  • Backlogged CVEs with an NVD publish date before 1 March 2026 will be moved to a “Not Scheduled” status; NIST will pull from that queue only the entries that meet the new criteria.
  • NIST will cease issuing its own severity score for every CVE, relying instead on submitter-provided (CNA) scores in many cases.
  • The policy change is driven by a sharp year-over-year increase in submissions (early-2026 submissions roughly 33% higher than the same period last year) and by past staff and funding shortfalls that left the NVD under-resourced.
  • Experts point to AI-driven code-review tools and autonomous exploit discovery as contributors to a flood of new — sometimes minor — vulnerability reports, stressing centralised triage systems.

Context and relevance

This is a material change for the vulnerability ecosystem. The NVD has been a foundational, centralised source for vulnerability metadata used by security teams, vendors and tooling worldwide. By narrowing which CVEs it enriches, NIST is effectively shifting triage signals toward exploit-driven sources (like CISA’s KEV) and submitter-supplied data.

For security teams, the change means greater reliance on external signals (exploit telemetry, the KEV catalog, vendor advisories, bug bounty activity) and on automated tooling to prioritise fixes, and it means treating a submitter-supplied CVSS score as possibly the only score a record will ever carry. For researchers and vendors, it increases the importance of getting submitter metadata right and of escalating high-impact bugs through the right channels (for example, CISA notifications) rather than waiting for NVD analysis to surface them.
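The triage logic the paragraph above describes, as an added example that is not code from the article, NIST or CISA: it reads NVD API 2.0-shaped records (the `cve.id`, `cve.vulnStatus` and `cve.metrics.cvssMetricV31` fields) and a KEV-catalog-shaped document (`vulnerabilities[].cveID`), puts anything in KEV at the top regardless of score, falls back from NVD's own `Primary` CVSS metric to the CNA's `Secondary` one, and flags unscored, unanalysed records for manual review instead of silently dropping them. All sample data is constructed inline and the CVE IDs are placeholders; the tier thresholds are assumptions to be tuned per organisation.

```python
"""Triage CVEs when NVD enrichment is no longer guaranteed.

Added example, not code from the article or from NIST/CISA. Assumes
NVD API 2.0-shaped records and the public KEV catalog JSON shape.
All sample data below is constructed; the CVE IDs are placeholders.
"""
import json

# Constructed: a tiny KEV catalog in the shape of known_exploited_vulnerabilities.json
KEV_CATALOG_JSON = json.dumps({
    "title": "constructed KEV sample",
    "vulnerabilities": [
        {"cveID": "CVE-2026-100002", "dateAdded": "2026-03-02", "dueDate": "2026-03-23"},
    ],
})

# Constructed: NVD-shaped records. Only the first carries an NVD (Primary) score;
# the others have at most a CNA-supplied (Secondary) score or none at all, which
# is the situation the policy change makes common.
NVD_RECORDS_JSON = json.dumps([
    {"cve": {"id": "CVE-2026-100001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [
                 {"source": "nvd@nist.gov", "type": "Primary",
                  "cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}},
                 {"source": "cna@example.test", "type": "Secondary",
                  "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-2026-100002", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [
                 {"source": "cna@example.test", "type": "Secondary",
                  "cvssData": {"baseScore": 6.5, "baseSeverity": "MEDIUM"}}]}}},
    {"cve": {"id": "CVE-2026-100003", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [
                 {"source": "cna@example.test", "type": "Secondary",
                  "cvssData": {"baseScore": 9.1, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-2026-100004", "vulnStatus": "Awaiting Analysis",
             "metrics": {}}},
])


def load_kev_ids(kev_json: str) -> set:
    """Return the set of CVE IDs in a KEV-catalog-shaped document."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def best_score(cve: dict):
    """Pick a CVSS v3.1 base score, preferring NVD's own (Primary) analysis
    and falling back to the CNA/submitter (Secondary) score.
    Returns (score, source), or (None, None) when no score exists."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    for wanted in ("Primary", "Secondary"):
        for m in metrics:
            if m.get("type") == wanted:
                return m["cvssData"]["baseScore"], m["source"]
    return None, None


def triage(cve: dict, kev_ids: set) -> dict:
    """Assign a priority tier (1 = most urgent). KEV listing trumps any score;
    unscored, unanalysed records go to manual review rather than the bottom.
    Thresholds (9.0 / 7.0) are assumptions for this example."""
    cve_id = cve["id"]
    score, source = best_score(cve)
    if cve_id in kev_ids:
        tier, why = 1, "in CISA KEV: exploited in the wild"
    elif score is None:
        tier, why = 2, "no score from NVD or submitter; manual review"
    elif score >= 9.0:
        tier, why = 2, f"{source} scored {score}"
    elif score >= 7.0:
        tier, why = 3, f"{source} scored {score}"
    else:
        tier, why = 4, f"{source} scored {score}"
    # A record NVD has not analysed rests on the submitter's word; say so.
    if cve.get("vulnStatus") != "Analyzed" and source and "nist.gov" not in source:
        why += " (submitter-provided, not NVD-verified)"
    return {"id": cve_id, "tier": tier, "score": score, "source": source, "why": why}


def prioritize(nvd_json: str, kev_json: str) -> list:
    """Triage every record and order by tier, then by score within a tier."""
    kev_ids = load_kev_ids(kev_json)
    rows = [triage(r["cve"], kev_ids) for r in json.loads(nvd_json)]
    return sorted(rows, key=lambda r: (r["tier"], -(r["score"] or 0)))


if __name__ == "__main__":
    for row in prioritize(NVD_RECORDS_JSON, KEV_CATALOG_JSON):
        print(f"P{row['tier']} {row['id']:16} {row['why']}")
```

Note that the first record shows why the `Primary`/`Secondary` distinction matters: the CNA rated it 9.8 but NVD's own analysis put it at 5.3, and the script takes NVD's figure when one exists. For records NVD never analyses, that correction will no longer arrive, which is why the output labels submitter-only scores explicitly.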

Why should I read this?

Short version: this changes how the worldwide security community will find and trust vulnerability details. If you manage patches, run vulnerability scanners, or depend on CVE metadata for compliance, you need to know that NIST will no longer be the single source of truth for every CVE. We’ve done the skimming for you; read on so you can decide what to change in your patching and triage playbooks.

Source

Source: https://therecord.media/nist-to-limit-work-on-cve-entries-surge