NIST to stop rating non-priority flaws due to volume increase

Published: April 19, 2026 at 10:17 AM EDT

Source: Bleeping Computer

Overview

The National Institute of Standards and Technology will stop assigning severity scores to lower‑priority vulnerabilities due to the growing workload from rising submission volumes. Starting April 15, the service will only analyze and provide additional details (e.g., severity rating, product lists) for security issues that meet specific criteria related to the risk they pose.

The National Vulnerability Database (NVD) will still list all submitted vulnerabilities, but those considered low priority will have a severity rating only from the CVE Numbering Authority (CNA) that evaluated and submitted them.

New NVD Policy

In an announcement this week, the non‑regulatory federal agency said it will only provide additional details for vulnerabilities that meet one of the following criteria:

  • Are in CISA’s Known Exploited Vulnerabilities (KEV) catalog
  • Affect U.S. federal government software
  • Involve critical software as defined by Executive Order 14028

Reason for the Change

NIST explained that the decision was driven by the large number of submissions, which grew by 263% recently and continued to accelerate in 2026. The organization enriched 42,000 CVEs in 2025, but it can no longer keep up with the increasing volume.

Role of the NVD

The NIST NVD is a public, centralized database of known software and hardware vulnerabilities. It provides additional descriptions and analyses on top of the unique identifiers (CVE IDs) assigned by CNAs, such as vendors and the not‑for‑profit MITRE Corporation.

Enriching vulnerability details makes CVE entries usable for risk management, including:

  • Assigning severity scores
  • Identifying affected product versions
  • Classifying weaknesses
  • Providing links to advisories, patches, or related research

The NVD is used universally by security researchers, software vendors, government agencies, IT professionals, journalists, and regular users seeking more information about a specific security issue.

“All submitted CVEs will still be added to the NVD. However, those that do not meet the criteria above will be categorized as ‘Not Scheduled’,” explains NIST.
“This will allow us to focus on CVEs with the greatest potential for widespread impact. While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories.”

Handling Low‑Priority CVEs

NIST acknowledges that the new rules may allow some potentially high‑impact CVEs to slip through. For this reason, the agency accepts enrichment requests for any lowest‑priority CVE by email at nvd@nist.gov.
