NIST Changes CVE Assessment Following Surge in Reports
The National Institute of Standards and Technology (NIST) announced on April 21, 2026, that it will implement changes in the handling of Cybersecurity Vulnerabilities and Exposures (CVEs) in its National Vulnerability Database (NVD). This decision follows a remarkable 263% increase in CVE submissions compared to the previous year. NIST will now only enrich CVEs that meet specific criteria to ensure the quality and relevance of the data. The new guidelines aim to improve data processing efficiency and reduce the overload caused by a high number of submissions.
CVEs that do not meet the established criteria will still be listed in the NVD but without additional enrichment. This measure is intended to ensure that the most critical security vulnerabilities are prioritized. NIST's decision comes at a time when the cybersecurity landscape is becoming increasingly complex. The rising number of vulnerabilities and associated risks necessitate a targeted and effective response from security authorities and companies. NIST has emphasized that the quality of information in the NVD is of utmost importance to ensure the security of IT systems.
The criteria for enriching CVEs include, among other factors, the severity of the vulnerability, the prevalence of the affected software, and the potential impact on security. These factors are intended to help identify and highlight the most relevant and critical vulnerabilities. NIST plans to regularly review and adjust these criteria to address evolving threats. The NVD serves as a central resource for security researchers, IT administrators, and companies needing information about known vulnerabilities. The database contains information on CVEs reported by various organizations and security researchers.
Changes in enrichment could impact how companies prioritize and respond to vulnerabilities. Another aspect of the new guidelines concerns the transparency of data processing. NIST has announced that it will publish regular reports on the number of submitted CVEs and the criteria for their enrichment. This is intended to strengthen trust in the NVD and help users make informed decisions.
Reactions to NIST's announcement have been mixed. Some experts welcome the measure as necessary to improve data quality, while others express concerns about the potential impact on the visibility of less critical but still relevant vulnerabilities. The discussion about the balance between quality and quantity in vulnerability management is expected to continue.
The changes take effect immediately, and NIST has already begun implementing the new criteria in the NVD. The organization plans to evaluate the impact of these changes in the coming months and make adjustments as necessary. NIST has emphasized that the security of IT infrastructure remains the top priority. The NVD recorded a total of 20,000 new CVE entries in 2025, highlighting the 263% increase compared to previous years. These figures underscore the urgency with which security authorities and companies must respond to growing threats.