
NIST/NVD risk-based CVE enrichment change

Public Sector Action
H score 35
2 unique sources, 2 articles

Summary


NIST said the US National Vulnerability Database (NVD) will switch to a risk-based CVE enrichment model to cope with backlog growth. The change will drop enrichment for vulnerabilities reported before March 1, 2026 and prioritize items affecting US federal government software, critical software, and CISA KEV entries. The move changes how the government-backed vulnerability database triages fixes and can delay enrichment for lower-priority CVEs.

Related Happenings

Pretalx stored XSS (CVE-2026-41241)

Vulnerability
First: 27.05.2026 17:30 Last: 27.05.2026 17:30 Sources 1

About this happening: A high-severity **stored XSS** in **Pretalx** tracked as **CVE-2026-41241** let registered speakers inject code that could run when an organizer searched a submission, creating **...

CERT-In 12-hour KEV remediation guidance

Advisory/Mitigation
First: 26.05.2026 13:30 Last: 26.05.2026 13:30 Sources 1

About this happening: CERT-In set a **12-hour** expectation for containing or remediating **known exploited vulnerabilities** on **internet-facing and crown-jewel systems**, sharply shortening response...

CISA KEV action for CVE-2026-31431 and FCEB remediation

Public Sector Action
First: 03.05.2026 09:26 Last: 03.05.2026 09:26 Sources 1

About this happening: CISA added **CVE-2026-31431** to its **KEV catalog**, putting **Federal Civilian Executive Branch (FCEB)** agencies on notice to remediate an actively exploited Linux privilege-es...

OpenNDS zero-day vulnerabilities (multiple vulnerabilities)

Vulnerability
First: 17.04.2026 16:20 Last: 17.04.2026 16:20 Sources 1

About this happening: Researchers uncovered **four new zero-day vulnerabilities** in **OpenNDS**, creating unknown-risk exposure in a **widely deployed** software component. The flaws were found using...

NIST CVE/NVD prioritization shift

Public Sector Action
First: 17.04.2026 00:47 Last: 17.04.2026 00:47 Sources 1

How related: The National Vulnerability Database (NVD) will still list all submitted vulnerabilities, but those considered low priority will have a severity rating only from the CVE Numbering Authority (CNA) that evaluated and submitted it.

About this happening: **NIST** is **changing** its **CVE/NVD prioritization** so that, starting **April 15, 2026**, it will provide full details only for a **subset of CVEs**. The shift matters because...

Timeline

  1. 16.04.2026 15:43 (2 articles)

    NIST/NVD announces risk-based CVE enrichment cutoff

    Industry Or Public Sector Update

    NIST/NVD announced a risk-based enrichment model for the US National Vulnerability Database that will stop enriching vulnerabilities reported before March 1, 2026, prioritize CVEs affecting software used by the US federal government, critical software under Executive Order 14028, and CISA's Known Exploited Vulnerabilities (KEV) list, and mark lower-priority items as "Not Scheduled."

  2. 16.04.2026 15:43 (1 article)

    NIST/NVD details CVSS and status-label changes

    Technical Analysis Update

    NIST/NVD updated its CVE handling rules for the US National Vulnerability Database so it will not overwrite a CVE's submitting-authority severity score unless it appears misaligned, will reanalyze modified CVEs only when changes materially affect enrichment data, and will replace the prior "Deferred" status with "Not scheduled" for CVEs the database will not enrich.
