CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

NIST Reconfigures NVD Enrichment Prioritization and Pre-March 2026 Data Handling

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

NIST’s National Vulnerability Database (NVD) will implement a risk-based triage model for CVE enrichment due to unsustainable growth in vulnerability disclosures, marking a strategic shift in how prioritization and processing are conducted. Effective immediately, NVD analysts will deprioritize enrichment for vulnerabilities reported prior to March 1, 2026, while focusing on vulnerabilities impacting U.S. federal government software, critical software per Executive Order 14028, and entries listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. All submitted CVEs will still be cataloged but labeled as “Not Scheduled” if they do not meet enrichment criteria. The decision follows a 263% increase in CVE submissions from 2020 to 2025 and continued acceleration in 2026, with forecasts projecting up to 70,135 CVEs by year-end. This operational pivot aims to focus limited resources on vulnerabilities most likely to pose immediate risk to critical infrastructure and federal systems.

Timeline

  1. 16.04.2026 15:43 1 articles · 4h ago

    NVD Enrichment Strategy Shift and Pre-March 2026 Data Deprioritization Announced

    NIST’s NVD announced a risk-based triage model effective immediately, deprioritizing enrichment for vulnerabilities reported prior to March 1, 2026. The NVD will focus enrichment on federal, critical, and exploited vulnerabilities, and revise CVE status labels to reflect new operational constraints. NVD will no longer provide CVSS scores for CVEs already scored by submitters unless misaligned, and will limit reanalysis to material changes.

    Show sources
    Open in new tab

Information Snippets

  • NVD will stop enrichment for all vulnerabilities reported before March 1, 2026.

    First reported: 16.04.2026 15:43
    1 source, 1 article
    Show sources

  • NVD will prioritize enrichment for vulnerabilities affecting U.S. federal government software, critical software as defined by Executive Order 14028, and entries in CISA’s Known Exploited Vulnerabilities (KEV) list.

    First reported: 16.04.2026 15:43
    1 source, 1 article
    Show sources

  • CVEs that do not meet enrichment criteria will be labeled as “Not Scheduled” in the NVD, replacing the previous “Deferred” status.

    First reported: 16.04.2026 15:43
    1 source, 1 article
    Show sources

  • NVD will no longer provide its own CVSS severity scores for CVEs already scored by the submitting authority unless the score is deemed misaligned with the vulnerability’s risk.

    First reported: 16.04.2026 15:43
    1 source, 1 article
    Show sources

  • NVD will only reanalyze modified CVEs if changes materially affect enrichment data.

    First reported: 16.04.2026 15:43
    1 source, 1 article
    Show sources

  • CVE submissions grew by 263% between 2020 and 2025, with 42,000 CVEs enriched in 2025—45% more than any prior year.

    First reported: 16.04.2026 15:43
    1 source, 1 article
    Show sources

  • Submissions in Q1 2026 were nearly one-third higher than Q1 2025, with forecasts projecting up to 70,135 CVEs for 2026.

    First reported: 16.04.2026 15:43
    1 source, 1 article
    Show sources