
NIST CVE/NVD prioritization shift

Public Sector Action
H score 38
2 unique sources, 2 articles

Summary


NIST is changing its CVE/NVD prioritization so that, starting April 15, 2026, it will provide full details only for a subset of CVEs. The shift matters because it changes how defenders triage vulnerabilities and how backlog items are handled across the National Vulnerability Database. NIST said the new model will focus on CISA KEV-listed issues and flaws in critical software under EO 14028.

Related Happenings

CERT-In 12-hour KEV remediation guidance

Advisory/Mitigation
First: 26.05.2026 13:30 Last: 26.05.2026 13:30 Sources 1

About this happening: CERT-In set a **12-hour** expectation for containing or remediating **known exploited vulnerabilities** on **internet-facing and crown-jewel systems**, sharply shortening response...

CERT-In issues 12-hour patch guidance for Indian organizations

Public Sector Action
First: 26.05.2026 13:30 Last: 26.05.2026 13:30 Sources 1

About this happening: **CERT-In** published new guidance on **May 25** urging Indian organizations to patch **actively exploited internet-facing vulnerabilities** within **12 hours**, tightening respon...

Ivanti EPMM patch release for CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821

Security Patch Release
First: 07.05.2026 18:20 Last: 07.05.2026 18:20 Sources 1

About this happening: Ivanti released a security update for on-prem Endpoint Manager Mobile (EPMM) covering CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821. The patch addresses high-seve...

Latest development: 07.05.2026 20:55

Ivanti released fixes for CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821 in Endpoint Manager Mobile (EPMM). The updates apply only to on-prem EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1, and Ivanti said the issues are not present in Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, or other Ivanti products.

CISA KEV listing and FCEB ActiveMQ patch order

Public Sector Action
First: 17.04.2026 12:30 Last: 17.04.2026 12:30 Sources 1

About this happening: **CISA** added **CVE-2026-34197** to the **KEV Catalog** and ordered **FCEB** agencies to patch **Apache ActiveMQ** servers within **two weeks**. The directive sets a hard **April...

NIST/NVD risk-based CVE enrichment change

Public Sector Action
First: 16.04.2026 15:43 Last: 16.04.2026 15:43 Sources 1

How related: Starting April 15, the service will only analyze and provide additional details (e.g., severity rating, product lists) for security issues that meet specific criteria related to the risk they pose.

About this happening: **NIST** said the **US National Vulnerability Database (NVD)** will switch to a **risk-based CVE enrichment** model to cope with backlog growth. The change will **drop enrichment...

Timeline

  1. 17.04.2026 00:47 2 articles · 1mo ago

    NIST's risk-based CVE triage takes effect

    Legal Policy Action Update

    Starting April 15, 2026, NIST provides full details only for a subset of CVEs, prioritizing vulnerabilities in the CISA KEV catalog and in critical software under EO 14028. Backlogged CVEs, except KEV items, move to Not Scheduled.

  2. 17.04.2026 00:47 1 article · 1mo ago

    NIST announces its CVE and NVD prioritization change

    Initial Disclosure

    On April 16, 2026, NIST said it is changing its CVE criteria because it is struggling to keep up with growing submissions. It will continue adding all submitted vulnerabilities to the NVD and will prioritize analysis for KEV-listed flaws and critical software under EO 14028. The agency also said CVE submissions increased 263% between 2020 and 2025 and that backlog challenges started in early 2024.
