NIST Scales Back CVE Data Enrichment Amid Rising Submission Volumes
Severity: Low (Score: 39.9)
Sources: BleepingComputer, Dark Reading
Summary
The National Institute of Standards and Technology (NIST) announced a significant operational change on April 15, 2026, stating it will no longer assign severity scores or provide detailed enrichment for lower-priority vulnerabilities. This decision comes in response to a staggering 263% increase in CVE submissions, which overwhelmed NIST's capacity to manage them. As a result, only vulnerabilities meeting specific risk criteria will receive additional details, while all submitted CVEs will still be listed in the National Vulnerability Database (NVD). Cybersecurity professionals, including CISOs, have expressed concern that this cutback will lead to critical vulnerabilities being overlooked. NIST will accept requests for enrichment of low-priority CVEs via email, but acknowledges that some significant vulnerabilities may slip through the cracks. The operational changes reflect a shift towards prioritizing CVEs with the highest potential for widespread impact. This adjustment is seen as necessary but problematic for organizations that rely on NIST's enrichment data for effective risk management.
Key Points
- NIST will stop enriching lower-priority CVEs due to a 263% increase in submissions.
- Only vulnerabilities meeting specific risk criteria will receive detailed analysis.
- Cybersecurity professionals fear critical vulnerabilities may be missed as a result.
Key Entities
- Zero-day Exploit (attack_type)
- nist.gov (domain)
- Energy (industry)