214/69 Tuesday, April 21, 2026

The National Institute of Standards and Technology (NIST) has announced a change in its approach to assessing and analyzing vulnerabilities within the National Vulnerability Database (NVD), effective April 15. This decision comes as global reporting of vulnerabilities (CVEs) has surged by 263%, with continued growth expected in 2026, overwhelming the agency’s resources and making it difficult to provide detailed analysis, such as severity scoring and affected product listings, for every entry in a timely manner.
Under the new prioritization model, NIST will conduct in-depth analysis only for vulnerabilities that meet one of three key criteria:
- vulnerabilities with evidence of active exploitation and inclusion in the Known Exploited Vulnerabilities (KEV) catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA),
- vulnerabilities affecting U.S. federal government software, and
- vulnerabilities impacting critical software as defined under Executive Order 14028.
Other vulnerabilities will still be added to the NVD and assigned CVE identifiers but will be marked as “Not Scheduled.” For these entries, users will need to rely on severity scores provided by the reporting CVE Numbering Authority (CNA), such as a software vendor or MITRE Corporation.
This policy shift has significant implications for the global cybersecurity community, as the NVD is widely used by researchers, developers, government agencies, and IT professionals. NIST acknowledged that some high-risk vulnerabilities could potentially be overlooked under this model and has provided a mechanism for stakeholders to request prioritization via email. While delays in vulnerability processing have existed since 2024, this announcement formalizes NIST’s focus on the most critical, system-wide risks moving forward.
