NIST Drops Severity Scoring for Low-Priority CVEs as Submission Volume Overwhelms NVD
NIST is officially scaling back the National Vulnerability Database. As of April 15, only CVEs that hit specific thresholds — presence in CISA’s Known Exploited Vulnerabilities catalog, impact on U.S. federal software, or relevance to critical software under Executive Order 14028 — will receive the agency’s enriched analysis: severity scores, affected product lists, weakness classifications, and advisory links. Everything else gets logged as ‘Not Scheduled’ and inherits only whatever severity the originating CVE Numbering Authority assigned.
The driver is raw throughput. Submissions jumped 263% recently and kept climbing into 2026. NIST enriched 42,000 CVEs in 2025 and has now conceded it cannot keep pace. The enrichment backlog and visible delays have been a known problem since 2024; this announcement formalizes the triage rather than introducing it.
The downstream impact lands on anyone who treats NVD as the authoritative source for vulnerability metadata — vendors, scanners, risk-management tooling, and SOC workflows that pull CVSS scores and CPE strings directly from NIST. CNA-assigned scores vary widely in quality and consistency, so defenders relying on NVD enrichment for non-KEV bugs will need to either trust upstream CNAs more, lean on commercial vulnerability intelligence, or email nvd@nist.gov to request enrichment case-by-case.
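For tooling that reads NVD records directly, the practical consequence is that a CVE with no NIST-assigned ("Primary") CVSS metric or CPE configuration is now the normal case, and a pipeline must not treat that absence as "no risk". The following is an added example, not code from the article or from NIST: it assumes the field layout of NVD API 2.0 `vulnerabilities[].cve` objects (`vulnStatus`, `metrics.cvssMetricV31[].type`, `configurations`), uses the 'Not Scheduled' status string the article cites, and runs over constructed sample records with placeholder CVE ids.

```python
import json

# Constructed sample records in the shape of NVD API 2.0 "vulnerabilities[].cve"
# objects (field names assumed from the public API schema; CVE ids are placeholders).
SAMPLE_RECORDS = json.loads("""
[
 {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
  "metrics": {"cvssMetricV31": [
   {"source": "nvd@nist.gov", "type": "Primary",
    "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
   {"source": "cna@example.org", "type": "Secondary",
    "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
  "configurations": [{"nodes": [{"cpeMatch": [
   {"criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]},
 {"id": "CVE-0000-0002", "vulnStatus": "Not Scheduled",
  "metrics": {"cvssMetricV31": [
   {"source": "cna@example.org", "type": "Secondary",
    "cvssData": {"baseScore": 8.8, "baseSeverity": "HIGH"}}]}},
 {"id": "CVE-0000-0003", "vulnStatus": "Not Scheduled", "metrics": {}}
]
""")


def triage(cve: dict) -> dict:
    """Pick the best available CVSS v3.1 score and record where it came from.

    NIST enrichment shows up as a "Primary" metric; a CNA-assigned score is
    "Secondary". A record with neither is flagged for manual triage rather
    than silently scored as zero.
    """
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    by_type = {m.get("type"): m for m in metrics}
    result = {"id": cve["id"], "status": cve.get("vulnStatus"),
              "cpe_enriched": bool(cve.get("configurations"))}
    if "Primary" in by_type:
        data = by_type["Primary"]["cvssData"]
        result.update(score=data["baseScore"], severity=data["baseSeverity"],
                      provenance="nvd", action="use")
    elif "Secondary" in by_type:
        data = by_type["Secondary"]["cvssData"]
        result.update(score=data["baseScore"], severity=data["baseSeverity"],
                      provenance="cna", action="review-cna-score")
    else:
        result.update(score=None, severity=None, provenance=None,
                      action="manual-triage")
    return result


def triage_all(records: list) -> list:
    """Triage every record; callers should key alerting on 'provenance'."""
    return [triage(r) for r in records]


if __name__ == "__main__":
    for row in triage_all(SAMPLE_RECORDS):
        print(row)
```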
Continue reading at BleepingComputer. This is an AI-generated summary; read the original for the full story.