NIST narrows scope of CVE analysis to keep up with rising tide of vulnerabilities
3 hours ago
- #Cybersecurity
- #Vulnerability Management
- #NIST
- NIST narrows the scope of its vulnerability analysis in response to overwhelming CVE submissions.
- CVEs will be prioritized for analysis if they are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, used in federal government software, or defined as critical under EO 14028.
- The change aims to stabilize the NVD program, address a backlog, and ensure long-term sustainability.
- CVE submissions surged 263% from 2020 to 2025, with a continued rise observed in early 2026.
- CVEs that do not meet these criteria will still be listed but will not be enriched with additional details.
- Vulnerability researchers see the move as necessary: a recent analysis found that only 1% of published CVEs were exploited in the wild.
- NIST will no longer assign a separate CVSS score to CVEs that already have a severity rating, which reduces redundancy and relies more on CVE Numbering Authorities (CNAs).
- Goal: Focus on systemic risks, adapt to challenges, and maintain NVD as a reliable public resource.