Overview
- NIST, which announced the shift Wednesday, will prioritize adding detail only to vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog, software used by federal agencies, or software labeled critical under Executive Order 14028.
- All other CVEs will still be listed in the National Vulnerability Database but will not receive automatic enrichment such as added context, affected products, or a NIST-issued severity score.
- The agency set a target to enrich KEV-listed flaws within one business day and moved older unenriched entries into a "Not Scheduled" queue to manage the backlog.
- NIST will no longer publish its own CVSS score when a CVE arrives with a rating from its CVE Numbering Authority, shifting more weight to vendor and CNA assessments.
- The change follows rapid growth in reports (42,000 CVEs enriched in 2025, a 263% rise since 2020). Experts warn that teams will lean more heavily on private intelligence, since only about 1% of new flaws were exploited in the wild last year.