NIST narrows its National Vulnerability Database priorities to CVEs in CISA's known exploited catalog, to deal with a backlog after its 2024 funding lapse
The National Vulnerability Database will now only analyze vulnerabilities in critical software, systems used in the federal government and those under active exploitation.
CyberScoop · Matt Kapko
Related Coverage
- NIST Updates NVD Operations to Address Record CVE Growth NIST
- NIST to limit work on CVE entries as submissions surge The Record · Jonathan Greig
- NIST Drops NVD Enrichment for Pre-March 2026 Vulnerabilities Infosecurity · Kevin Poireault
- NIST is overhauling the National Vulnerability Database due to skyrocketing reports - experts worry it will ‘leave many CVEs on the table’ ITPro · Emma Woollacott
- NIST shifts National Vulnerability Database to risk-based triage as CVE submissions hit record levels SiliconANGLE · Duncan Riley
- Fortinet fixes critical FortiSandbox vulnerabilities (CVE-2026-39813, CVE-2026-39808) Help Net Security · Zeljka Zorz
- Overwhelmed by vulnerability surge, NIST scales back NVD coverage Metacurity · Cynthia B Brumfield
- NIST admits defeat on NVD backlog, will enrich only highest-risk CVEs going forward Help Net Security · Zeljka Zorz
- NIST limits vulnerability analysis as CVE backlog swells Cybersecurity Dive · Eric Geller
- Reliable CVE sources in the age of NIST NVD cutbacks Aikido Security's Blog · Sooraj Shah
- NIST cuts down CVE analysis amid vulnerability overload CSO · Maria Korolov
Discussion
- Daniel Karistai (@hackswithcoffee) on X: NIST changing their priority structure for CVE enrichment is going to have some interesting implications for those who rely on the NVD for risk based decision making. https://www.nist.gov/...
- Lindsey O'Donnell Welch (@lindseyod123) on X: Update from NIST on how the NVD will operate, as they grapple with “record CVE growth” https://www.nist.gov/...
- Eric Geller (@ericgeller) on X: Amid an increasing volume of newly reported vulnerabilities, NIST says it will only add detailed info to CVEs in its NVD that meet certain criteria (inclusion in CISA's KEV catalog, use in fed sw, or use in critical sw). It will review requests for others. https://www.nist.gov/..…
- Ryan Naraine (@ryanaraine) on X: It's amusing how AI can do all the most powerful security things except enriching the CVE database. What a shame this announcement is 😢 https://www.nist.gov/...
- Tony Stark (@tonystark) on Bluesky: Bad timing with Mythos
- Catalin Cimpanu (@campuscodi.risky.biz) on Bluesky: NIST says that besides focusing on enriching only the big bugs, it will also stop providing its own CVSS severity scores for NVD entries, and will now just show the severity score initially assigned by the organization that issued the CVE. — ruh-roh.... some CVSS drama incoming