NIST narrows NVD priorities to CISA’s known exploited catalog as backlog mounts after 2024 funding lapse

April 16, 2026

What changed

It has been reported that the National Institute of Standards and Technology will now prioritize National Vulnerability Database analysis only for CVEs that appear in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, CVEs in software used by the federal government, and CVEs in the “critical” software set defined under Executive Order 14028. The move is meant to stabilize a program that fell behind after a funding lapse in early 2024 forced NIST to stop providing key metadata, and that has since amassed a growing backlog of unenriched CVEs. NIST said it analyzed nearly 42,000 vulnerabilities last year, and that CVE submissions surged 263% from 2020 to 2025. Submissions in the first three months of 2026 were reported to be about one‑third higher than in the same period last year.

Why it matters

CVEs that don’t meet the narrowed criteria will still be listed in the NVD, but they won’t automatically receive NIST’s enrichment or, in some cases, a separate CVSS score if the CVE was submitted with a severity rating by a CNA. It has been reported that researchers view the change as inevitable — Dustin Childs of Trend Micro’s Zero Day Initiative told CyberScoop NIST “had to do something” and likely could not have otherwise caught up. There’s a sting here: defenders now face harder triage choices, and private companies and CNAs will carry more weight as authoritative sources. Who picks up what gets missed? That’s the new stress point.

NIST framed the shift as pragmatic: focus resources on vulnerabilities with the greatest potential for systemic impact. But the hard reality is uneven attention. VulnCheck’s Caitlin Condon has said prioritization is already a problem; of more than 40,000 vulnerabilities cataloged last year, only about 1% (roughly 422) were actually exploited in the wild. Still, a flaw that isn’t prioritized can be catastrophic for a particular organization. Triage helps the many, but it can hurt the one.

Expect ripple effects. Vendors and security teams will lean harder on their own assessments, threat hunters will adjust workflows, and duplication of effort may decline — which is good. Yet this is also a moment of shifting authority over the vulnerability ecosystem: NIST remains the government’s central catalog, but its role is becoming more selective. Pragmatic, perhaps. Painful for some. Welcome to vulnerability triage.

Sources: cyberscoop.com