Cyber: NIST Limits CVE Enrichment After 263% Surge In Vulnerability S... (2026)

The National Institute of Standards and Technology (NIST) has announced changes to the way it handles cybersecurity vulnerabilities and exposures (CVEs) listed in its National Vulnerability Database (NVD), stating it will only enrich those that fulfil certain conditions owing to an explosion in CVE submissions.

"CVEs that do not meet those criteria will still be listed in the NVD but will not automatically be enriched by NIST," it said. "This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025. We don’t expect this trend to let up anytime soon."

The prioritization criteria outlined by NIST, which went into effect on April 15, 2026, are as follows -

Any CVE submission that doesn't meet these thresholds will be marked as "Not Scheduled." The idea, NIST said, is to focus on CVEs that have the maximum potential for widespread impact.

"While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories," it added.

NIST said the CVE submissions during the first three months of 2026 are nearly one-third higher than they were last year, and it's working faster than ever to enrich the submissions. It also said it enriched nearly 42,000 CVEs in 2025, which was 45% more than any prior year.

In cases where a high-impact CVE has been categorized as unscheduled, users have the option to request enrichment by sending an email to "nvd@nist[.]gov." NIST is expected to review those requests and schedule the CVEs for enrichment as applicable.

Changes have also been instituted for various other aspects of the NVD operations. These include -

"The announcement from NIST doesn't come as a major surprise, given they've previously telegraphed intent to move to a 'risk-based' prioritization model for CVE enrichment," Caitlin Condon, vice president of security research at VulnCheck, said in a statement shared with The Hacker News. "On the plus side, NIST is clearly and publicly setting expectations for the community amid a huge and escalating rise in new vulnerabilities. On the other hand, a significant portion of vulnerabilities now appear to have no clear path to enrichment for organizations relying on NIST as their authoritative (or only) source of CVE enrichment data."

Source: The Hacker News