NIST Halts Severity Ratings for Low‑Priority Vulnerabilities Amid 263% Submission Surge
What Happened — The National Institute of Standards and Technology (NIST) announced that, effective April 15, 2026, the National Vulnerability Database (NVD) will no longer assign CVSS severity scores to low‑priority CVEs. Only vulnerabilities that appear in CISA’s Known Exploited Vulnerabilities (KEV) catalog, affect U.S. federal‑government software, or are deemed “critical” under Executive Order 14028 will receive full enrichment (severity rating, product list, etc.). All other submissions will remain listed with only the identifier provided by the CVE Numbering Authority (CNA).
Why It Matters for TPRM (Third‑Party Risk Management) —
- Many third‑party risk programs rely on NVD severity scores to prioritize vendor patching and risk assessments.
- The removal of scores for a large swath of CVEs creates a visibility gap that could hide emerging threats in vendor products.
- Organizations must adjust vulnerability‑management workflows to source supplemental scoring or request manual enrichment from NIST.
Who Is Affected — All sectors that depend on NVD for vulnerability intelligence, especially technology/SaaS, financial services, healthcare/EHR, cloud‑infrastructure, and government contractors.
Recommended Actions —
- Review your vulnerability‑management tooling to ensure it can handle “unscored” CVEs.
- Supplement NVD data with alternative scoring sources (e.g., vendor advisories, commercial threat intel).
- Submit enrichment requests for CVEs that NVD has left unscored as low‑priority but that are critical to your environment.
- Update third‑party risk questionnaires to capture how vendors track and remediate unscored vulnerabilities.
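As an added illustration of the first three actions (not code from the article or from NIST), the following triage routine shows how a vulnerability‑management pipeline can keep an NVD entry with no CVSS score from silently dropping to the bottom of the queue: KEV membership takes precedence, an NVD score is used when present, a vendor‑advisory score is the next fallback, and anything still unscored is flagged for a manual enrichment request. The CVE identifiers, KEV set and vendor scores below are constructed placeholders, and the record layout is a trimmed stand‑in for an NVD entry.

```python
"""Triage CVE records that may lack an NVD CVSS score (constructed example).

A record is a dict with "id" and "cvss"; "cvss" is a float base score or
None when NVD has not enriched the entry. KEV_IDS and VENDOR_SCORES are
constructed sample inputs, and the CVE identifiers are placeholders.
"""
from dataclasses import dataclass
from typing import Optional

KEV_IDS = {"CVE-0000-0001"}                      # placeholder KEV catalog
VENDOR_SCORES = {"CVE-0000-0002": 8.1}           # placeholder vendor advisory scores
RECORDS = [
    {"id": "CVE-0000-0001", "cvss": None},       # unscored by NVD, but listed in KEV
    {"id": "CVE-0000-0002", "cvss": None},       # unscored, vendor advisory exists
    {"id": "CVE-0000-0003", "cvss": 3.2},        # scored by NVD
    {"id": "CVE-0000-0004", "cvss": None},       # unscored, no fallback at all
]

@dataclass
class Triage:
    cve_id: str
    tier: str               # critical / high / medium / low / needs-enrichment
    score: Optional[float]
    source: str             # where the tier came from: CISA KEV, NVD, vendor advisory, none

def tier_from_score(score: float) -> str:
    """Map a CVSS v3.x base score onto the standard qualitative rating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def triage(record: dict, kev_ids: set, vendor_scores: dict) -> Triage:
    cve_id = record["id"]
    # Exploited-in-the-wild entries outrank any score, present or missing.
    if cve_id in kev_ids:
        return Triage(cve_id, "critical", record.get("cvss"), "CISA KEV")
    if record.get("cvss") is not None:
        return Triage(cve_id, tier_from_score(record["cvss"]), record["cvss"], "NVD")
    if cve_id in vendor_scores:
        vendor = vendor_scores[cve_id]
        return Triage(cve_id, tier_from_score(vendor), vendor, "vendor advisory")
    # Never let a missing score read as "low": surface it for a manual enrichment request.
    return Triage(cve_id, "needs-enrichment", None, "none")

def triage_all(records, kev_ids=KEV_IDS, vendor_scores=VENDOR_SCORES):
    return [triage(r, kev_ids, vendor_scores) for r in records]

if __name__ == "__main__":
    for t in triage_all(RECORDS):
        print(f"{t.cve_id}: {t.tier} (score={t.score}, source={t.source})")
```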
Technical Notes — This is a policy change, not a software flaw. No CVE IDs, CVSS vectors, or exploit details are disclosed. The shift is driven by a 263% increase in CVE submissions in 2025‑2026, which overwhelmed NIST’s capacity to enrich entries. Source: BleepingComputer