NIST Modifies NVD Operations, Discontinues Severity Scoring for Many CVEs

The National Institute of Standards and Technology has announced significant changes to its National Vulnerability Database. As of April 15, 2026, NIST will no longer provide severity scores, affected product analysis, or remediation context for the majority of new CVE submissions. This policy shift is expected to affect numerous organizations that rely on the NVD for prioritizing security patches and managing their cybersecurity posture.

Context

The NVD is a critical resource for organizations to identify and manage vulnerabilities in software and systems. Historically, it provided severity ratings and remediation guidance to help users understand the risks associated with specific vulnerabilities. The decision to discontinue these features marks a shift in how NIST supports cybersecurity efforts.

Why it matters

The changes to the National Vulnerability Database (NVD) by NIST are significant because they impact how organizations assess and prioritize cybersecurity vulnerabilities. Without severity scores and detailed analysis, companies may struggle to allocate resources effectively for patch management. This could lead to increased cybersecurity risks and potential data breaches.

Implications

The discontinuation of severity scoring may lead to inconsistent vulnerability prioritization across different organizations. Smaller companies or those with limited cybersecurity resources may be disproportionately affected, potentially increasing their vulnerability to attacks. Overall, this policy shift could result in a heightened risk landscape, prompting organizations to seek new methods for managing vulnerabilities.

What to watch

As the April 2026 deadline approaches, organizations will need to adapt their vulnerability management strategies in light of these changes. Monitoring how companies adjust their cybersecurity practices will be important, as well as any potential responses from the cybersecurity community. Additionally, the development of alternative resources or tools to fill the gap left by NIST's changes may emerge.