PROBABLYPWNED
Tools · April 18, 2026 · 4 min read

NIST Drops NVD Enrichment for Most CVEs After 263% Surge

NIST will only enrich CVEs in CISA KEV, federal software, or critical infrastructure. Pre-March 2026 backlog moved to 'Not Scheduled.' Here's what security teams need to know.

David Okonkwo

The National Institute of Standards and Technology announced a fundamental shift in how the National Vulnerability Database operates. Effective April 15, 2026, NIST will only provide full enrichment for CVEs meeting specific risk criteria—leaving thousands of vulnerabilities without CVSS scores, severity ratings, or remediation guidance.

The change stems from a 263% increase in CVE submissions between 2020 and 2025. NIST simply cannot keep pace with the volume while maintaining comprehensive coverage.

What Changed

Under the new prioritization model, NIST will fully enrich CVEs only if they meet one of three criteria:

  1. Listed in CISA's Known Exploited Vulnerabilities (KEV) catalog
  2. Affecting software used within the federal government
  3. Impacting "critical software" as defined by Executive Order 14028

Everything else falls into a category NIST calls "Not Scheduled"—meaning no CVSS score, no severity rating, just a CVE ID and whatever description the CVE Numbering Authority provided.

The Backlog Problem

All CVEs with an NVD publish date before March 1, 2026 have been moved to "Not Scheduled" status. This affects thousands of vulnerabilities that may still pose risks to organizations running older software.

NIST will no longer routinely re-analyze modified CVEs either. If a CNA updates a vulnerability record, NIST will only re-enrich it "if aware of a modification that materially impacts the enrichment data."

What Counts as Critical Software

Executive Order 14028 defines critical software broadly:

  • Software designed to run with elevated privileges
  • Software that manages privileged access to networking or computing resources
  • Software that controls access to data or operational technology
  • Software operating outside normal trust boundaries with elevated access

This captures operating systems, hypervisors, security tools, and identity management systems—but leaves significant gaps for application-layer vulnerabilities in non-critical software categories.

Impact on Security Teams

For organizations that rely on NVD as their primary vulnerability intelligence source, this creates immediate challenges:

Patch prioritization becomes harder. Without CVSS scores, security teams lose a key input for risk-based prioritization. A CVE affecting your CRM software might receive no NIST analysis at all.

Scanning tools may miss context. Vulnerability scanners that pull enrichment data from NVD will return less actionable results for non-prioritized CVEs.

Manual research increases. Teams will need to check CNA-provided scores, vendor advisories, and alternative sources like VulnCheck or Qualys for CVEs outside NIST's scope.

VulnCheck's Caitlin Condon noted that while NIST sets clear expectations, "a significant portion of vulnerabilities now appear to have no clear path to enrichment for organizations relying on NIST as their authoritative source."

Workarounds for Security Teams

  1. Don't rely solely on NVD. Integrate multiple vulnerability intelligence feeds including vendor advisories, CNA databases, and commercial threat intel
  2. Monitor CISA KEV directly. Vulnerabilities that matter most for exploitation will appear there regardless of NVD status
  3. Request enrichment for critical CVEs. Organizations can email [email protected] to request analysis of specific vulnerabilities
  4. Use CNA-provided scores. NIST will no longer provide separate severity scores when CNAs have already assigned them
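As an added example (not from the article, NIST or CISA), here is the triage logic those four workarounds imply, in Python: it reads records in the NVD API 2.0 response shape and the CISA KEV JSON shape, checks KEV membership first, prefers NIST's own CVSS metric, falls back to the CNA's, and flags whatever remains for manual research. The sample records are constructed (made-up CVE IDs), and using "Not Scheduled" as a vulnStatus value is an assumption drawn from the article.

```python
import json

NIST_SOURCE = "nvd@nist.gov"  # source tag NVD puts on NIST's own CVSS metrics
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30")

# Constructed sample in the NVD API 2.0 response shape. CVE IDs are made up;
# "Not Scheduled" as a vulnStatus value is an assumption, not a documented enum.
NVD_SAMPLE = {"vulnerabilities": [
    {"cve": {"id": "CVE-2026-10001", "vulnStatus": "Analyzed", "metrics": {"cvssMetricV31": [
        {"source": NIST_SOURCE, "type": "Primary",
         "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-2026-10002", "vulnStatus": "Not Scheduled", "metrics": {"cvssMetricV31": [
        {"source": "security@example-cna.test", "type": "Secondary",
         "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    {"cve": {"id": "CVE-2026-10003", "vulnStatus": "Not Scheduled", "metrics": {}}},
    {"cve": {"id": "CVE-2026-10004", "vulnStatus": "Not Scheduled", "metrics": {}}},
]}
# Constructed slice of the CISA KEV catalogue shape; only cveID is used here.
KEV_SAMPLE = {"vulnerabilities": [{"cveID": "CVE-2026-10004"}]}


def cvss_entries(cve):
    """Yield (source, baseScore, baseSeverity) for every CVSS metric on a record."""
    for key in METRIC_KEYS:
        for m in cve.get("metrics", {}).get(key, []):
            d = m.get("cvssData", {})
            yield m.get("source"), d.get("baseScore"), d.get("baseSeverity")


def triage(cve, kev_ids):
    """Decide what a team can still do with one record under the new NVD model."""
    cid = cve["id"]
    entries = list(cvss_entries(cve))
    nist = [e for e in entries if e[0] == NIST_SOURCE]
    cna = [e for e in entries if e[0] != NIST_SOURCE]
    if cid in kev_ids:  # KEV wins regardless of NVD enrichment status
        action, score = "patch-now (in KEV)", (nist or cna or [(None, None, None)])[0][1]
    elif nist:
        action, score = "use-nvd-score", nist[0][1]
    elif cna:
        action, score = "use-cna-score", cna[0][1]
    else:
        action, score = "manual-research (vendor advisory / request enrichment)", None
    return {"id": cid, "status": cve.get("vulnStatus"), "in_kev": cid in kev_ids,
            "score": score, "action": action}


def triage_feed(nvd=NVD_SAMPLE, kev=KEV_SAMPLE):
    """Triage every record in an NVD response against a KEV catalogue."""
    kev_ids = {v["cveID"] for v in kev["vulnerabilities"]}
    return [triage(item["cve"], kev_ids) for item in nvd["vulnerabilities"]]


if __name__ == "__main__":
    for row in triage_feed():
        print(json.dumps(row))
```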

The Bigger Picture

This isn't the first time NVD has struggled with scale. The database faced similar backlogs in 2024, and the growing complexity of software supply chains continues to generate CVEs faster than any single organization can analyze.

CISA's KEV catalog has emerged as the de facto priority list for vulnerability management—we've covered multiple additions recently including Apache ActiveMQ and Fortinet EMS. Organizations that align patching priorities with KEV are likely better positioned than those chasing every CVE.

But for the long tail of vulnerabilities—the ones affecting niche software, legacy systems, or applications outside federal use—security teams are increasingly on their own.

The full announcement is available on NIST's website.
