
NIST Declares “Inbox Zero,” Pulls Back on CVE Enrichment. Now Enterprise Security Teams Must Fill the Gap

An analysis of the National Vulnerability Database's shift to risk-based triage and what it actually means for the people patching systems (first of a two-part analysis)

The National Institute of Standards and Technology (NIST) has effectively conceded that it can no longer analyze every vulnerability flowing into the National Vulnerability Database (NVD).

“NIST declared inbox zero. Over a year behind, the budget never caught up, and now they're saying the quiet part out loud. Federal priority CVEs get enriched, everything else is on us,” says Andrew Storms, a long-time security executive and currently independent security assessor and lead security engineer at open-source AI coding agent and agentic engineering platform provider Kilo Code.

The quiet part was said out loud on April 15, at the VulnCon26 conference in Scottsdale, and through a formal blog post the same day, when NIST laid out a risk-based prioritization model that narrows the scope of its enrichment work to a fraction of the CVEs it receives. 

For security teams who've spent years building processes on top of NVD data, this isn't a surprise. It's a confirmation. The backlog has been visible since early 2024, and NIST officials have spent the past year signaling that the old model — analyze everything, score everything, map everything — was no longer tenable. What changed this week is that the informal rationing became official policy.

“In one sense, after all the promises that NIST made to fix NVD enrichment over the last two years, it feels like a shocking betrayal for them to, now, admit that it isn't going to happen,” says Neil Carpenter, principal solution architect at container hardening platform provider Minimus.

While most security professionals we spoke with mirror Carpenter’s sentiment, not everyone sees it as a betrayal.

“I think many security practitioners will find this NVD adjustment completely reasonable. This new approach makes sense considering the pace of innovation and change within our industry right now. It's undeniable that there is a rapid influx of discovered and disclosed vulnerabilities,” says John Hammond, senior principal security researcher at managed cybersecurity platform provider Huntress. “The shift may make some small inconvenience for an org's current vulnerability management processes in the short term, but, in the long term, it's perfectly clear to see that this prioritization will help the industry focus on what the true threats on the horizon really are.”

NIST’s new rules

Under the new rules, NIST will enrich CVEs that fall into one of three buckets: vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, vulnerabilities affecting software used within the federal government, and vulnerabilities in software deemed critical under Executive Order 14028. Everything else still gets a CVE record in the NVD, but it doesn't get a NIST-assigned CVSS score, CPE product mapping, or the contextual analysis that downstream tools have historically pulled from the database.

NIST is also formalizing several adjacent changes. The agency will no longer issue its own CVSS score when the submitting CVE numbering authority has already provided one. It will only re-analyze a modified CVE if the modification materially affects the enrichment data. And the large pool of unenriched CVEs published before March 1, 2026 is being moved into a "Not Scheduled" category, which NIST says it will revisit as resources allow. That’s language that experienced observers will likely recognize as meaning "possibly never."

Harold Booth, the NIST computer scientist who delivered the news at VulnCon, put the agency's reasoning plainly: CVE submissions grew 263 percent between 2020 and 2025. The first quarter of 2026 ran roughly a third ahead of the same period last year. NIST's 2025 throughput of nearly 42,000 enriched CVEs — a 45 percent year-over-year jump — still wasn't enough to keep pace. The NVD operates with a staff of roughly 21 people. The math hasn't worked for some time.

Why the volume exploded

It’s clear what's driving the surge: automated vulnerability discovery tools, and in particular large language model–based scanners, have democratized the process of finding and reporting software flaws. Issues that a human researcher once might have triaged internally or filed as a minor bug are now being mechanically surfaced and pushed into the CVE pipeline. Vincenzo Iozzo, co-founder of SlashID, told SiliconANGLE that his firm has seen a sharp spike in AI-reported valid vulnerabilities over the past year.

The forecasts suggest more of the same. The Forum of Incident Response and Security Teams (FIRST) has projected roughly 50,000 additional CVEs in 2026. Cisco's Jerry Gamblin has floated a higher number — above 70,000. Whichever figure proves closer, NIST's 42,000-per-year ceiling isn't going to catch up on its own.

What the change threatens to break

The practical consequences depend on how much weight an organization's vulnerability management stack currently places on NVD enrichment as a trusted source of truth.

For shops that treat the NVD as authoritative, feeding its CVSS scores into risk scoring engines, relying on its CPE data to match CVEs to installed software, and using its severity ratings to drive patch SLAs, the gaps are already showing up. A CVE with no CPE mapping is effectively invisible to a scanner that matches by CPE. A CVE with no CVSS score doesn't sort properly into a high/medium/low patch queue. A CVE that sits in "not scheduled" purgatory may still affect production systems, and the only signal that it warrants attention will be whatever the original CNA provided, which varies widely in quality.
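As an added illustration of the gaps just described (this is not code from the article, from NIST or from any vendor), the following Python triages CVE records shaped like the NVD API 2.0 output: it prefers the NIST ("Primary") CVSS score, falls back to the CNA's ("Secondary") score, flags records that carry no score or no CPE mapping, and keeps unscored CVEs at the end of the patch queue instead of letting them drop out. The field layout, the "Not Scheduled" status label and the sample records with their placeholder CVE IDs are assumptions constructed for the example.

```python
"""Triage NVD 2.0-style CVE records that may lack NIST enrichment.
Added example, not NIST's or any vendor's code. Assumes the NVD API 2.0 layout:
cve.metrics.cvssMetricV31[] tagged 'Primary' (NIST) or 'Secondary' (CNA),
and cve.configurations[] holding the CPE matches."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample records in the NVD 2.0 shape; the CVE IDs are placeholders.
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"type": "Primary", "cvssData": {"baseScore": 9.8}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [{"type": "Secondary", "cvssData": {"baseScore": 7.5}}]},
             "configurations": []}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Not Scheduled",  # status label assumed
             "metrics": {}, "configurations": []}},
]

@dataclass
class Triage:
    cve_id: str
    score: Optional[float]
    score_source: str   # "nist", "cna" or "none"
    gaps: list          # enrichment that is missing from the record
    bucket: str         # "enriched", "partial" or "manual-review"

def band(score: Optional[float]) -> str:
    # CVSS v3.1 qualitative severity; unscored records get an explicit band of their own
    if score is None:
        return "Unscored"
    return "Critical" if score >= 9.0 else "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"

def triage(record: dict) -> Triage:
    cve = record["cve"]
    by_type = {m.get("type"): m["cvssData"]["baseScore"]
               for m in cve.get("metrics", {}).get("cvssMetricV31", [])}
    gaps = []
    if "Primary" in by_type:
        score, src = by_type["Primary"], "nist"
    elif "Secondary" in by_type:   # fall back to the CNA's own score, but record the gap
        score, src, gaps = by_type["Secondary"], "cna", ["no-nist-score"]
    else:
        score, src, gaps = None, "none", ["no-score"]
    # Without a CPE match, CPE-driven scanners never associate the CVE with an asset.
    if not any(n.get("cpeMatch") for c in cve.get("configurations", []) for n in c.get("nodes", [])):
        gaps.append("no-cpe")
    bucket = "manual-review" if score is None else ("enriched" if not gaps else "partial")
    return Triage(cve["id"], score, src, gaps, bucket)

def patch_queue(records: list) -> list:
    # Highest score first; unscored records sort last but stay in the queue, so the gap is visible
    return sorted((triage(r) for r in records), key=lambda t: (t.score is None, -(t.score or 0)))
```

Running `patch_queue(SAMPLE_RECORDS)` places the CNA-scored record in the "partial" bucket with both gaps listed, so a team can see exactly which of its CVEs are sorting on a score NIST never reviewed.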

Compliance is a related headache. Several regulatory frameworks and internal policies reference NVD CVSS ratings directly or implicitly. With enrichment now conditional, organizations must decide for themselves whether a given CVE meets their patch-within-X-days threshold. That work was being done, at no charge, by a small team in Gaithersburg. Now it isn't.

There's also the less visible issue of fragmentation. For more than two decades, the NVD served as common ground — a shared reference point that commercial tools, open-source projects, and government agencies could all point to. Selective enrichment doesn't eliminate that reference point, but it does weaken it, and it incentivizes the proliferation of competing enrichment sources with their own methodologies and coverage gaps.

In part 2, we will discuss how organizations can work with alternative enrichment sources and how security professionals can build their vulnerability remediation efforts to succeed under the new rules.
