Security teams have long treated the National Vulnerability Database (NVD) as the authoritative source for CVE scoring, affected product mapping, and severity classification. That model broke quietly over the past two years and officially ended on 15 April 2026, when NIST announced it would no longer enrich every CVE record in the NVD. The decision has immediate, practical consequences for every vulnerability management programme that relies on NVD data.
What Changed
NIST has moved to a risk-based enrichment model. Going forward, only CVEs assessed as presenting the highest risk will receive the standard NVD treatment: CVSS scoring, Common Platform Enumeration (CPE) product mapping, and reference enrichment. Lower-risk CVEs will be filed with minimal data and will remain in that state indefinitely.
Critically, all backlogged CVEs with an NVD publish date earlier than 1 March 2026 have been moved to a “Not Scheduled” category — meaning tens of thousands of existing CVE records that were awaiting enrichment will now never receive it. The data gap is not a temporary delay; it is a permanent policy decision.
The Numbers Behind the Decision
CVE submissions have grown 263% between 2020 and 2025. NIST enriched nearly 42,000 CVEs in 2025 — a 45% increase over any prior year — but the volume of new submissions still outpaced enrichment capacity by a significant margin. In the first three months of 2026, submissions ran approximately one-third higher than the same period in 2025.
NIST has effectively acknowledged that the traditional model of enriching every CVE record is no longer sustainable at current staffing levels. Rather than continuing to fall further behind, the agency has restructured the programme around triage.
Why This Matters for Security Teams
The practical impact falls hardest on organisations whose vulnerability management workflows depend on NVD data in these specific ways:
CVSS scoring: Many vulnerability scanners and patch management platforms automatically pull CVSS scores from NVD to prioritise scan findings. For CVEs that fall below NIST’s new risk threshold or are in the “Not Scheduled” backlog, those scores may be absent or outdated. Scanners that treat a missing CVSS score as “MEDIUM” by default will misclassify both high-risk and low-risk vulnerabilities.
CPE-based asset matching: CPE records in NVD are how many tools correlate a CVE to specific products in an asset inventory. Without enrichment, a CVE for a product your organisation runs may not match anything in your scanner’s asset database — creating blind spots in your vulnerability coverage reports.
Compliance reporting: Vulnerability management programmes tied to frameworks such as PCI DSS, ISO 27001, or DORA typically require that vulnerabilities be assessed against a scoring standard. When the authoritative score is absent, auditors may require organisations to justify their prioritisation methodology explicitly.
What to Use Instead
NIST’s announcement effectively accelerates a shift that practitioners had already begun making in response to the 2024 NVD enrichment slowdown. The alternatives are mature and increasingly preferred:
- CISA’s Known Exploited Vulnerabilities (KEV) catalogue remains fully maintained and represents the highest-fidelity signal for exploitation risk. Vulnerabilities in KEV should always be prioritised regardless of CVSS score.
- CISA Vulnrichment provides SSVC (Stakeholder-Specific Vulnerability Categorization) decision scores enriched directly onto CVE records — these are not dependent on NVD enrichment and continue unaffected.
- Vendor advisories (MSRC, Cisco PSIRT, Fortinet PSIRT, Red Hat Security, etc.) provide authoritative severity ratings for their own products and are unaffected by NVD enrichment status.
- Commercial enrichment feeds (VulnCheck, Nucleus, Tenable’s VulnDB) have historically outpaced NVD enrichment and are now the practical baseline for organisations requiring comprehensive CVSS and CPE data.
Recommended Actions
- Audit your vulnerability scanner’s data source. Confirm whether your scanner pulls CVSS scores and CPE data from NVD directly or from a commercial enrichment layer. If NVD is the primary source, evaluate whether un-enriched CVEs will create coverage gaps in your next scan cycle.
- Implement SSVC or KEV-first prioritisation. Treat CISA’s KEV additions as an automatic Severity 1 queue. For everything else, use SSVC decision trees or vendor severity ratings as the primary triage signal, with CVSS as secondary context.
- Review compliance reporting methodology. If your programme reports vulnerability counts or risk scores using CVSS as the baseline, document an alternative scoring rationale for CVEs that lack NVD enrichment. Discuss with your audit team before the next assessment window.
- Subscribe to vendor security advisories directly. For the priority products in your environment (Windows, Linux, network appliances, cloud platforms), direct RSS or API subscriptions to vendor advisories provide lower-latency and higher-fidelity data than any downstream aggregator.
- Update SLA definitions. If your internal SLAs define patch timelines by CVSS band (e.g. “Critical CVSS ≥ 9.0 patched within 7 days”), explicitly address how vulnerabilities without CVSS scores are handled to avoid either systematic under-response or over-response.
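The three recommendations above that touch tooling (audit the scanner's data source, KEV-first then SSVC prioritisation, SLA handling of unscored CVEs) come down to one triage rule: a missing NVD score is a distinct state, not MEDIUM. The routine below is an added example written for this article, not NIST, CISA or any vendor's code. Every CVE identifier, CPE string and the KEV set are constructed sample data; the SEV1-SEV4 queue names and the mapping of SSVC decisions (Act, Attend, Track*, Track) onto those queues are this example's own assumptions and would be replaced by your programme's SLA bands.

```python
"""KEV-first triage that never defaults a missing CVSS score to MEDIUM.

Added example for this article; not NIST, CISA or vendor code. All records,
CPE strings and the KEV set are constructed sample data. Queue names
(SEV1..SEV4) and the SSVC-to-queue mapping are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# CISA SSVC decision outcomes, ordered Act > Attend > Track* > Track, mapped
# onto the same internal queues used for KEV and vendor ratings (assumption).
SSVC_QUEUE = {"Act": "SEV1", "Attend": "SEV2", "Track*": "SEV3", "Track": "SEV4"}
# Vendor and CVSS qualitative ratings share one mapping.
SEVERITY_QUEUE = {"CRITICAL": "SEV1", "HIGH": "SEV2", "MEDIUM": "SEV3", "LOW": "SEV4"}


@dataclass
class CveRecord:
    cve_id: str
    cvss_base: Optional[float] = None          # None: no NVD score ("Not Scheduled" or below threshold)
    cpe_matches: list[str] = field(default_factory=list)  # empty: no CPE product mapping
    ssvc_decision: Optional[str] = None        # from CISA Vulnrichment, independent of NVD
    vendor_severity: Optional[str] = None      # from the product vendor's advisory


def cvss_band(score: Optional[float]) -> Optional[str]:
    """CVSS v3.x qualitative bands; returns None when there is no score to band."""
    if score is None:
        return None
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "NONE"


def triage(rec: CveRecord, kev_ids: set[str]) -> tuple[str, str]:
    """Return (queue, reason). KEV wins outright, then SSVC, then the vendor
    rating, with CVSS only as the last resort. A record carrying none of these
    lands in UNSCORED for manual review rather than being silently mid-ranked."""
    if rec.cve_id in kev_ids:
        return "SEV1", "CISA KEV listing"
    if rec.ssvc_decision in SSVC_QUEUE:
        return SSVC_QUEUE[rec.ssvc_decision], f"SSVC decision {rec.ssvc_decision}"
    if rec.vendor_severity and rec.vendor_severity.upper() in SEVERITY_QUEUE:
        return SEVERITY_QUEUE[rec.vendor_severity.upper()], "vendor advisory severity"
    band = cvss_band(rec.cvss_base)
    if band in SEVERITY_QUEUE:
        return SEVERITY_QUEUE[band], f"CVSS {rec.cvss_base} ({band})"
    return "UNSCORED", "no KEV, SSVC or vendor signal and no usable CVSS score"


def coverage_gaps(records: list[CveRecord]) -> list[str]:
    """CVEs with neither a CVSS score nor a CPE mapping: the records an
    NVD-only scanner can neither score nor match to the asset inventory."""
    return sorted(r.cve_id for r in records if r.cvss_base is None and not r.cpe_matches)


# Constructed sample data (not real CVEs, CPEs or KEV entries).
SAMPLE_KEV = {"CVE-2026-00001"}
SAMPLE_RECORDS = [
    CveRecord("CVE-2026-00001"),                                   # un-enriched but in KEV
    CveRecord("CVE-2026-00002", cvss_base=5.0, ssvc_decision="Attend",
              cpe_matches=["cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"]),  # SSVC outranks a MEDIUM CVSS
    CveRecord("CVE-2026-00003", vendor_severity="High"),           # vendor rating, no NVD data
    CveRecord("CVE-2026-00004", cvss_base=9.8,
              cpe_matches=["cpe:2.3:o:example:os:2.0:*:*:*:*:*:*:*"]),  # fully enriched
    CveRecord("CVE-2026-00005"),                                   # nothing at all
]


def triage_report(records: list[CveRecord] = SAMPLE_RECORDS,
                  kev_ids: set[str] = SAMPLE_KEV) -> dict[str, tuple[str, str]]:
    """Map each CVE id to its (queue, reason) pair."""
    return {r.cve_id: triage(r, kev_ids) for r in records}


if __name__ == "__main__":
    for cve, (queue, why) in triage_report().items():
        print(f"{cve}: {queue} ({why})")
    print("coverage gaps:", coverage_gaps(SAMPLE_RECORDS))
```

The UNSCORED queue is the point of the exercise: it is the set of CVEs the SLA document has to speak to explicitly, and the coverage-gap list is what to hand the audit team when explaining why those records carry no CVSS baseline.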
Broader Context
VulnCon 2026 — the joint CVE/FIRST vulnerability management conference that ran 13–16 April in Scottsdale, Arizona — concluded with NIST’s announcement dominating corridor conversations. More than 500 vulnerability management practitioners were present when the news landed, and the consensus was consistent: the CVE system has outgrown any single enrichment authority. The industry is moving toward a distributed enrichment model where NIST provides the identifier, CISA provides the exploitation signal, and commercial and community feeds fill the descriptive gaps. Security teams that built workflows assuming NVD completeness need to redesign those workflows now.