NIST abandons comprehensive CVE enrichment following 263% surge in submissions

  • Marijan Hassan - Tech Journalist
  • 5 hours ago
  • 2 min read

The National Institute of Standards and Technology (NIST) has announced a radical overhaul of the National Vulnerability Database (NVD), effectively ending the era of universal vulnerability "enrichment." Facing an unprecedented backlog and a 263% explosion in CVE submissions over the last five years, the agency will now only provide detailed analysis for a select group of high-priority threats.



The policy shift, effective April 15, 2026, transitions the NVD to a "risk-based" model. While all reported Common Vulnerabilities and Exposures (CVEs) will still be listed, the majority will no longer receive the human-verified severity scores, affected product lists, or remediation context that security teams have relied on for decades.


The "not scheduled" triage

In a move that industry experts are calling "admitting defeat," NIST has cleared its existing backlog by moving approximately 29,000 unenriched vulnerabilities published before March 1, 2026, into a new "Not Scheduled" category. These records will likely never receive official NIST analysis unless specifically requested via email.


Going forward, NIST will prioritize enrichment for only three categories:

  • CISA KEV list: Vulnerabilities appearing in the Cybersecurity and Infrastructure Security Agency's "Known Exploited Vulnerabilities" catalog.

  • Federal software: Vulnerabilities impacting software used within the U.S. federal government.

  • Critical infrastructure: Software defined as "critical" under Executive Order 14028, such as operating systems, web browsers, and identity management tools.


Why the system collapsed

The crisis is driven by a "perfect storm" of rising software complexity and the advent of AI-driven vulnerability discovery. NIST enriched a record 42,000 CVEs in 2025, but even this 45% productivity boost couldn't keep pace with Q1 2026 submissions, which are running 33% higher than last year.


Security researchers note that tools like Anthropic’s Mythos and OpenAI’s GPT-5.4-Cyber are finding bugs at "machine speed," overwhelming human-led cataloging efforts.


The shift follows a reported 12% funding cut to NIST this fiscal year, forcing the agency to prioritize "systemic risk" over comprehensive coverage.


Impact on cybersecurity defenders

The decision leaves thousands of organizations with a massive "blind spot." Most commercial vulnerability scanners rely on NVD data to trigger alerts; without NIST’s severity scores, many automated systems will default to a low-priority status for potentially dangerous bugs.


"The era of free, comprehensive vulnerability intelligence is ending," noted a recent industry report. Defenders are being urged to pivot toward private intelligence feeds and CISA’s "Vulnrichment" program to fill the gap left by the NVD’s retreat.
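The failure mode described above (a scanner that treats a CVE with no NVD severity score as low priority) is one a defender can guard against in their own triage pipeline. The example below is added here and is not code from the article or from NIST; the record layout mirrors the NVD API 2.0 `cve` object as I understand it (an assumption, with `Primary` metrics coming from NVD and `Secondary` metrics from the CNA or an ADP such as CISA's Vulnrichment), all CVE records and the stand-in KEV set are constructed, and the status value "Not Scheduled" is taken from the article. The logic prefers NVD's score, falls back to a CNA or ADP score, treats KEV membership as overriding any score, and routes unscored records to manual review instead of silently rating them low.

```python
"""Triage CVE records that may lack NVD (Primary) enrichment.

Record shape mirrors the NVD API 2.0 'cve' object as I understand it
(assumption, not taken from the article): entries in metrics.cvssMetricV31
carry a 'type' of 'Primary' (scored by NVD) or 'Secondary' (scored by the
CNA or an ADP such as CISA's Vulnrichment). All records below are constructed.
"""
from typing import Optional

# Constructed sample records; the CVE IDs are placeholders, not real vulnerabilities.
SAMPLE_CVES = [
    {   # fully enriched by NVD
        "id": "CVE-0000-00001", "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [
            {"source": "nvd@nist.gov", "type": "Primary",
             "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
    },
    {   # never enriched by NVD, but the CNA supplied its own score
        "id": "CVE-0000-00002", "vulnStatus": "Not Scheduled",
        "metrics": {"cvssMetricV31": [
            {"source": "cna@example.test", "type": "Secondary",
             "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
    },
    {   # no score from anyone, but listed in the (constructed) KEV set below
        "id": "CVE-0000-00003", "vulnStatus": "Awaiting Analysis",
        "metrics": {},
    },
    {   # no score from anyone and not in KEV: the real blind spot
        "id": "CVE-0000-00004", "vulnStatus": "Not Scheduled",
        "metrics": {},
    },
]

# Constructed stand-in for the CISA KEV catalog (normally fetched from CISA).
KEV_IDS = {"CVE-0000-00003"}


def best_cvss(cve: dict) -> tuple[Optional[float], str]:
    """Return (baseScore, source label): NVD's Primary score if present,
    otherwise the highest Secondary (CNA / ADP) score, otherwise (None, 'none')."""
    entries = cve.get("metrics", {}).get("cvssMetricV31", [])
    primary = [e for e in entries if e.get("type") == "Primary"]
    secondary = [e for e in entries if e.get("type") == "Secondary"]
    for pool, label in ((primary, "nvd"), (secondary, "secondary")):
        if pool:
            return max(e["cvssData"]["baseScore"] for e in pool), label
    return None, "none"


def triage(cve: dict, kev_ids: set[str]) -> dict:
    """Assign a priority that never silently degrades an unscored record.

    Known-exploited status beats any score; a record with no score at all is
    routed to REVIEW rather than defaulting to the lowest bucket."""
    cve_id = cve["id"]
    score, source = best_cvss(cve)
    if cve_id in kev_ids:
        priority = "P1"
    elif score is None:
        priority = "REVIEW"
    elif score >= 9.0:
        priority = "P1"
    elif score >= 7.0:
        priority = "P2"
    elif score >= 4.0:
        priority = "P3"
    else:
        priority = "P4"
    return {"id": cve_id, "status": cve.get("vulnStatus"), "score": score,
            "score_source": source, "in_kev": cve_id in kev_ids,
            "priority": priority}


def triage_all(cves: list[dict], kev_ids: set[str]) -> list[dict]:
    return [triage(c, kev_ids) for c in cves]


def unenriched_count(cves: list[dict]) -> int:
    """Number of records with no NVD Primary score: the size of the blind spot."""
    return sum(1 for c in cves if best_cvss(c)[1] != "nvd")


if __name__ == "__main__":
    for row in triage_all(SAMPLE_CVES, KEV_IDS):
        print(row)
    print("records without NVD enrichment:", unenriched_count(SAMPLE_CVES))
```

The important design choice is the `REVIEW` bucket: a missing score is an absence of information, not evidence of low risk, so it should surface to a human (or to a secondary feed lookup) rather than disappear into the default severity that a scanner would otherwise assign.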
