Threat Intelligence April 14, 2026 · 5 min read

NIST Is No Longer Enriching All CVEs: What This Means for Your Vulnerability Management Program

NIST announced major changes to how the National Vulnerability Database handles CVEs. Most vulnerabilities will no longer receive severity scores or product mappings. Here's how to adapt your program.

NIST just made a significant change to the National Vulnerability Database that will directly affect how your security team triages vulnerabilities. Starting April 15, 2026, NIST will only enrich CVEs that meet specific criteria. Everything else gets listed but receives no severity score, no product mapping, and no prioritization data from NIST.

If your vulnerability management program depends on NVD enrichment data to prioritize patching, you need to adapt now.

What Changed

CVE submissions grew 263% between 2020 and 2025, and Q1 2026 is running 33% higher than the same period last year. NIST enriched nearly 42,000 CVEs in 2025 (45% more than any prior year), but it still can’t keep pace. Rather than continue falling behind, they’re shifting to a risk-based prioritization model.

What NIST will now prioritize for enrichment:

  • CVEs in CISA’s Known Exploited Vulnerabilities (KEV) Catalog (goal: enriched within one business day)
  • CVEs for software used within the U.S. federal government
  • CVEs for critical software as defined by Executive Order 14028

What’s changing for everything else:

  • CVEs not meeting the above criteria are categorized as “Lowest Priority” and will not be enriched
  • NIST will no longer provide separate severity scores when the submitting CNA already provided one
  • Modified CVEs will only be reanalyzed if the modification materially impacts enrichment data
  • The entire pre-March 2026 backlog is being moved to “Not Scheduled”

Why This Matters More Than It Sounds

Many organizations have built their vulnerability management workflows around NVD data. Scanners pull CVSS scores from NVD. Patch prioritization tools rank by NVD severity. Compliance reports reference NVD enrichment status.

With this change, a large percentage of new CVEs will have no NIST-provided severity score, no CPE (product) mapping, and no enrichment timeline. If your tooling depends on NVD as the single source of truth for vulnerability context, you now have a gap.

What Your Team Should Do

1. Audit Your NVD Dependencies

Map out where your vulnerability management pipeline consumes NVD data:

  • Does your scanner rely on NVD CVSS scores for prioritization?
  • Do your SLAs reference NVD severity levels?
  • Does your compliance reporting depend on NVD enrichment status?
  • Are your asset inventories mapped to NVD CPE entries?

If the answer to any of these is yes, you have work to do.

2. Adopt Multiple Enrichment Sources

Don’t rely on a single source for vulnerability context. Layer these:

  • CISA KEV Catalog: The highest-signal source. If it’s on KEV, it’s being actively exploited. Patch immediately.
  • CNA-provided CVSS scores: NIST will now defer to these. Most major vendors (Microsoft, Google, Red Hat) already provide quality scores.
  • EPSS (Exploit Prediction Scoring System): Probability-based scoring that predicts which CVEs are likely to be exploited in the next 30 days.
  • Vendor advisories: Often contain context (affected versions, mitigations, workarounds) that NVD never captured.

3. Shift to Risk-Based Prioritization

If you’re still prioritizing purely by CVSS score, this is your forcing function to move to risk-based vulnerability management:

  • Does this CVE affect software in your environment? (An accurate asset inventory is a prerequisite)
  • Is it being actively exploited? (KEV, threat intel feeds, EPSS > 0.5)
  • Is the affected asset internet-facing or business-critical?
  • Is there a compensating control already in place?

A CVSS 9.8 vulnerability in software you don’t run is irrelevant. A CVSS 6.5 vulnerability being actively exploited against your internet-facing application is urgent.

4. Update Your SLAs and Policies

If your patching SLAs reference “NVD Critical” or “NVD High” severity, update them to account for CVEs that may never receive an NVD score:

  • Define what happens when a CVE has no NVD enrichment
  • Specify alternative severity sources (CNA score, EPSS, vendor advisory)
  • Add KEV status as an automatic escalation trigger regardless of CVSS score
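As an added example that is not part of the original post, here is one way to encode steps 2 through 4 as triage logic: severity falls back from the NVD score to the CNA score, KEV listing and a high EPSS escalate regardless of CVSS, a compensating control lowers the tier, and a CVE with no score at all goes to manual review instead of falling through the policy. The `Cve` fields, tier names, SLA days and the sample records are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional

EPSS_EXPLOITED = 0.5  # EPSS threshold the post uses for "likely to be exploited"

@dataclass
class Cve:
    cve_id: str
    in_kev: bool                 # listed in the CISA KEV Catalog
    epss: float                  # EPSS probability of exploitation, 0.0-1.0
    nvd_cvss: Optional[float]    # None when NIST did not enrich the record
    cna_cvss: Optional[float]    # score the CNA put in the CVE record, if any
    in_inventory: bool           # asset inventory says we run the affected product
    internet_facing: bool
    compensating_control: bool   # e.g. feature disabled or WAF rule in place

def severity(cve: Cve):  # pick a CVSS score and name its source: NVD, else CNA, else none
    if cve.nvd_cvss is not None:
        return cve.nvd_cvss, "nvd"
    if cve.cna_cvss is not None:
        return cve.cna_cvss, "cna"
    return None, "unscored"

def triage(cve: Cve):
    """Return (tier, sla_days, reason). P1 is most urgent; sla_days None means no SLA."""
    if not cve.in_inventory:
        return "P4", None, "not in asset inventory"        # CVSS 9.8 in software you don't run
    if cve.in_kev:
        return "P1", 1, "in CISA KEV"                      # escalates regardless of CVSS
    score, source = severity(cve)
    exploited = cve.epss >= EPSS_EXPLOITED
    if exploited and cve.internet_facing and not cve.compensating_control:
        return "P1", 3, f"epss {cve.epss:.2f} on internet-facing asset ({source})"
    if score is None:
        return "P2", 14, "no NVD or CNA score: manual review"   # never let it fall through
    if score >= 9.0 or (score >= 7.0 and cve.internet_facing) or exploited:
        tier, days = "P2", 14
    elif score >= 7.0:
        tier, days = "P3", 30
    else:
        tier, days = "P4", 90
    if cve.compensating_control and tier in ("P2", "P3"):      # downgrade one tier
        tier, days = ("P3", 30) if tier == "P2" else ("P4", 90)
    return tier, days, f"{source} cvss {score} ({'exploited' if exploited else 'no exploitation signal'})"

# Constructed sample records (placeholder ids, not real CVE data): the two cases from the post
SAMPLES = [
    Cve("CVE-EXAMPLE-0001", False, 0.10, 9.8, 9.8, False, True, False),   # critical, but not in inventory
    Cve("CVE-EXAMPLE-0002", False, 0.70, None, 6.5, True, True, False),   # CNA 6.5, EPSS 0.7, internet-facing
]
```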

5. Request Enrichment for What Matters to You

NIST is accepting enrichment requests via email (nvd@nist.gov). If a CVE affects your environment and lacks enrichment:

  • Submit a request with justification
  • Don’t wait for NIST to get to it organically
  • Track your requests and follow up

6. Invest in Your Asset Inventory

This change makes asset inventory accuracy more important than ever. You can’t determine if a CVE matters to you without knowing what software you run, what versions, and where.

If your CMDB is stale or incomplete, fixing that is now a higher priority than it was last week.

The Bigger Picture

This isn’t a temporary measure. NIST is explicitly stating that the current model is unsustainable and they’re building automated systems for long-term sustainability. The era of “NIST enriches everything and we consume it passively” is over.

Organizations that have already moved to risk-based vulnerability management with multiple intelligence sources won’t feel this much. Organizations still dependent on NVD as their primary prioritization engine need to adapt quickly.

The silver lining: NIST is being transparent about what they can and can’t do, and they’re prioritizing the highest-risk CVEs (KEV, federal software, critical software). That’s a rational approach given the constraints.

Your job is to ensure your program doesn’t have a single point of failure at the NVD.


Source: NIST Updates NVD Operations to Address Record CVE Growth, April 2026.

#nvd #cve #vulnerability-management #nist #cisa-kev