Policy April 19, 2026 · 4 min read · By Forum Desk

NIST Throws the Triage Flag: CVE Enrichment Goes Selective After a 263% Submission Surge

NIST will stop enriching every CVE submitted to the National Vulnerability Database. A new prioritisation policy — live as of April 15 — covers KEV entries, EO 14028 critical software, and anything with systemic-risk potential. Everything else goes to a 'Not Scheduled' queue.

  • #nist
  • #nvd
  • #cve
  • #policy

NIST confirmed this month that it will no longer enrich every CVE submitted to the National Vulnerability Database. A new prioritisation policy — effective April 15, 2026 — restricts full enrichment (CVSS, CWE, CPE mappings) to vulnerabilities the agency judges to carry systemic risk. Everything else will be listed and marked “Not Scheduled”, pending a manual request. The trigger, per NIST’s own framing and The Hacker News’ coverage, is a 263% increase in CVE submissions between 2020 and 2025 that the NVD analyst team can no longer keep pace with.

What the new queue looks like

Per the announcement, the enrichment priority queue now includes:

  • Any CVE added to CISA’s Known Exploited Vulnerabilities catalogue.
  • Vulnerabilities in EO 14028 critical software categories.
  • Anything flagged as having systemic-risk potential — the criterion NIST has kept deliberately loose.

Everything outside those buckets still gets a CVE ID and a record in the NVD, but without CVSS, CWE, or CPE metadata. For anyone whose tooling reads CVSS from the NVD feed (read: every SAST pipeline, every enterprise vulnerability scanner, most risk-based patching tools), the practical effect is a record that looks incomplete.

The scale problem

The numbers in NIST’s statement are blunt. NIST enriched roughly 42,000 CVEs in 2025 — 45% more than any previous year — and still fell behind: about 10,000 CVEs from 2025 have no CVSS score as of the announcement. Q1 2026 submissions were already one-third higher than Q1 2025. Schneier’s February post on AI-assisted OpenSSL vulnerability discovery was an early signal of where the volume is coming from: AI-assisted scanners are now finding real bugs at a rate human programmes cannot triage, and every one of those findings becomes a CVE request.

What practitioners should do

The policy change shifts work onto the consumer side of the vulnerability supply chain. Three adjustments worth making in Q2:

  • Treat CISA KEV as the primary signal, not CVSS. A “Not Scheduled” CVE with an in-the-wild exploit will still show up in KEV before NVD enriches it.
  • Audit your scanner’s fallback behaviour. Tools that require a CVSS score to rank findings will silently under-prioritise un-enriched CVEs. Ask your vendor today.
  • Plan for a longer tail. The backlog is not going to recover. Build internal enrichment — even light-touch, human-assigned severity — into your triage workflow for the CVEs that actually hit your stack.
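The three adjustments above, as an added example in Python that is not code from the article, NIST or any scanner vendor: a naive CVSS-only sort (the fallback behaviour to audit for) beside a KEV-first ranking that falls back to a human-assigned internal severity and keeps unassessed CVEs visible. The records, KEV list and severity table are constructed; the record shape loosely follows the NVD API 2.0 JSON layout, which is an assumption, and the "Not Scheduled" status string is taken from the article.

```python
"""KEV-first triage that keeps un-enriched ("Not Scheduled") CVEs visible."""
# Constructed sample records. The shape loosely follows the NVD API 2.0 JSON
# layout (an assumption); the "Not Scheduled" status string comes from the article.
NVD_RECORDS = [
    {"cve": {"id": "CVE-2026-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
    {"cve": {"id": "CVE-2026-0002", "vulnStatus": "Not Scheduled", "metrics": {}}},
    {"cve": {"id": "CVE-2026-0003", "vulnStatus": "Not Scheduled", "metrics": {}}},
    {"cve": {"id": "CVE-2026-0004", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 4.3}}]}}},
    {"cve": {"id": "CVE-2026-0005", "vulnStatus": "Not Scheduled", "metrics": {}}},
]
KEV_IDS = {"CVE-2026-0002"}                 # constructed stand-in for the CISA KEV catalogue
INTERNAL_SEVERITY = {"CVE-2026-0003": 7.0}  # constructed human-assigned severities

def base_score(record):
    """Return the first available CVSS base score, or None if the record is un-enriched."""
    metrics = record["cve"].get("metrics") or {}
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        entries = metrics.get(key)
        if entries:
            return entries[0]["cvssData"]["baseScore"]
    return None

def naive_rank(records):
    """The fallback behaviour to audit for: a missing score is treated as 0, so
    un-enriched CVEs (including a KEV entry) sink to the bottom of the list."""
    ordered = sorted(records, key=lambda r: base_score(r) or 0.0, reverse=True)
    return [r["cve"]["id"] for r in ordered]

def triage(records, kev_ids, internal_severity):
    """Rank with KEV as the primary signal and internal severity as the fallback.
    Tier 0: in KEV, regardless of enrichment. Tier 1: scored by NVD or internally.
    Tier 2: un-enriched and unassessed; surfaced at the end instead of dropped."""
    rows = []
    for record in records:
        cve_id = record["cve"]["id"]
        score, source = base_score(record), "nvd"
        if score is None:
            score = internal_severity.get(cve_id)
            source = "internal" if score is not None else "none"
        in_kev = cve_id in kev_ids
        tier = 0 if in_kev else (1 if score is not None else 2)
        rows.append({"id": cve_id, "tier": tier, "score": score, "source": source, "kev": in_kev})
    # Within a tier, higher score first; an unscored row sorts after any scored row.
    rows.sort(key=lambda r: (r["tier"], -(r["score"] if r["score"] is not None else -1.0)))
    return rows

def needs_review(rows):
    return [r["id"] for r in rows if r["tier"] == 2]  # queue for light-touch internal enrichment
```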

For the policy mechanics, The Hacker News has the cleanest write-up of the new thresholds, and the Schneier piece linked above is the clearest articulation of why volume is the real story.