NIST is moving to a risk-based enrichment model for the National Vulnerability Database, formally abandoning its longstanding goal of analyzing every submitted CVE. Starting immediately, the NVD will only enrich vulnerabilities that appear in CISA's Known Exploited Vulnerabilities (KEV) catalog, software used by the federal government, or software designated as critical under Executive Order 14028. Everything else gets labeled "Not Scheduled."
The announcement came during VulnCon, where NVD leadership presented the changes before the official press release dropped. Within minutes, the security community was reacting.
NIST attributed the policy change directly to volume. "This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025," the agency wrote in its announcement. "We don't expect this trend to let up anytime soon. Submissions during the first three months of 2026 are nearly one-third higher than the same period last year."
The agency was also explicit that its own output, while up sharply, still isn't keeping pace. "We are working faster than ever. We enriched nearly 42,000 CVEs in 2025 — 45% more than any prior year," NIST wrote. "But this increased productivity is not enough to keep up with growing submissions."
Vulnerability historian Brian Martin, who has tracked NVD's operational decline closely, commented on changes to the backlog, noting that the database quietly reshuffled its numbers ahead of the announcement.
"NVD just gave up on 29,000 more vulnerabilities," Martin wrote on LinkedIn, documenting how the agency moved vulnerabilities out of "Deferred" status and into "Not Scheduled" to reduce the visible backlog from over 33,000 to roughly 4,000. "Remember: 2024 VulnCon, Tanya Brewer said the backlog would be done by Sep 2024 too!"

Martin has been characteristically blunt about the resource problem. "The budget they have to do this work is disgusting and there is an incredible amount of inefficiency if they can't enrich with so little metadata," he wrote. "The VulnDB team enriched a lot more for every vulnerability for a fraction of the cost. Demand better."

[Screenshot: NVD Dashboard - 4/17/2026]
All pre-March 2026 backlogged CVEs will be moved to "Not Scheduled" in batches over the next two weeks, per NIST's announcement. The agency says users can email nvd@nist.gov to request enrichment of specific unscheduled CVEs, which will be reviewed "as resources allow."
Michelangelo Sidagni, CTO at NopSec, questioned the logic of tying enrichment so tightly to KEV. "In essence delegating the prioritization of vulnerabilities to CISA," he commented on LinkedIn. "What about all other vulnerabilities that are exploited in the wild but did not make it to the CISA KEV?"
It's a legitimate question. KEV is deliberately conservative. As of earlier this week, Martin clocked CISA's KEV at 1,559 vulnerabilities and VulnDB at over 7,000 with known exploitation, many of them longstanding cases that were always exploited but never previously cataloged. Either way, thousands of actively exploited vulnerabilities sit outside KEV, and under the new policy, outside enrichment too.
Enrichment is what makes a CVE entry usable. Without it, there's no CVSS severity score, and no Common Platform Enumeration (CPE) data linking the vulnerability to specific products. CPE is what allows security tools to programmatically match a CVE to software in an environment. Without it, the data can't be operationalized.
Immanuel Chavoya, founder of RiskHorizon AI, commented in the discussion on Martin's post that CPEs are a particular problem because "we're stuck with them" and NVD remains the authoritative source, not the vendors themselves.
NIST is also changing how it handles severity scoring going forward. The agency will no longer provide its own CVSS score when the CVE Numbering Authority (CNA) that submitted the CVE has already provided one. This shift to CNA-provided scores comes with its own complications.
Jerry Gamblin, principal engineer at Cisco, demonstrated at VulnCon this week that the NVD and GitHub already disagree on CVSS scores for nearly 1,500 CVEs. His Vuln Anarchy tool (since renamed Consensus Engine) was built through RogoLabs, an open-source lab dedicated to auditing global vulnerability infrastructure. It maps the deltas between the two sources, surfacing cases like CVE-2024-27306 in aiohttp, where GitHub's CNA score is 8.2 (High) and NVD's is 6.1 (Medium), a 2.1-point gap.
"That drift is the operational difference between an emergency sprint and a 'we'll get to it next month' ticket," Gamblin wrote.

The Consensus tool's Conflict Map makes the disagreement visible at a glance. Of 1,567 CVEs where both NVD and GitHub Advisory assigned a score, NVD came in higher 885 times and GitHub came in higher 682 times. The largest single gap was 6.9 points, on CVE-2025-48756. A cluster of cases shows drift of 4.0 points or more, which is the difference between a medium and a critical on the same vulnerability.

NIST's new policy says it will stop producing its own CVSS scores when a CNA has already assigned one. The implicit assumption is that CNA scores are good enough to stand alone. The Conflict Map shows they're often not aligned with what NVD independently concluded.
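To make the kind of drift the Conflict Map surfaces concrete, here is an added example written for this article, not the Consensus Engine's own code: it takes simplified CVE records (a constructed layout, not the NVD or GitHub API schema), uses the aiohttp figures quoted above plus constructed entries, and reports which source scored higher, the largest gap, and the CVEs whose severity band would change if only the CNA score remained.

```python
"""CVSS score drift between a CNA's score and NVD's own. Added example for this
article, not the Consensus Engine's code; record layout is a constructed
simplification, not the NVD or GitHub API schema."""
from dataclasses import dataclass
from typing import Optional

# CVSS v3.x qualitative bands: inclusive upper bound of each band.
BANDS = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical"))

@dataclass(frozen=True)
class Record:
    cve: str
    cna_score: Optional[float]  # CVSS base score supplied by the CNA
    nvd_score: Optional[float]  # CVSS base score NVD independently assigned

def severity(score: float) -> str:
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"CVSS score out of range: {score}")

def drift(rec: Record) -> Optional[dict]:
    """Gap between the two sources, or None when either score is missing."""
    if rec.cna_score is None or rec.nvd_score is None:
        return None
    delta = round(rec.cna_score - rec.nvd_score, 1)
    higher = "cna" if delta > 0 else "nvd" if delta < 0 else "equal"
    return {"cve": rec.cve, "delta": abs(delta), "higher": higher,
            "band_change": severity(rec.cna_score) != severity(rec.nvd_score)}

def conflict_map(records, threshold: float = 4.0) -> dict:
    """Count which source scores higher and flag CVEs whose severity band
    would change once only the CNA score is left, as the new policy implies."""
    out = {"cna_higher": 0, "nvd_higher": 0, "equal": 0, "max_gap": 0.0,
           "large_drift": [], "band_changes": []}
    for d in filter(None, map(drift, records)):
        out["equal" if d["higher"] == "equal" else d["higher"] + "_higher"] += 1
        out["max_gap"] = max(out["max_gap"], d["delta"])
        if d["delta"] >= threshold:
            out["large_drift"].append(d["cve"])
        if d["band_change"]:
            out["band_changes"].append(d["cve"])
    return out

# First record uses the figures quoted in the article; the others are constructed.
SAMPLE = [
    Record("CVE-2024-27306", cna_score=8.2, nvd_score=6.1),
    Record("CVE-0000-0001", cna_score=9.8, nvd_score=5.3),   # constructed
    Record("CVE-0000-0002", cna_score=5.0, nvd_score=5.0),   # constructed
    Record("CVE-0000-0003", cna_score=None, nvd_score=7.5),  # constructed, no CNA score
]
```

Running `conflict_map(SAMPLE)` flags both the aiohttp case and the constructed 4.5-point case as band changes, which is exactly the category a scanner consuming only CNA scores would silently misrank.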
Martin tied the NVD situation directly to the recent Anthropic Glasswing / Mythos announcement, where AI-driven vulnerability discovery is being positioned to operate at unprecedented scale.
The promise is that Mythos can find vulnerabilities faster and at greater volume than human researchers. The concern, as Martin lays out in detail, is that the vulnerability disclosure pipeline has no capacity to absorb that volume.
"Finding the vulnerability is the very first step in the entire process," he wrote in a recent post on his blog. Coordinated disclosure, CVE assignment, NVD enrichment, and patch availability all have to follow, and every one of those stages is already overloaded.
Martin argues that the actual bottleneck isn't discovery. It's everything downstream. "Primarily the CVE and NVD bottlenecks, and they are continuing to be the bigger problem. When you look at all of this in the bigger picture, from discovery to disclosure to operationalizing the data, that is the vulnerability disclosure pipeline."
The NVD is formalizing its retreat from comprehensive enrichment precisely as a major new source of vulnerability discovery is being spun up. Whether Mythos-discovered CVEs get enriched will depend on how NIST interprets its new criteria, particularly what counts as "software used within the federal government." The announcement didn't define it.
Tom Alrich, who leads the OWASP SBOM Forum and Vulnerability Database Working Group projects, pointed to a January announcement from NIST signaling a shift of enrichment responsibility toward CNAs and commented on the contradiction: "After years of throwing out CVSS scores and CPE names created by CNAs, they now are 'shifting responsibility' to them!"
Ruben Bos, co-founder of Volerion, which uses AI to enrich CVEs automatically, said the announcement confirms what practitioners have been watching build for some time. "Public enrichment data was already delayed or missing," he said. "But this update just confirms that it's only getting worse. Absurd how manual analysis is still the main source of enrichment these days."
The database that security products have been built on for decades is formally narrowing its scope. Teams that haven't already built tooling around alternate sources are behind, and this announcement makes that gap official.
"The days of relying on a single, centralized source for all enriched data are over," Gamblin said. "We have to get better at decentralized data and independent analysis."
NIST framed the changes as a step toward long-term sustainability, citing plans to develop automated systems and workflow improvements. No timeline was provided, and that's the pattern we've seen following previously missed deadlines. Automation has been on NIST's public roadmap since at least 2024. At VulnCon 2025, the agency described pilot automation tools for Linux kernel enrichment and "research into machine learning and AI-backed methods." Timelines and specifics have consistently been missing.
Over the past two years, the backlog has been relabeled repeatedly. CVEs have been moved between "Awaiting Analysis," "Undergoing Analysis," "Deferred," and now "Not Scheduled," each shift reducing the visible backlog without reducing the actual work.
Meanwhile, the volume pressure on the pipeline is only going to grow. CVE assignment and NVD enrichment are already operating past their limits, and vendor patch response varies widely. Martin contends that the current pipeline is not prepared for the additional strain from an influx of AI-driven disclosures.
"If it even contributes to disclosures by a factor of 25%, it's already going to be just as harmful to organizations as helpful," he said.
"If it introduces a factor of 200% then you might as well begin Googling on how to start a goat sanctuary or learn basket weaving. Because you sure as hell won't want to live the InfoSec life any longer."