
NIST NVD Abandons Full CVE Enrichment, Shifts to Priority Triage

Ikesan

On April 15, 2026, NIST announced a major shift in how it operates the National Vulnerability Database (NVD).
Until now, every submitted CVE received metadata enrichment. Going forward, enrichment will be limited to three categories: CISA KEV catalog entries, federal government software, and critical software under EO 14028.

The direct reason is straightforward — a 21-person NVD staff can no longer keep up with the exponentially growing volume of CVE submissions.

What NVD Enrichment Is

A CVE (Common Vulnerabilities and Exposures) is just an identifier for a vulnerability. The number alone doesn’t tell you much.
NVD enrichment is the process of attaching the following metadata to each CVE.

| Metadata | Description |
|---|---|
| CVSS Score | Severity rating from 0.0 to 10.0 (primary indicator for patch prioritization) |
| CWE | Vulnerability type classification (buffer overflow, SQL injection, etc.) |
| CPE | Identifier for affected products and versions (used for automated scanner matching) |
| Description | Summary of the vulnerability |

Most enterprise patch management tools and scanners depend on NVD’s CVSS scores and CPE matching.
A CVE without enrichment is an empty box — just a number with no way to automatically assess risk or determine the scope of impact.

New Priority Criteria

NIST’s new enrichment criteria are limited to three categories.

```mermaid
flowchart TD
    A[CVE submitted] --> B{Priority assessment}
    B -->|Listed in CISA KEV| C[Enrichment within 1 day]
    B -->|Federal government software| D[Enrichment performed]
    B -->|EO 14028 critical software| E[Enrichment performed]
    B -->|None of the above| F[Listed in NVD only<br/>No enrichment]
    G[Unprocessed CVEs<br/>before March 1, 2026] --> H[Moved to Not Scheduled]
```

  • CVEs listed in the CISA KEV catalog. These have confirmed exploitation in real attacks and will be enriched within one day
  • CVEs for software products used by the federal government
  • CVEs for software classified as “critical” under Executive Order 14028

The CISA KEV (Known Exploited Vulnerabilities) catalog is a list of vulnerabilities confirmed to have been exploited in actual attacks.
It serves as the basis for mandating patch application by federal agencies.
Executive Order 14028, issued by the Biden administration in 2021, established supply chain security standards for software used by the federal government.

CVEs that don’t fall into the three categories above will still be listed in NVD, but NIST won’t enrich them.
Scores and descriptions provided by the submitter will remain as-is.

Additionally, CVEs submitted before March 1, 2026, that were still unprocessed have been bulk-moved to the “Not Scheduled” category.
NIST itself acknowledges it “may not catch every potentially high-impact CVE.”

How It Got to This Point

21 Staff vs. Exponential Submission Growth

NVD has 21 staff members. This number hasn’t increased in years.

| Period | Situation |
|---|---|
| 2024 | Staff cuts and budget reductions led to a crisis in which 90% of submitted CVEs went unenriched |
| 2025 | NIST promised to clear the backlog and enriched 42,000 CVEs (a record, up 45% year-over-year) |
| 2026 Q1 | Submissions up roughly 33% compared to Q1 2025; even the record processing pace can’t keep up |

Even after achieving record throughput in 2025, submissions kept growing faster.

The Flood from AI-Driven Vulnerability Discovery

AI-powered code review tools have democratized vulnerability discovery, and the result is a flood of CVE submissions including minor bugs.
Issues that a human researcher wouldn’t bother reporting are now being mechanically detected and submitted by tools, causing a surge of CVEs flowing into NVD.
There’s also growing concern about autonomous systems capable of discovering and exploiting vulnerabilities without human intervention.

Bugcrowd’s Trey Ford puts it this way:

What has actually determined remediation priority is not database metadata but real-world exploitability. That requires human researchers continuously testing from an attacker’s perspective against production environments.

The Broader CVE Ecosystem in Turmoil

NVD’s policy shift isn’t an isolated event.
Since 2025, the entire infrastructure supporting the CVE program has been shaking.

April 2025: MITRE CVE Contract Expiration Crisis

On April 15, 2025, MITRE Vice President Yosry Barsoum published a letter warning that the CVE program’s operating contract would expire the following day.
The CVE program had been operated by MITRE with US government funding for 25 years and underpins cybersecurity worldwide.

Behind this was the mass termination of federal contracts by DOGE (Department of Government Efficiency).
Between late January and March 2025, 11 federal contracts with MITRE (totaling $28.5 million) were terminated and 442 layoffs were announced.
The CVE contract itself was a separate contract with CISA (under DHS), but CISA was also facing budget and staffing cuts, making renewal uncertain.

Ultimately, CISA exercised a contract option period for an 11-month extension.
The post-extension expiration date is March 16, 2026, with no public information about subsequent renewal.

CVE Foundation Established

The day after the expiration crisis, on April 16, 2025, the CVE Foundation announced its establishment.
Led by longtime CVE Board members, it’s a nonprofit organization aiming to break the dependency on the US government as a single funding source.
Private companies and four non-US governments expressed support, with a target of full operations by December 2025.

However, former CISA Director Jen Easterly criticized the move as a conflict of interest, noting that “CVE Board members built a separate organization in secret while still serving on the current program’s steering committee.”

EU GCVE

In response to the April 2025 crisis, the EU developed its own “Global CVE Allocation System (GCVE)” and made it publicly available in January 2026.
It’s a decentralized vulnerability identifier allocation model with participation from Germany’s BSI, France’s ANSSI, and others, aimed at reducing the US-centric concentration.

Timeline

| Date | Event |
|---|---|
| 2024 | NVD crisis: 90% of submitted CVEs unenriched |
| Jan–Mar 2025 | DOGE terminates 11 federal contracts with MITRE |
| April 15, 2025 | MITRE warns of CVE contract expiration |
| April 15, 2025 (evening) | CISA decides on 11-month extension |
| April 16, 2025 | CVE Foundation announces establishment |
| 2025 | NVD enriches 42,000 CVEs (all-time record) |
| January 2026 | EU GCVE goes public |
| March 16, 2026 | CISA-MITRE extension contract expiration date |
| April 15, 2026 | NIST announces NVD priority triage system |

Practical Impact

Organizations using NVD CVSS scores for patch management will develop blind spots as more CVEs go unenriched.

  • CVEs outside the CISA KEV, federal software, and EO 14028 critical software categories will only have submitter self-reported scores
  • Unprocessed CVEs from before March 1, 2026, have already been moved to “Not Scheduled”
  • You can email NIST to request enrichment for specific CVEs, but there’s no guarantee of a response

The risk of depending solely on NVD has materialized, and organizations now need to combine multiple vulnerability intelligence sources.
CISA KEV catalog, vendor-specific advisories, OSV (Open Source Vulnerabilities), GitHub Security Advisories — the right source depends on the use case.

Below is a comparison of major vulnerability intelligence sources and their characteristics.

| Source | Coverage | Characteristics |
|---|---|---|
| NIST NVD (traditional) | All CVEs | CVSS scores and CPE assignment. Now limited to 3 categories |
| CISA KEV | Confirmed exploited only | Mandatory patching for federal agencies. Most reliable “act now” list |
| OSV | OSS vulnerabilities | Strong ecosystem-specific mapping (npm, PyPI, etc.) |
| GitHub Security Advisories | OSS on GitHub | Automated detection via Dependabot |
| Vendor advisories | Own products only | Fastest primary source. May lack standard identifiers like CPE |
| EU GCVE | Early allocation stage | Decentralized ID allocation. Enrichment depends on each GNA (GCVE Numbering Authority) |
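As an added example (not code from NIST, CISA or this article), here is a small Python triage helper for the situation described in this section: it reads NVD-API-style records alongside the KEV list, falls back to the submitter's score when NIST has not enriched a CVE, and flags the resulting blind spots. The record shapes are modelled on the public NVD 2.0 and KEV JSON formats as the author understands them (a metric whose `type` is "Primary" is NIST-assigned, "Secondary" is CNA-supplied); the sample records, CVE ids and status strings are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed KEV feed (only cveID is needed); ids are placeholders, not real CVEs.
KEV = {"vulnerabilities": [{"cveID": "CVE-2026-00001"}]}

# Constructed NVD-API-style records covering the three cases the article describes:
# NIST-enriched, submitter-scored only, and moved to "Not Scheduled" with no score.
NVD = [
    {"id": "CVE-2026-00001", "vulnStatus": "Analyzed",
     "metrics": {"cvssMetricV31": [
         {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"baseScore": 9.8}}]}},
    {"id": "CVE-2026-00002", "vulnStatus": "Awaiting Analysis",
     "metrics": {"cvssMetricV31": [
         {"type": "Secondary", "source": "cna@example", "cvssData": {"baseScore": 7.5}}]}},
    {"id": "CVE-2026-00003", "vulnStatus": "Not Scheduled", "metrics": {}},
]

@dataclass
class Triage:
    cve: str
    score: float | None
    score_origin: str   # "nist", "submitter" or "none"
    in_kev: bool
    action: str

def triage(record: dict, kev_ids: set[str]) -> Triage:
    """Decide how much to trust the CVSS score on one NVD record and what to do next."""
    cve = record["id"]
    metrics = record.get("metrics", {}).get("cvssMetricV31", [])
    primary = [m for m in metrics if m.get("type") == "Primary"]      # NIST-assigned
    secondary = [m for m in metrics if m.get("type") == "Secondary"]  # submitter (CNA)
    if primary:
        score, origin = primary[0]["cvssData"]["baseScore"], "nist"
    elif secondary:
        score, origin = secondary[0]["cvssData"]["baseScore"], "submitter"
    else:
        score, origin = None, "none"
    in_kev = cve in kev_ids
    if in_kev:                      # KEV outranks any score: confirmed exploitation
        action = "patch now (KEV)"
    elif origin == "none":          # the blind spot the article warns about
        action = "blind spot: check vendor advisory / OSV"
    elif origin == "submitter":     # self-reported score, not verified by NIST
        action = "unverified score: corroborate with vendor advisory"
    else:
        action = "prioritize by NIST CVSS"
    return Triage(cve, score, origin, in_kev, action)

def run(records: list[dict] = NVD, kev: dict = KEV) -> list[Triage]:
    kev_ids = {v["cveID"] for v in kev["vulnerabilities"]}
    return [triage(r, kev_ids) for r in records]
```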

The CISA-MITRE extension contract expired on March 16, 2026, with no public word yet on renewal.