The US standards agency NIST, which runs the National Vulnerability Database (NVD), has just cut back the scope of what it considers "enrichment" of vulnerabilities. The measure responds to an avalanche of reports: the number of CVEs (Common Vulnerabilities and Exposures) being catalogued has grown explosively in recent years, and NIST admits that it can no longer process each one with the same level of detail.
The central change is simple but significant: NIST will continue to list all CVEs but will only add enrichment information to those that meet specific priority criteria. Vulnerabilities outside this framework will appear as "Not Scheduled" in the database, that is, they will be registered but will not receive the additional context, metrics and analysis that many security teams have so far taken for granted.

The conditions NIST has established to prioritize enrichment, effective since 15 April 2026, focus on potential impact and actual exposure. Prioritized are the CVEs included in CISA's Known Exploited Vulnerabilities (KEV) catalogue, vulnerabilities in software used by the US federal government, and those considered "critical software" as defined under Executive Order 14028. The latter category includes programs that run with elevated or managed privileges, manage access to sensitive networks or resources, control data or industrial operations, or operate outside normal trust boundaries with privileged access.
It is important to note that CVEs whose enrichment is not scheduled do not disappear: they remain available in the database. Anyone who believes an unscheduled vulnerability is high impact can request its reassessment by emailing nvd@nist.gov; NIST will review the request and, if appropriate, schedule enrichment.
The operational motive behind all this is no small matter. NIST reports that submission volume has surged: between 2020 and 2025 the number of CVEs received grew by around 263%, and in 2025 the agency enriched approximately 42,000 entries, well above previous years. The first months of 2026 show an even faster pace of new submissions. This pressure has forced the agency to decide where to apply its human and technical resources to maximize protection of the ecosystem as a whole.
In addition to the priority filter, NIST has introduced operational adjustments that change how information is presented and updated. The organisation will no longer routinely generate a separate severity score if the CVE Numbering Authority (CNA) has already published its own rating. Modified CVEs will only be reanalysed if the change has a material impact on enrichment data, and all unenriched entries published before 1 March 2026 (except those in the KEV catalogue) have been moved to the "Not Scheduled" state. NIST has also updated its status labels and dashboard to reflect these transitions in real time.
The news has drawn mixed reactions from the industry. Researchers at security companies describe the move towards risk-based prioritization as predictable, a practical step in the face of the impossibility of maintaining comprehensive manual enrichment. VulnCheck notes that while NIST's transparency helps set expectations, the move leaves organizations that depend exclusively on the NVD with less clear routes to obtaining enriched analysis for many vulnerabilities. According to data shared by the industry, thousands of 2025 vulnerabilities still lack an assigned CVSS score.
For other experts, the measure marks the end of an era in which a single government-managed repository was enough to assess risk exposure. Security leaders have pointed out that the new reality requires organizations to adopt more proactive, threat-oriented approaches: prioritize what is actually being exploited in the wild, follow lists such as the KEV, and rely on exploitability metrics. Companies such as Contre Security have commented that this change disrupts inherited audit workflows but, at the same time, promotes an operational maturity in which an actionable subset of curated data is preferred over a complete but unprioritized archive.

What does this mean for security teams and administrators? In practice, the transition calls for strengthening internal capabilities: know the asset inventory well, automate ingestion of feeds of actively exploited vulnerabilities (such as KEV), integrate threat intelligence into prioritization processes, and ensure that tooling takes advantage of real-time exploitability scores and metrics. It is also advisable to maintain direct channels with software vendors and CVE Numbering Authorities to receive early warnings and patches.
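As an added example (not NIST's, CISA's or the article's own code), the following Python script sketches the triage the paragraph above recommends: it ingests a constructed excerpt of the CISA KEV feed, ranks constructed vulnerability records KEV first, critical software second and everything else by the best available CVSS score (the CNA's when NVD did not generate its own), and flags "Not Scheduled" entries with no score at all as candidates for a reassessment request. The record shape, the `critical_software` flag and all CVE identifiers are placeholders assumed for the illustration; only the KEV field names follow the public feed.

```python
"""Risk-based triage of CVE records under NVD's prioritized enrichment.

Added example; not NIST/CISA code. Record shapes are constructed and
simplified, and the CVE IDs are placeholders.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of a CISA KEV catalogue. Field names follow the public
# KEV JSON feed (cveID, dateAdded, dueDate, knownRansomwareCampaignUse).
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-XXXX-0001", "dateAdded": "2026-04-20",
         "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-XXXX-0002", "dateAdded": "2026-04-22",
         "dueDate": "2026-05-06", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed, simplified records as a scanner or NVD mirror might hand over.
# "vulnStatus" mirrors the NVD status label; "cna_score" is the CNA-published
# CVSS base score and "nvd_score" the NVD-generated one (None when NVD did not
# produce its own). "critical_software" is the organisation's own flag for
# assets meeting the EO 14028 definition (assumed field, not an NVD field).
NVD_SAMPLE = [
    {"id": "CVE-XXXX-0001", "vulnStatus": "Analyzed", "cna_score": 9.8, "nvd_score": 9.8, "critical_software": True},
    {"id": "CVE-XXXX-0002", "vulnStatus": "Not Scheduled", "cna_score": 7.5, "nvd_score": None, "critical_software": False},
    {"id": "CVE-XXXX-0003", "vulnStatus": "Not Scheduled", "cna_score": None, "nvd_score": None, "critical_software": True},
    {"id": "CVE-XXXX-0004", "vulnStatus": "Not Scheduled", "cna_score": 5.3, "nvd_score": None, "critical_software": False},
    {"id": "CVE-XXXX-0005", "vulnStatus": "Analyzed", "cna_score": 8.8, "nvd_score": 9.1, "critical_software": False},
    {"id": "CVE-XXXX-0006", "vulnStatus": "Not Scheduled", "cna_score": None, "nvd_score": None, "critical_software": False},
]


@dataclass
class Triage:
    cve_id: str
    tier: int                   # 0 = in KEV, 1 = critical software, 2 = everything else
    score: Optional[float]      # best available CVSS base score, or None
    due_date: Optional[str]     # KEV remediation due date, if any
    request_reassessment: bool  # unenriched and unscored: worth asking NVD to reassess


def kev_index(kev_feed: dict) -> dict:
    """Map cveID -> KEV entry for constant-time membership checks."""
    return {v["cveID"]: v for v in kev_feed["vulnerabilities"]}


def best_score(rec: dict) -> Optional[float]:
    """Prefer the NVD score when present, otherwise fall back to the CNA's.
    NVD no longer generates its own score when the CNA published one, so the
    CNA score is the expected source for most new entries."""
    if rec.get("nvd_score") is not None:
        return rec["nvd_score"]
    return rec.get("cna_score")


def triage(records: list, kev_feed: dict) -> list:
    """Rank records: KEV first (earliest due date first), then critical
    software, then the rest by descending score. Entries that are both
    "Not Scheduled" and unscored are flagged for a human decision."""
    kev = kev_index(kev_feed)
    out = []
    for rec in records:
        in_kev = rec["id"] in kev
        score = best_score(rec)
        tier = 0 if in_kev else (1 if rec.get("critical_software") else 2)
        out.append(Triage(
            cve_id=rec["id"],
            tier=tier,
            score=score,
            due_date=kev[rec["id"]]["dueDate"] if in_kev else None,
            request_reassessment=(rec["vulnStatus"] == "Not Scheduled" and score is None),
        ))
    # Sort key: tier, then KEV due date, then descending score (unscored last).
    out.sort(key=lambda t: (t.tier,
                            t.due_date or "9999-99-99",
                            -t.score if t.score is not None else 1.0))
    return out


def reassessment_candidates(triaged: list) -> list:
    """Unscored, unenriched entries on critical software: the ones the
    article says can be raised with nvd@nist.gov for reassessment."""
    return [t.cve_id for t in triaged if t.request_reassessment and t.tier == 1]


if __name__ == "__main__":
    ranked = triage(NVD_SAMPLE, KEV_SAMPLE)
    for t in ranked:
        print(f"tier={t.tier} {t.cve_id} score={t.score} due={t.due_date} "
              f"reassess={t.request_reassessment}")
    print("ask NVD to reassess:", reassessment_candidates(ranked))
```

The ordering deliberately puts an unscored critical-software entry ahead of a fully scored 9.1 that runs nowhere sensitive: under the new regime the absence of an NVD score is no longer a signal that a vulnerability is unimportant, only that nobody has enriched it yet.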
Ultimately, the NIST decision highlights a clear lesson from the current environment: the number of vulnerabilities grows at a rate that makes uniform manual treatment impossible. The focus shifts from completeness to operational effectiveness, directing resources at what threatens the ecosystem as a whole. To defend themselves, organizations will have to accelerate their move towards automation, orchestration and collaboration with external intelligence sources, because what defenders do not prioritize will, no doubt, be prioritized by an attacker.
To follow official updates and check the status of new vulnerabilities, the starting points are the NVD itself at https://nvd.nist.gov/ and CISA's KEV catalogue. The framework guidance on critical software and the intent behind the prioritization are set out in the text published by the White House for Executive Order 14028, which continues to guide many of these public policy decisions.