The National Institute of Standards and Technology (NIST) has announced a significant change to its National Vulnerability Database (NVD) enrichment policy, prioritizing only certain types of Common Vulnerabilities and Exposures (CVEs). As of April 15, 2026, NIST will no longer enrich all CVEs, leaving a backlog of nearly 300,000 unenriched vulnerabilities. This shift is expected to have far-reaching implications for organizations that rely on the NVD for vulnerability metrics.
What Happened
NIST's decision was driven by the skyrocketing number of published CVEs, which broke the annual record again in 2025 with over 40,000 entries. The increasing volume has put a strain on NIST's resources, leading to a significant backlog of unenriched vulnerabilities. To address this issue, NIST will now prioritize only CVEs that meet specific criteria, including those appearing in CISA's Known Exploited Vulnerabilities (KEV) Catalog, software used within the federal government, and critical software as defined by Executive Order 14028.
The change is expected to affect organizations that depend entirely or primarily on the NVD for vulnerability metrics. This includes companies that use the Common Platform Enumeration (CPE) enrichment included in the NVD records, which provides standardized information on version ranges to flag impacted products. With the shift in policy, these organizations will no longer have access to authoritative CVSS scores and other critical metadata.
Background and Context
The NVD has long been a crucial resource for vulnerability management, providing a centralized database of known vulnerabilities and their associated metrics. However, as the number of published CVEs continues to grow, NIST has struggled to keep up with enrichment efforts. The decision to prioritize only certain types of CVEs is an attempt to address this issue, but it also highlights the limitations of relying on a single source for vulnerability data.
Recorded Future notes that the distinction between CVSS scores and attacker behavior signals has always existed. While CVSS was designed to characterize the technical properties of a vulnerability, it was not intended as a primary tool for patch prioritization. Instead, Recorded Future emphasizes the importance of capturing attacker behavior in real-time, which can provide more accurate and relevant intelligence for vulnerability management.
Why It Matters to the Industry
The shift in NIST's enrichment policy has significant implications for organizations that rely on the NVD for vulnerability metrics. As AI accelerates the pace of vulnerability discovery and disclosure, the need for high-fidelity intelligence is becoming increasingly critical. Without access to authoritative CVSS scores and other critical metadata, organizations may struggle to prioritize remediation efforts effectively.
Tenable customers are unaffected by this change, as they do not depend on the NVD for scoring metrics or developing checks for vulnerabilities. However, other organizations that rely on the NVD will need to adapt to the new policy and explore alternative sources of vulnerability data.
What Comes Next
As organizations navigate this shift in enrichment policy, they will need to reassess their vulnerability management workflows and consider alternative sources of intelligence. This may involve developing internal databases or aggregating data from multiple sources to ensure comprehensive coverage.
Recorded Future emphasizes the importance of contextual intelligence in vulnerability management, which can provide more accurate and relevant insights into attacker behavior. By focusing on real-time signals rather than relying solely on CVSS scores, organizations can better prioritize remediation efforts and stay ahead of emerging threats.
Key Facts
- NIST will no longer enrich all CVEs in the National Vulnerability Database (NVD) as of April 15, 2026.
- The decision is driven by the skyrocketing number of published CVEs, which broke the annual record again in 2025 with over 40,000 entries.
- NIST will prioritize only CVEs that meet specific criteria, including those appearing in CISA's Known Exploited Vulnerabilities (KEV) Catalog and software used within the federal government.
- Organizations that rely on the NVD for vulnerability metrics may struggle to adapt to this change and may need to explore alternative sources of intelligence.
- Tenable customers are unaffected by this change, as they do not depend on the NVD for scoring metrics or developing checks for vulnerabilities.