NIST chooses focus, but forgets who is truly at risk


NIST’s new NVD approach is a logical step in managing the flood of CVEs. But by prioritising government software, the private sector risks being left without the information it needs.

Key figures:
263%: CVE submission growth, 2020–2025
42,000: CVEs enriched in 2025, still not enough
1%: of all CVEs actually exploited in the wild

It should have happened a long time ago. After years of a swelling tide of vulnerability disclosures — a surge of 263 percent in CVE submissions between 2020 and 2025 — the National Institute of Standards and Technology has finally made a decisive move. From April 15, 2026, NIST will only enrich CVEs that meet specific prioritisation criteria: vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalogue, software used within the US federal government, and systems designated as critical under Executive Order 14028. All other submissions will still appear in the National Vulnerability Database (NVD), but will be labelled “Not Scheduled.” That is bureaucratic language for: don’t hold your breath.

As a security professional, I understand the rationale. Our industry has long suffered from what I call “signal-noise overload”: an avalanche of data to analyse, the vast majority of which has no direct relevance to the systems we actually protect. Research from VulnCheck showed that of the more than 40,000 newly published vulnerabilities catalogued last year, only 1 percent — just 422 CVEs — were actively exploited in the wild. Focusing on what genuinely matters is therefore entirely defensible.

“Vulnerabilities are being published, but not prioritised. That does not make life easier for defenders.”

And yet, something is wrong. Quite fundamentally so.

The paradox of transparency without context

NIST has chosen to keep publishing all CVEs, but will no longer routinely enrich them with CVSS scores, affected software configurations, or additional context. The result is an awkward middle ground: vulnerabilities are disclosed, but without the guidance security teams need to know what to do with them. That is transparency in its most hollow form.

Imagine a doctor telling a patient that something is wrong, but refusing to say how serious it is, which organ is affected, or what the treatment plan looks like. “Feel free to email us if you’d like to know more.” That is exactly how this feels for the thousands of organisations that relied on the NVD as their primary, authoritative source for patch prioritisation.

Small and medium-sized enterprises, without a dedicated security operations centre or expensive threat intelligence subscriptions, are hit hardest. They depended on the NVD as a free anchor. That anchor has now come loose.

Government first — what about everyone else?

The second problem strikes at a fundamental difference between the digital reality of government agencies and that of businesses and private individuals. NIST’s priorities make sense from a national security perspective: you protect critical state infrastructure first. But the software environments of a healthcare provider, a manufacturing company, or a small business bear little resemblance to the IT landscape of the US federal government.

Microsoft 365, Google Workspace, widely used CRM platforms, industrial control systems in manufacturing: many of these do not fall under the definition of “critical software” in Executive Order 14028. A vulnerability in a widely deployed cloud application used by SMEs could sit untouched in the “Not Scheduled” category for months, while attackers are already actively exploiting it.

Michelangelo Sidagni, CTO at NopSec, put it aptly: NIST is effectively delegating prioritisation to CISA, but CISA’s KEV catalogue is deliberately conservative. Comparative analysis shows that KEV currently lists 1,559 vulnerabilities, while VulnDB tracks over 7,000 with known exploitation. Thousands of dangerous flaws therefore fall outside both KEV and the new NVD enrichment process. For an attacker, that distinction is irrelevant.

The end of a single source of truth

The broader context deepens the concern. The CVE Programme run by MITRE — the very foundation on which the NVD is built — narrowly escaped collapse last year when its federal funding contract was about to expire. CISA stepped in at the last moment, but the fragility of this infrastructure has been laid bare. Meanwhile, the EU is developing its own European Vulnerability Database (EUVD), though it is still in its early stages. And the explosive growth in AI-driven vulnerability discovery — FIRST forecasts a record 50,000 new CVEs in 2026 — promises to make things considerably worse.

The era of a single reliable, public source of truth for vulnerability information is definitively over. Organisations that had not yet grasped this are now confronted with that reality head-on.

What needs to happen?

The criticism of NIST is justified, but realistically the agency had little choice. With submissions breaking new records every quarter and analytical capacity fundamentally unable to keep pace, a change of course was unavoidable. The direction — prioritising based on genuine risk — is in principle the right one.

But the implementation needs refinement. First: the prioritisation criteria are too narrowly focused on the government context. A broader definition of “high impact” — one that also accounts for prevalence across commercial software — would better reflect the reality of the private sector. Second: the “email us if you want enrichment” model is unscalable and creates inequality. Larger organisations know how and where to make their case; smaller ones do not.

Third, and perhaps most urgently: the industry must stop relying on a single public database as its primary line of defence. Diversifying sources — commercial threat intelligence, sector-specific ISACs, open-source alternatives — is not a luxury but a necessity. Security professionals who already knew this will navigate this transition. The rest have just received a wake-up call.
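What the third point looks like in practice is a triage step that never treats a missing NVD score as "low risk". The following Python is an added example written for this article, not code from NIST, the NVD or any of the named vendors. It assumes a simplified record shape (an `id`, a `vulnStatus` field carrying the "Not Scheduled" label, an optional CVSS base score and an optional product list); all records, the KEV-style set, the vendor advisory feed and the asset inventory are constructed sample data. An unenriched record with no secondary source ends up in a review queue rather than being silently deferred, and a record the NVD has not scored can still be prioritised when a vendor advisory and the organisation's own inventory say it matters.

```python
"""Multi-source CVE triage: NVD enrichment is one input, not the verdict.

Added example for illustration; record layout and the "Not Scheduled"
status string are assumptions, and all data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Constructed NVD-style records (placeholder CVE ids, not real vulnerabilities).
SAMPLE_NVD = [
    {"id": "CVE-0000-0001", "vulnStatus": "Analyzed", "cvss": 9.8,
     "cpe": ["vendor-a:gov-suite"]},
    {"id": "CVE-0000-0002", "vulnStatus": "Not Scheduled", "cvss": None, "cpe": []},
    {"id": "CVE-0000-0003", "vulnStatus": "Not Scheduled", "cvss": None, "cpe": []},
    {"id": "CVE-0000-0004", "vulnStatus": "Analyzed", "cvss": 5.3,
     "cpe": ["vendor-c:tool"]},
]
# Constructed secondary sources: a KEV-style exploited set, a vendor advisory
# feed with its own severity and product list, and our own asset inventory.
SAMPLE_KEV: Set[str] = {"CVE-0000-0002"}
SAMPLE_VENDOR = {"CVE-0000-0003": {"severity": "high", "products": ["vendor-b:crm"]}}
SAMPLE_ASSETS: Set[str] = {"vendor-b:crm", "vendor-c:tool"}


@dataclass(frozen=True)
class Triage:
    cve: str
    tier: str                 # "act_now" | "patch_soon" | "review" | "defer"
    severity: str             # CVSS qualitative band, vendor rating, or "unknown"
    severity_source: str      # "nvd" | "vendor" | "none"
    affects_us: Optional[bool]  # None when no source lists affected products


def cvss_to_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def triage_one(rec: dict, kev: Set[str], vendor: dict, assets: Set[str]) -> Triage:
    cve = rec["id"]
    # 1. Severity: NVD enrichment if present, else the vendor advisory, else unknown.
    if rec.get("cvss") is not None:
        severity, source = cvss_to_severity(rec["cvss"]), "nvd"
    elif cve in vendor:
        severity, source = vendor[cve]["severity"], "vendor"
    else:
        severity, source = "unknown", "none"
    # 2. Exposure: NVD product list first, vendor product list as fallback.
    products = set(rec.get("cpe") or []) or set(vendor.get(cve, {}).get("products", []))
    affects_us = bool(products & assets) if products else None
    # 3. Tier. Known-exploited items jump the queue; an unenriched record with no
    #    exposure data is never deferred on the strength of a missing score.
    if affects_us is False:
        tier = "defer"
    elif cve in kev:
        tier = "act_now"
    elif severity in ("critical", "high") and affects_us:
        tier = "patch_soon"
    else:
        tier = "review"
    return Triage(cve, tier, severity, source, affects_us)


def triage_all(records: Iterable[dict], kev: Set[str], vendor: dict,
               assets: Set[str]) -> Dict[str, Triage]:
    return {r["id"]: triage_one(r, kev, vendor, assets) for r in records}


def enrichment_backlog(results: Dict[str, Triage]) -> Set[str]:
    """CVEs that landed in review with no severity from any source."""
    return {c for c, t in results.items() if t.tier == "review" and t.severity == "unknown"}


if __name__ == "__main__":
    out = triage_all(SAMPLE_NVD, SAMPLE_KEV, SAMPLE_VENDOR, SAMPLE_ASSETS)
    for t in out.values():
        print(f"{t.cve}: {t.tier:10} severity={t.severity} ({t.severity_source})")
    print("needs manual enrichment:", sorted(enrichment_backlog(out)))
```

The ordering of the checks is the design point: exposure data decides deferral, KEV membership decides urgency, and only then does a severity rating matter. A record that the NVD has left "Not Scheduled" therefore reaches `patch_soon` when a vendor advisory and the asset inventory agree it is relevant, and falls into an explicit enrichment backlog when nobody has rated it at all.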

The flood of irrelevant data was always the problem. NIST has now officially acknowledged that. The question is whether the solution they have chosen protects the right people — or only those with the right government contracts.

SOURCES

  1. NIST — NVD Updates NVD Operations to Address Record CVE Growth (April 15, 2026)
  2. Help Net Security — NIST admits defeat on NVD backlog, will enrich only highest-risk CVEs going forward (April 16, 2026)
  3. CyberScoop — NIST narrows scope of CVE analysis to keep up with rising tide of vulnerabilities (April 17, 2026)
  4. Socket.dev — NIST Officially Stops Enriching Most CVEs as Vulnerability Volume Surges (April 2026)
  5. Infosecurity Magazine — NIST Drops NVD Enrichment for Pre-March 2026 Vulnerabilities (April 2026)
  6. SecureWorld — The NVD Course Correction: Navigating NIST’s Strategic Pivot for 2026 (April 2026)
  7. Dark Reading — NIST Revamps CVE Framework to Focus on High-Impact Vulnerabilities (April 2026)
  8. The Hacker News — NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions (April 2026)
