NIST Cuts CVE Enrichment After 263% Surge

- NIST will only enrich CVEs meeting three criteria (CISA KEV catalog entries, federal government software, and critical software under Executive Order 14028) effective April 15, 2026, driven by a 263% surge in submissions between 2020 and 2025 and Q1 2026 volumes nearly one-third higher year-over-year.
- NIST also moved all unenriched CVEs in its backlog with an NVD publish date before March 1, 2026 into the "Not Scheduled" category, stopped providing duplicate severity scores when the CVE Numbering Authority has already supplied one, and now lets users email nvd@nist.gov to request enrichment for high-impact unscheduled CVEs.
- NIST enriched nearly 42,000 CVEs in 2025 (45% more than any prior year), yet VulnCheck data shows roughly 10,000 vulnerabilities from 2025 still lack a CVSS score; NIST enriched approximately 14,000 'CVE-2025' vulnerabilities, or about 32% of the 2025 CVE population.
- Caitlin Condon of VulnCheck said the move reflects NIST's shift to a "risk-based" prioritization model but warned that a significant portion of vulnerabilities now have "no clear path to enrichment" for organizations relying solely on NIST as their authoritative data source.
- David Lindner of Contrast Security called it the end of an era of relying on a single government-managed database, urging defenders to prioritize CISA's KEV list and exploitability metrics over raw CVE volume and pivot to threat-intelligence-driven risk management.
Why it matters: Organizations relying on NIST as their primary or sole source of enriched vulnerability data will now see the majority of new CVEs go unanalyzed by the government — VulnCheck estimates NIST enriched just 32% of 2025's CVE population — pushing security teams toward commercial feeds and exploitability-based triage to avoid blind spots.



