NIST Overhauls Vulnerability Database: Most CVEs Will No Longer Receive Full Enrichment


NIST Announces Shift in Vulnerability Enrichment

Effective immediately, the National Institute of Standards and Technology (NIST) has implemented a prioritized enrichment model for the National Vulnerability Database (NVD). The change, announced on April 15, means that while most Common Vulnerabilities and Exposures (CVEs) will still be published, fewer will receive the critical CVSS scores, CPE mappings, and CWE classifications that container scanners and compliance programs have historically relied upon.

Source: www.docker.com

“This is a fundamental shift in how the industry must approach vulnerability management,” said Dr. Elena Torres, a cybersecurity researcher at the Center for Digital Trust. “The days of expecting NVD to enrich every single CVE are over.”

What Changed

Three categories of CVEs will continue to receive full enrichment: those in CISA’s Known Exploited Vulnerabilities (KEV) catalog (targeted within one business day), CVEs affecting software used within the federal government, and CVEs affecting “critical software” as defined by Executive Order 14028. All other CVEs move to a new “Not Scheduled” status.

Organizations can request enrichment by emailing nvd@nist.gov, but no service-level timeline applies. NIST has also stopped duplicating CVSS scores when the submitting CNA provides one, and all unenriched CVEs published before March 1, 2026 have been moved into “Not Scheduled.”

Background

The change formalizes a drift visible to anyone pulling NVD feeds for the past two years. NIST cited a 263% increase in CVE submissions between 2020 and 2025, with Q1 2026 running roughly a third higher than the same period a year earlier. The rise tracks with a broader expansion in CVE numbering: more CNAs, more open source projects running their own disclosure processes, and more tooling surfacing issues that would not have reached CVE a few years ago.

“We knew the volume was unsustainable, but this announcement confirms that NIST is no longer aiming for full coverage,” said Mark Chen, a security architect at a major cloud provider. “Organizations need to adapt their workflows now.”


What This Means for Container Security

Container security programs that built scanning, prioritization, and SLA workflows around the assumption that NVD sits as the authoritative secondary layer on top of CVE now need to put that assumption through a structured review. Many vulnerability scanners rely on NVD enrichment data to issue scores and prioritize fixes. Without that data, teams will need to source CVSS scores from alternative feeds or rely on CNAs directly.

“This will increase the burden on security teams to validate and enrich vulnerabilities themselves,” said Dr. Torres. “Automation is going to be critical.”

How to Respond

Organizations should immediately assess which of their critical software categories align with the three prioritized categories—CISA KEV, federal government use, and EO 14028 critical software. If a CVE falls outside those, security teams must plan for manual enrichment or third-party feeds. NIST’s email request system offers no timeline, so it should not be relied upon for urgent vulnerabilities.
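The following added example, which is not part of the original article or any NIST tooling, applies that triage to constructed records: it prefers an NVD score, falls back to a CNA-supplied score, and flags CVEs with neither for manual enrichment, while KEV membership overrides scoring. Assumptions: field names follow the NVD API 2.0 JSON layout, the "Not Scheduled" status string is taken from the article, and the CVE IDs, CNA address and action labels are made up for illustration.

```python
"""Pick a CVSS source per CVE when NVD enrichment may be missing."""

NVD_SOURCE = "nvd@nist.gov"  # source identifier NVD uses for its own scores
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")

# Constructed sample records; IDs and the CNA address are placeholders.
NVD_RECORDS = [
    {"id": "CVE-0000-0001", "vulnStatus": "Analyzed", "metrics": {"cvssMetricV31": [
        {"source": NVD_SOURCE, "cvssData": {"baseScore": 9.8}}]}},
    {"id": "CVE-0000-0002", "vulnStatus": "Not Scheduled", "metrics": {"cvssMetricV31": [
        {"source": "cna@example.org", "cvssData": {"baseScore": 7.5}}]}},
    {"id": "CVE-0000-0003", "vulnStatus": "Not Scheduled", "metrics": {}},
    {"id": "CVE-0000-0004", "vulnStatus": "Not Scheduled", "metrics": {}},
]
KEV_IDS = {"CVE-0000-0004"}  # constructed stand-in for the CISA KEV catalog


def pick_score(record):
    """Return (base_score, source), preferring NVD's score over a CNA's."""
    metrics = record.get("metrics") or {}
    entries = [m for key in METRIC_KEYS for m in metrics.get(key, [])]
    if not entries:
        return None, None
    # Stable sort: NVD-sourced entries first, newest CVSS version first within each group.
    entries.sort(key=lambda m: m.get("source") != NVD_SOURCE)
    best = entries[0]
    return best["cvssData"]["baseScore"], best.get("source")


def triage(records, kev_ids):
    """Map CVE id -> decision; action labels are hypothetical."""
    decisions = {}
    for rec in records:
        score, source = pick_score(rec)
        if rec["id"] in kev_ids:
            action = "patch-now"          # known exploited: act even without a score
        elif score is None:
            action = "manual-enrichment"  # no NVD or CNA score available
        elif source == NVD_SOURCE:
            action = "use-nvd-score"
        else:
            action = "use-cna-score"
        decisions[rec["id"]] = {"status": rec.get("vulnStatus"), "score": score,
                                "source": source, "action": action}
    return decisions


if __name__ == "__main__":
    for cve_id, decision in triage(NVD_RECORDS, KEV_IDS).items():
        print(cve_id, decision)
```

Recording the score source alongside the score lets a later audit show which findings were prioritized on CNA data rather than NVD analysis.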

“Starting today, every security program should map its vulnerability workflow to the new NVD reality,” advised Mark Chen. “The old model is gone.”

For more context on the NVD changes, see the Background section above.
