NIST Overhauls Vulnerability Database: Most CVEs Will No Longer Get Full Enrichment
WASHINGTON—The National Institute of Standards and Technology (NIST) announced on April 15 that it will permanently scale back enrichment of the National Vulnerability Database (NVD), shifting to a prioritized model that leaves the vast majority of identified vulnerabilities without key scoring and classification data.
Under the new framework, only vulnerabilities in CISA's Known Exploited Vulnerabilities catalog, those impacting federal government software, or those tied to Executive Order 14028's “critical software” list will receive full CVSS scores, CPE mappings, and CWE classifications. All other CVEs will be assigned a “Not Scheduled” status, with no guarantee of enrichment.
“This is not a temporary measure—NIST has made clear it will not return to the days of full-coverage enrichment,” said Dr. Anna Chen, a cybersecurity researcher at the SANS Institute. “Organizations that built their entire vulnerability management pipeline around NVD as the authoritative source of scoring need to rethink that dependency.”
The change formalizes a trend visible for at least two years. NIST cited a 263% increase in CVE submissions from 2020 to 2025, with Q1 2026 submissions running roughly a third higher than the same quarter last year. The explosion in submissions—driven by more CNAs, more open-source disclosure processes, and more automated tooling—made full enrichment unsustainable.
Background
Since its inception, the NVD has served as the default secondary layer of enrichment for CVEs, adding severity scores, product mappings, and weakness classifications that container scanners, compliance programs, and SLAs depend on. But the growing volume overwhelmed NIST’s capacity.

On April 15, NIST formally ended the expectation of universal coverage. All unenriched CVEs published before March 1, 2026 have been moved to “Not Scheduled.” NIST also stopped duplicating CVSS scores when the submitting CNA provides its own—meaning scores will now come directly from the source, with no NIST cross-check.
Organizations can request enrichment by emailing nvd@nist.gov, but no service-level timeline applies. The change is immediate and permanent, according to NIST’s announcement.

What This Means
For container security programs, the shift undermines a foundational assumption: that every vulnerability in a container image would eventually carry a NVD-backed severity score and software identification. Without that enrichment, automated scanners lose context for prioritization, and compliance teams lack a standardized basis for SLAs.
“We can no longer assume every CVE will have a CVSS score or CPE mapping from NVD,” said Mark Torres, CISO of SecureOps, a container security firm. “Programs that rely on NVD as the single source of truth for vulnerability scoring will need to integrate alternative data feeds, such as CISA KEV, vendor advisories, or community-curated sources.”
The move pushes responsibility back to software vendors and open-source maintainers to provide accurate scores and metadata with their CVE submissions—something many have not done consistently. Container security teams should also evaluate whether their tools support enrichment from sources beyond NVD.
The volume surge shows no sign of abating: the number of CVEs published in 2023 already dwarfed prior years, and 2024 is on track to exceed it. NIST’s decision is a practical response to that data deluge.
In the short term, expect more unenriched CVEs in scanner reports, longer delays for scoring on non-critical vulnerabilities, and increased reliance on manual triage. The long-term trajectory points toward a federated enrichment ecosystem, with multiple authoritative sources rather than a single NVD repository.
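One way a vulnerability-management pipeline can stop treating NVD as the single source of truth is to triage each CVE record on what it actually carries: a NIST-authored score, a CNA-supplied score with no NIST cross-check, or no score at all, with CISA KEV membership overriding all three. The following is an added example, not code from NIST, CISA or any vendor named in this article. The record shape is a simplified version of the NVD 2.0 JSON layout (`vulnStatus`, `metrics.cvssMetricV31[].source`, `configurations[].nodes[].cpeMatch`), the KEV set and every CVE ID are constructed placeholders, and the P1–P4 tiers are an assumed local policy.

```python
"""Triage CVE records that may lack NVD enrichment (added example).

Assumptions: a simplified NVD-2.0-like record shape, a constructed KEV set,
placeholder CVE IDs, and a local four-tier priority policy.
"""
from __future__ import annotations

from typing import Optional

NVD_SOURCE = "nvd@nist.gov"  # source string NVD uses for its own CVSS entries

# Constructed stand-in for the CISA KEV catalog: a set of CVE IDs (placeholders).
KEV_CATALOG = {"CVE-2026-00001"}

# Constructed sample records (placeholder IDs, not real vulnerabilities).
SAMPLE_CVES = [
    {   # fully enriched by NVD and also in KEV
        "id": "CVE-2026-00001",
        "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [
            {"source": NVD_SOURCE, "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
        ]},
        "configurations": [{"nodes": [{"cpeMatch": [
            {"criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}],
    },
    {   # Not Scheduled: only the CNA's own score, no CPE mapping
        "id": "CVE-2026-00002",
        "vulnStatus": "Not Scheduled",
        "metrics": {"cvssMetricV31": [
            {"source": "security@example-cna.invalid", "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}},
        ]},
        "configurations": [],
    },
    {   # Not Scheduled: no score, no CPE; needs manual triage
        "id": "CVE-2026-00003",
        "vulnStatus": "Not Scheduled",
        "metrics": {},
        "configurations": [],
    },
]


def best_score(cve: dict) -> tuple[Optional[float], Optional[str]]:
    """Return (baseScore, provenance). Prefer an NVD-authored CVSS v3.1
    score; fall back to the submitting CNA's score; else (None, None)."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    nvd = [m for m in metrics if m.get("source") == NVD_SOURCE]
    cna = [m for m in metrics if m.get("source") != NVD_SOURCE]
    if nvd:
        return nvd[0]["cvssData"]["baseScore"], "nvd"
    if cna:
        return cna[0]["cvssData"]["baseScore"], "cna"
    return None, None


def has_cpe(cve: dict) -> bool:
    """True if the record carries at least one CPE match (product mapping)."""
    return any(
        node.get("cpeMatch")
        for cfg in cve.get("configurations", [])
        for node in cfg.get("nodes", [])
    )


def triage(cve: dict, kev: set[str]) -> dict:
    """Assign a priority tier (assumed local policy):
    P1 in KEV, P2 NVD-verified score, P3 CNA-only score, P4 no score."""
    score, provenance = best_score(cve)
    in_kev = cve["id"] in kev
    if in_kev:
        tier = "P1"   # exploited in the wild: act regardless of score
    elif provenance == "nvd":
        tier = "P2"   # NIST-enriched score
    elif provenance == "cna":
        tier = "P3"   # vendor score only, no NIST cross-check
    else:
        tier = "P4"   # nothing to rank on: manual triage / request enrichment
    return {
        "id": cve["id"],
        "status": cve.get("vulnStatus"),
        "score": score,
        "score_source": provenance,
        "cpe_mapped": has_cpe(cve),
        "in_kev": in_kev,
        "tier": tier,
    }


def triage_all(cves: list[dict], kev: set[str]) -> list[dict]:
    """Triage every record and order by tier (stable sort keeps input order within a tier)."""
    return sorted((triage(c, kev) for c in cves), key=lambda r: r["tier"])


def unenriched_ids(cves: list[dict]) -> list[str]:
    """IDs that a scanner can no longer assume NVD will enrich."""
    return [c["id"] for c in cves if c.get("vulnStatus") == "Not Scheduled" or not has_cpe(c)]


if __name__ == "__main__":
    for row in triage_all(SAMPLE_CVES, KEV_CATALOG):
        print(row)
    print("unenriched:", unenriched_ids(SAMPLE_CVES))
```

The point of separating `score_source` from `score` is that a 7.5 from a CNA and a 7.5 from NVD now carry different assurance, since NIST no longer duplicates or cross-checks CNA-provided scores; a scanner that collapses both into one CVSS column hides that distinction from the SLA that consumes it. The `unenriched_ids` list is what a team would feed into manual triage or an enrichment request to nvd@nist.gov.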