
NIST Overhauls CVE Prioritization, Shifts Focus to High-Risk Vulnerabilities


NIST enriched nearly 42,000 CVEs in 2025 — 45% more than any prior year, the agency reports — yet even that pace could not keep up with a surging flow of submissions, prompting a sharp change in how the National Vulnerability Database will handle new entries.

NIST’s operational shift and the numbers behind it

On Apr. 15, NIST announced it will continue to list all CVEs in the National Vulnerability Database (NVD) but will immediately enrich only those that meet new prioritization criteria. The agency said CVE submissions “increased 263% between 2020 and 2025” and that CVE submissions in the first three months of 2026 were roughly one-third higher than the same period in 2025. NIST framed the change as a necessary risk-based response: “We are working faster than ever,” the statement reads, and the new approach is intended to let the program “focus on the most critical CVEs” while the agency develops “the automated systems and workflow enhancements required for long-term sustainability.”

The new prioritization rules: which CVEs get immediate enrichment

Under the policy effective Apr. 15, NIST will prioritize enrichment for three categories of CVEs:

  • CVEs listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog;
  • CVEs for software used by or within the federal government;
  • CVEs for critical software as defined by Executive Order 14028.

All other CVEs submitted to the NVD will still be added to the database but will be classified as “Lowest Priority - not scheduled for immediate enrichment.”

Security researchers and industry voices — praise, concern, and a strategic pivot

Reaction from the security community mixed practical praise with pointed warnings. Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, described the shift as “a welcome transition from a Universal Vulnerability Library to a more refined Risk-Based Vulnerability Triage model.” At the same time, Dani warned of concrete operational impacts: tools that rely on the NVD’s Common Platform Enumeration (CPE) strings could fail to generate alerts if a critical CVE is not yet enriched, and individual organizations will bear the burden of determining severity and relevance.

Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, framed the move as acknowledgement of an old truth: “you cannot centralize vulnerability triage at this volume and expect it to hold.” Ford argued that real-world exploitability — not database metadata — drives remediation priority and that effective triage depends on human researchers “with adversarial instincts working continuously against live environments.” He said the “next generation of vulnerability programs will be built around that kind of active, distributed signal, not quarterly enrichment cycles.”

Vincenzo Iozzo, CEO and Co-Founder at SlashID, noted an influx of AI-generated vulnerability reports and said, “According to reports, last year alone, the number of reported vulnerabilities more than doubled.” Iozzo called the new NIST policy “sensible” given that trend and suggested that large language models may soon enable organizations to prioritize and contextualize vulnerabilities for their own environments.

Impacts on tools, vendors, and CNAs

Dani spelled out immediate operational risks: hardcoded tooling that expects CPE metadata from the NVD may miss alerts when that metadata is absent because an entry was not prioritized for enrichment. He also flagged a second gap: when CNAs (CVE Numbering Authorities) add metadata, that can offset the NVD’s narrowed enrichment, but there is a risk “where a vendor [is] downplaying a vulnerability in their product for PR purposes.” Dani added a broader cultural consequence — the loss of what he called a “neutral third-umpire,” a role NIST played when it enriched many CVEs.

What this means for technologists, federal buyers, and CNAs

  • Technologists and security teams: Expect to shoulder more contextual triage work internally. Tools that depend on immediate NVD enrichment should be audited for false negatives where CPE data is missing: an NVD entry with no configurations means “not yet assessed,” not “not applicable,” so such entries should be surfaced for review, with CNA-supplied CVSS and affected-product data used as a fallback rather than dropped.
  • Federal procurement and government IT owners: CVEs tied to software used by or within the federal government remain prioritized for enrichment, but agencies should be prepared to validate and prioritize non-enriched CVEs locally.
  • CNAs and vendors: The policy increases the importance of timely, detailed metadata from CVE Numbering Authorities; vendors will play a larger role in supplying the context NIST will not immediately provide.
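The false-negative risk Dani describes, and the audit the first bullet above recommends, can be checked mechanically. The following is an added example, not NIST or Qualys tooling: it assumes the public NVD API 2.0 JSON shape (a `cve` object with `vulnStatus`, `metrics.cvssMetricV31[]` entries typed `Primary` for NIST and `Secondary` for a CNA, and `configurations[]` holding NIST-assigned CPE match criteria) and, for the fallback, the `affected[]` array of a CVE JSON 5.x record as published by the CNA. All CVE identifiers, product names, the inventory and the KEV stand-in are constructed placeholders, and versions are assumed to be dotted-numeric. A naive matcher that trusts only NVD CPE data returns nothing for an unenriched entry; the triage wrapper instead classifies the entry and falls back to CNA data or flags it for manual review.

```python
# Added example: audit NVD API 2.0 records for enrichment gaps so that
# unenriched CVEs are surfaced instead of silently producing no alert.
from __future__ import annotations

# Constructed sample records (placeholder ids, not real CVEs) shaped like the
# NVD API 2.0 "cve" object, with fields not needed here omitted.
NVD_RECORDS = [
    {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",  # enriched by NIST
     "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                                    "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
     "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
         {"vulnerable": True,
          "criteria": "cpe:2.3:a:examplevendor:widget:*:*:*:*:*:*:*:*",
          "versionEndExcluding": "2.4.1"}]}]}]},
    {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",  # CNA metrics only
     "metrics": {"cvssMetricV31": [{"source": "security@examplevendor.invalid", "type": "Secondary",
                                    "cvssData": {"baseScore": 8.1, "baseSeverity": "HIGH"}}]}},
    {"id": "CVE-0000-0003", "vulnStatus": "Received", "metrics": {}},  # bare entry
]

# Constructed CNA "affected" data in the shape of CVE JSON 5.x
# containers.cna.affected[], assumed to be fetched separately from cve.org.
CNA_AFFECTED = {
    "CVE-0000-0002": [{"vendor": "ExampleVendor", "product": "Widget",
                       "versions": [{"version": "2.0", "status": "affected",
                                     "lessThan": "2.5.0", "versionType": "semver"}]}],
}

# Constructed inventory of installed software as (vendor, product, version).
INVENTORY = [("examplevendor", "widget", "2.3.0"), ("othervendor", "gadget", "1.0.0")]

# Constructed stand-in for the set of CVE ids in CISA's KEV catalogue.
KEV_IDS = {"CVE-0000-0003"}


def version_tuple(version: str) -> tuple[int, ...]:
    """Dotted-numeric versions only (an assumption of this example)."""
    return tuple(int(p) for p in version.split("."))


def parse_cpe23(cpe: str) -> tuple[str, str, str]:
    """Return (vendor, product, version) from a CPE 2.3 formatted string
    (13 colon-separated components; escaped colons are not handled here)."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return parts[3], parts[4], parts[5]


def nvd_cpe_hits(record: dict, inventory: list) -> list[str]:
    """Naive matcher that trusts only NIST-assigned CPE configurations.
    An unenriched record has no configurations, so this returns [] even when
    the product is installed: the false negative the article warns about."""
    hits = []
    for conf in record.get("configurations", []):
        for node in conf.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if not m.get("vulnerable"):
                    continue
                vendor, product, exact = parse_cpe23(m["criteria"])
                for inv_vendor, inv_product, inv_version in inventory:
                    if (inv_vendor, inv_product) != (vendor, product):
                        continue
                    v = version_tuple(inv_version)
                    if exact not in ("*", "-") and version_tuple(exact) != v:
                        continue
                    start, end = m.get("versionStartIncluding"), m.get("versionEndExcluding")
                    if start and v < version_tuple(start):
                        continue
                    if end and not v < version_tuple(end):
                        continue
                    hits.append(f"{inv_vendor}:{inv_product}:{inv_version}")
    return hits


def enrichment_state(record: dict) -> str:
    """Classify a record by who, if anyone, has supplied severity/CPE data."""
    types = {m.get("type") for m in record.get("metrics", {}).get("cvssMetricV31", [])}
    if record.get("configurations") and "Primary" in types:
        return "nvd-enriched"
    if "Secondary" in types:
        return "cna-only"
    return "unenriched"


def cna_affected_hits(affected: list, inventory: list) -> list[str]:
    """Fallback matcher over CNA-supplied vendor/product/version ranges."""
    hits = []
    for entry in affected:
        key = (entry["vendor"].lower(), entry["product"].lower())
        for inv_vendor, inv_product, inv_version in inventory:
            if (inv_vendor, inv_product) != key:
                continue
            v = version_tuple(inv_version)
            for rng in entry.get("versions", []):
                if rng.get("status") != "affected":
                    continue
                hi = rng.get("lessThan")
                if v >= version_tuple(rng["version"]) and (hi is None or v < version_tuple(hi)):
                    hits.append(f"{inv_vendor}:{inv_product}:{inv_version}")
    return hits


def triage(record: dict, cna_affected: list, inventory: list, kev_ids: set) -> tuple:
    """Return (state, hits, action); an entry is never dropped without an action."""
    state = enrichment_state(record)
    if record["id"] in kev_ids:  # KEV membership outranks enrichment state
        hits = nvd_cpe_hits(record, inventory) or cna_affected_hits(cna_affected, inventory)
        return state, hits, "urgent-kev"
    if state == "nvd-enriched":
        hits = nvd_cpe_hits(record, inventory)
        return state, hits, "auto-match" if hits else "no-match"
    hits = cna_affected_hits(cna_affected, inventory)
    return (state, hits, "review-cna-data") if hits else (state, [], "manual-triage")


def audit(records: list, cna_by_id: dict, inventory: list, kev_ids: set) -> dict:
    return {r["id"]: triage(r, cna_by_id.get(r["id"], []), inventory, kev_ids) for r in records}


if __name__ == "__main__":
    for cve_id, (state, hits, action) in audit(NVD_RECORDS, CNA_AFFECTED, INVENTORY, KEV_IDS).items():
        print(f"{cve_id}: {state:13} hits={hits or '-'} action={action}")
```

Run as-is, the naive matcher reports the installed `widget` 2.3.0 only for the enriched record; for the CNA-only record it returns nothing, while the triage wrapper recovers the same hit from the CNA's affected ranges and marks it for review, and the bare KEV-listed entry is escalated despite carrying no metadata at all. In a real pipeline the NVD records would come from the NVD API 2.0, the CNA ranges from the cve.org record, and the KEV set from CISA's catalogue feed, with the `vulnStatus` value also logged so the enrichment backlog can be tracked over time.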

NIST’s stated aim is to stabilize the NVD and free resources to build automation and workflow enhancements. Whether those investments will restore the breadth of enrichment or whether distributed, human-driven signals and vendor-supplied metadata will define remediation priorities remains to be seen. For now, the agency has traded universal immediacy for triage by priority — and, in doing so, shifted a substantial portion of the day-to-day judgment about what “matters” back to organizations, researchers, and the CVE authorities that know product architectures best.
