What happens when a database charged with making tens of thousands of software flaws intelligible decides it cannot keep up? NIST’s National Vulnerability Database (NVD) has announced a hard prioritization: enrichment work will focus on new and actively exploited vulnerabilities, leaving pre-March 2026 entries deprioritized as the agency responds to an unprecedented surge in reported CVEs.
Background: why enrichment matters and what changed
The NVD provides enrichment for reported Common Vulnerabilities and Exposures (CVEs). According to the change announced by NIST, the database will now prioritize enrichment for new and exploited flaws in response to a record growth in the number of reported CVEs. As a result of that reprioritization, enrichment for vulnerabilities reported before March 2026 will be dropped from the immediate work queue.
Current situation: a triage decision
Faced with a rapid increase in incoming CVE reports, NIST has shifted its operational focus. The immediate consequence is that enrichment resources will be concentrated on recently disclosed vulnerabilities and those known to be exploited. Pre-March 2026 vulnerabilities remain listed in the NVD, but the announced change means they will not receive the same priority for enrichment moving forward.
Why this matters: operational and strategic implications
This reprioritization is a practical response to volume: NIST frames the change as necessary to address the record growth of reported CVEs. The shift affects several stakeholder groups in different ways:
- Technologists: Firms and security teams that rely on enriched NVD data for prioritization and mitigation may need to adjust workflows if older CVEs do not receive timely enrichment.
- Policymakers and planners: The decision highlights resource limits within critical vulnerability-management infrastructure and may prompt reassessment of how enrichment capacity is funded and organized.
- Users and organizations: Entities depending on enriched metadata to gauge severity and remediation steps could find visibility reduced for pre-March-2026 vulnerabilities.
- Adversaries: Prioritizing newly reported and actively exploited flaws concentrates defensive attention where immediate risk is visible, potentially leaving older, un-enriched entries less scrutinized.
Looking ahead: trade-offs and risks
NIST’s change is explicit about its motivation — to cope with record CVE reporting by directing limited enrichment capacity toward the most time-sensitive threats. That triage buys faster, deeper coverage of new and exploited flaws but creates a backlog of older entries that will not receive the same enrichment attention. The trade-off is straightforward: more effective defense at the front lines versus reduced contextual detail for historical or lower-profile vulnerabilities.
Will focusing scarce enrichment resources on the immediate threat stream stabilize risk across the ecosystem, or will a growing set of under-enriched, pre-March-2026 CVEs become a blind spot? The answer will matter to every organization that treats the NVD as a cornerstone of vulnerability management.
https://www.infosecurity-magazine.com/news/nvd-enrichment-premarch-2026/




