What if the vulnerability database you trust to prioritize your patching just stopped doing its job?
On April 15, 2026, NIST announced a seismic shift in how the National Vulnerability Database (NVD) operates. The agency that has spent two decades scoring, validating, and enriching CVE records is now only doing so for a tiny fraction of new submissions. Everything else gets a vendor-assigned score and a label that says “Not Scheduled.”
This is not a glitch. It is a policy. And it changes how every security team on the planet should think about vulnerability management.
The Numbers That Broke the System
NIST enriched more than 42,000 CVEs in 2025, an unprecedented workload. But submissions in early 2026 are running 263% higher than the same period a year earlier. The pipeline is not just full, it is overflowing.
The agency tried. It asked Congress for supplemental funding in 2025. It got partial support that did not come close to matching submission growth. The result? A backlog that has been visible since early 2024 finally became official policy.
As of April 15, 2026, NIST enriches only CVEs that meet at least one of three criteria:
- The vulnerability is already on CISA’s Known Exploited Vulnerabilities (KEV) catalog
- The vulnerability affects U.S. federal government software
- The vulnerability involves “critical software” as defined by Executive Order 14028
Everything else, which is to say the overwhelming majority, gets whatever score the CVE Numbering Authority (CNA) assigned and nothing more.
Why CNA-Only Scoring Is a Problem
There are more than 400 CVE Numbering Authorities. Most of them are software vendors scoring their own products. The conflict of interest is not hypothetical.
Vendors routinely underrate severity to avoid reputational damage. Or overrate it to pressure customers into upgrades. They miscategorize affected components. They leave out Common Platform Enumeration (CPE) entries that let scanners match CVEs to installed software versions.
NIST’s enrichment staff historically caught these errors. They rescored inconsistent CVSS submissions, normalized product identifiers, and added the metadata that made CVEs actionable. Without that second pass, a CVE’s published score becomes whatever the reporting vendor felt like putting on it.
For defenders running automated patch prioritization keyed to CVSS thresholds, this introduces variance that cannot be resolved without manual review. The tool that was supposed to reduce manual review now produces data that requires it.
Three Forces Driving the Overload
The 263% spike is not a temporary blip. It reflects three structural shifts in the industry:
Automation at scale. Researchers now run AI-assisted fuzzers and static analysis across the open source ecosystem. Anthropic’s team documented finding a 27-year-old vulnerability in 1,000 tries using coordinated model calls. When one researcher can file dozens of valid CVEs per week, the pipeline fills faster than any human team can empty it.
CNA expansion. MITRE’s CNA count grew from about 200 in 2022 to more than 400 by 2026. Each new CNA adds submission volume. None of them add enrichment throughput at NIST.
Flat funding. NIST’s information security funding has been flat or declining in real terms since 2020. Planning for sustained hiring was impossible under continuing resolution cycles.
Who Gets Hit Hardest
Commercial vulnerability scanners (Tenable, Qualys, Rapid7, Wiz, and their peers) consume NVD feeds as a primary input. They layer their own research on top, but the foundation is NIST's enrichment. The same is true for open-source scanners such as Trivy, Grype, and OSV-Scanner, and for every GRC tool that maps CVEs to compliance frameworks.
Compliance regimes that reference CVSS score thresholds, such as PCI DSS's requirement that "high" severity findings be remediated within 30 days, depend on NIST's scoring being consistent and trustworthy. If the authoritative score for most new CVEs is whatever the vendor chose, those compliance timelines become unstable: two vulnerabilities with the same real-world impact can carry very different CVSS numbers depending on who submitted them.
Incident responders pulling CVE context during active investigations will feel the gap too. The CPE strings NIST added (of the form cpe:2.3:a:vendor:product:version:...) are what let scanners correlate "we have this vulnerability" with "this specific product version is installed on this host." Without them, analysts end up reading vendor advisories directly and doing the mapping by hand.
What Defenders Should Do Now
- Treat non-enriched CVEs as provisional. If the NVD entry says "Not Scheduled," the CVSS score is vendor-provided and unvalidated. The distinction is visible in the NVD API: each CVSS metric carries a source field, and only a value of nvd@nist.gov marks a NIST-assigned score; anything else is the CNA's. Factor that into your risk calculations.
- Cross-reference multiple sources. CISA's KEV catalog (confirmed exploitation in the wild), EPSS scores from FIRST (an estimated probability of exploitation within the next 30 days, which CVSS does not measure), and vendor-specific threat intelligence all provide context that can help compensate for missing NIST enrichment.
- Invest in your own analysis capability. If your vulnerability management program is fully automated around NVD feeds, you now have a gap that requires human review for anything that looks unusual.
- Track which CNAs you trust. Not all 400+ CNAs score with the same rigor. Over time, you will learn which vendors consistently understate or overstate severity.
The Bottom Line
The NVD was never perfect, but it was the closest thing the industry had to a universal source of truth. That truth is now conditional. For critical vulnerabilities, NIST still does the work. For everything else, you are trusting the vendor that discovered the bug to rate its own severity honestly and accurately.
That trust model has never looked more fragile. And with AI-assisted vulnerability discovery accelerating submission rates, the gap between what gets enriched and what gets ignored will only widen.
The CVE system is not dead. But it is no longer enough. Security teams that do not adapt their processes to this new reality will be flying blind on the majority of new vulnerabilities hitting their scanners.
Welcome to the triage queue.
Stay sharp. The CVE backlog is not going away, and neither is the need to sort signal from noise.