When a software vulnerability is discovered, it gets assigned a CVE (Common Vulnerabilities and Exposures) ID by a CVE Numbering Authority, or CNA. Think of CNAs as the people who stamp and file the paperwork: software vendors, research organizations, and security firms that are authorized to officially name and record vulnerabilities.
Once a CVE exists, NIST’s National Vulnerability Database (NVD) takes over and enriches it. That enrichment is the valuable part: severity scores (CVSS), affected product lists, and references that help security teams decide what to patch first. The NVD is essentially the annotated, searchable version of the CVE list that the security industry has relied on for over two decades.

Big Backlog, Thanks to AI
Starting in early 2024, the NVD fell behind on enriching CVEs. Badly behind. The volume of submissions had simply outpaced what the team could process. NIST worked faster than ever and enriched nearly 42,000 CVEs in 2025, which was 45% more than any prior year. It still was not enough.
CVE submissions increased 263% between 2020 and 2025. Submissions in the first three months of 2026 are already running about a third higher than the same period last year. The trend is not slowing down. NIST had to make a choice: keep pretending they could enrich everything, or be transparent about what they can actually handle.
What Changes Today
As of April 15, 2026, NIST is moving to a risk-based prioritization model. Not every CVE will get the full enrichment treatment automatically. Instead, NIST will focus its resources on three categories:
- CVEs that appear in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, with a goal to enrich these within one business day
- CVEs affecting software used within the federal government
- CVEs for software defined as “critical” under Executive Order 14028
Everything else gets filed under a new status called Not Scheduled. The CVE still exists in the NVD, it just will not be enriched unless someone requests it. You can email nvd@nist.gov to request enrichment of specific unscheduled vulnerabilities, and NIST will review those as resources allow.
On top of that, NIST will no longer routinely provide its own separate severity score for CVEs where the submitting CNA already included one. And they will only reanalyze previously enriched CVEs if a modification materially changes the data, rather than reviewing all updates automatically.
Hello KEV, *Bookmarked*
If there is one practical takeaway from all of this, it is this: CISA’s Known Exploited Vulnerabilities Catalog has effectively become the highest-priority enrichment queue in the NVD. NIST is committing to enrich KEV-listed vulnerabilities within one business day of receipt.
Bookmark this: CISA Known Exploited Vulnerabilities (KEV) Catalog
The KEV Catalog lists vulnerabilities that have confirmed, real-world exploitation. That makes it inherently actionable, and now it is also the thing NIST will process fastest. For any security team trying to triage what to patch first, that alignment is useful. If a CVE is on the KEV list, NIST treats it as top priority. If your team is not already using the KEV Catalog to guide patching decisions, now is the time to start.
Thoughts
NIST is not shrinking the NVD. All CVEs still get listed. But “listed” and “enriched” are no longer the same thing. If a CVE is not on the KEV Catalog, not used by the federal government, and not classified as critical software, it may sit unenriched for a while. Build your workflows accordingly.
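One way to build that into a triage workflow, as an added example that is not NIST's or CISA's code: KEV membership overrides score, a CNA-supplied score is used when the NVD has none, and CVEs with no score at all are surfaced for review instead of sorting to the bottom. The record fields, tier names, 7.0 threshold and CVE IDs are assumptions constructed for illustration, not the NVD API schema.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cve:  # hypothetical simplified record, not the NVD API schema
    cve_id: str
    nvd_status: str             # e.g. "Analyzed" or "Not Scheduled"
    nvd_score: Optional[float]  # CVSS base score from NVD enrichment, if any
    cna_score: Optional[float]  # CVSS base score supplied by the CNA, if any

# Tier names and their order are a local policy choice (assumption).
TIER_ORDER = {"patch-now": 0, "patch-soon": 1, "manual-review": 2, "scheduled": 3}

def triage(cves, kev_ids, high=7.0):
    """Return (cve_id, tier, score, score_source) tuples, most urgent first."""
    rows = []
    for c in cves:
        # Fall back to the CNA score when NVD has not scored the CVE.
        if c.nvd_score is not None:
            score, source = c.nvd_score, "nvd"
        elif c.cna_score is not None:
            score, source = c.cna_score, "cna"
        else:
            score, source = None, "none"
        if c.cve_id in kev_ids:
            tier = "patch-now"       # confirmed exploitation outranks any score
        elif score is None:
            tier = "manual-review"   # listed but unscored: do not drop silently
        elif score >= high:
            tier = "patch-soon"
        else:
            tier = "scheduled"
        rows.append((c.cve_id, tier, score, source))
    rows.sort(key=lambda r: (TIER_ORDER[r[1]], -(r[2] or 0.0), r[0]))
    return rows

def enrichment_requests(cves):
    """CVEs left Not Scheduled with no score from anyone: candidates for an NVD request."""
    return [c.cve_id for c in cves
            if c.nvd_status == "Not Scheduled"
            and c.nvd_score is None and c.cna_score is None]

# Constructed sample data; the IDs are placeholders, not real CVEs.
KEV_IDS = {"CVE-0000-0004"}
SAMPLE = [
    Cve("CVE-0000-0001", "Analyzed", 9.8, 9.8),
    Cve("CVE-0000-0002", "Not Scheduled", None, 8.1),
    Cve("CVE-0000-0003", "Not Scheduled", None, None),
    Cve("CVE-0000-0004", "Analyzed", 5.3, None),
    Cve("CVE-0000-0005", "Not Scheduled", None, 4.0),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, KEV_IDS):
        print(row)
    print("request enrichment:", enrichment_requests(SAMPLE))
```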
The long-term goal is to develop automated enrichment systems that can handle the volume without relying entirely on manual analysis. But that work takes time. In the meantime, NIST is being upfront about the triage they are already doing. That kind of transparency, even when the news is not great, is actually a good sign for the long-term health of the program.
Source: NIST — NVD Updates NVD Operations to Address Record CVE Growth