
NIST Limits NVD CVE Enrichment to KEV, Federal Use and Critical Software

The change signals a move toward threat-driven triage across the industry.

Overview

  • NIST, which announced the shift Wednesday, will enrich only CVEs that are in CISA’s Known Exploited Vulnerabilities (KEV) catalog, that affect software used by the federal government, or that affect EO 14028 critical software, with a goal of processing KEV entries within one business day.
  • Backlogged entries with an NVD publish date before March 1st, 2026 now carry a “Not Scheduled” label, and users can request enrichment or reanalysis by emailing the NVD help address.
  • The database will not add a separate CVSS severity score when the submitting CVE Numbering Authority provided one, and it will revisit entries only if a modification materially changes prior enrichment data.
  • NIST attributes the shift to scale stress, citing a 263% jump in CVE submissions since 2020, nearly 42,000 enrichments in 2025, and a one‑third rise in submissions in the first quarter of 2026.
  • Security experts say the move was expected and will push teams to use sources like KEV and exploitability metrics, with AI‑driven discovery inflating CVE volume and accelerating the need for automated prioritization.