The NIST vulnerability database has hit a breaking point. After cataloging nearly 42,000 CVEs in 2025 alone, NIST announced on April 15, 2026 that it can no longer provide severity scores and detailed analysis for every disclosed vulnerability. Instead, the agency is shifting to a risk-based triage system that prioritizes only the highest-impact threats, marking a fundamental change in how the National Vulnerability Database operates.
Key Takeaways
- NIST enriched 42,000 CVEs in 2025, with new submissions in 2026 tracking even higher
- CVE volume has surged 263% since 2020, driven by AI-powered vulnerability-detection tools
- Starting April 15, 2026, NIST will only analyze CVEs meeting one of three criteria: listing in CISA's Known Exploited Vulnerabilities catalog, use in federal government software, or presence in software designated as critical
- Unenriched CVEs will be marked “lowest priority” or “Not Scheduled” but remain listed in the NVD
- Organizations must now rely on multiple sources—vendors, CISA KEV list, and CNAs—instead of NIST as the sole authority
Why the NIST Vulnerability Database Can No Longer Keep Up
The surge is staggering. Between 2020 and 2025, newly reported vulnerabilities increased 263%, a growth rate NIST’s existing staffing and processes simply cannot sustain. The root cause is automation: AI-powered vulnerability-detection tools are flooding disclosure channels with an unprecedented volume of CVEs. Early 2026 submissions are already tracking higher than the same period in 2025, suggesting the trend will only accelerate.
This is not a new problem for NIST. The agency faced a funding lapse in early 2024 that temporarily halted metadata provision and created a massive backlog. Even with resources restored, the mathematical reality became clear: enriching every CVE—assigning severity scores, analyzing impact, and providing context—was becoming impossible. “They had to do something. NIST was woefully behind on classifying CVEs and would likely never have caught up,” according to Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative.
The New NIST Vulnerability Database Triage System
Starting April 15, 2026, the NIST vulnerability database will prioritize enrichment for three categories of CVEs: those appearing in CISA’s Known Exploited Vulnerabilities Catalog (with a goal to enrich within one business day), vulnerabilities affecting federal government software, and vulnerabilities in critical software as defined by Executive Order 14028. All other CVEs will be listed in the NVD but marked “lowest priority” or “Not Scheduled,” meaning they receive no NIST enrichment.
NIST is also stopping its practice of assigning severity scores to CVEs that already have scores from submitting organizations, and it will only reevaluate modified CVEs if new information “materially impacts” the original analysis. The agency is pausing work on the pre-March 1 CVE backlog entirely, moving those entries to “Not Scheduled” status and promising to consider enriching them later using new criteria as resources allow.
The rationale is strategic: “While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories,” NIST stated. The new system aims to focus resources on CVEs with “the greatest potential for widespread impact” and stabilize the NVD for long-term sustainability through automated systems and workflow enhancements.
What This Means for Security Teams
The shift marks a fundamental departure from how defenders have historically approached vulnerability management. For decades, the NIST vulnerability database served as the authoritative single source—organizations could reference it to understand CVE severity and context. That era is ending. “NIST’s decision to only prioritize high-impact vulnerabilities marks the end of an era where defenders could leverage a single government-managed database to assess security risks, forcing organizations to pivot to a proactive approach to risk management that’s driven by threat intelligence,” according to David Lindner, chief information security officer of Contrast Security.
In practice, this means security teams must now triangulate across multiple sources. They will rely on CVE Numbering Authorities (CNAs), vendors publishing their own vulnerability assessments, the CISA KEV list, and exploitability metrics instead of NIST as the sole reference. Industry and ad hoc coalitions are already poised to help fill the enrichment gap left by NIST’s changes. The broader vulnerability surge is real across the industry—Microsoft, for example, addressed 165 vulnerabilities in one monthly batch in 2025, its second-largest on record.
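As an added illustration (not code from the article, NIST, or any vendor quoted above), here is a small Python triage policy of the kind a team might adopt once NVD enrichment is no longer guaranteed: use the NIST score where a CVE was analyzed, fall back to the CNA score for "Not Scheduled" entries, let a CISA KEV listing override everything, and route unscored CVEs to manual research instead of silently treating them as low risk. The record fields, the exploit-probability feed value and the CVE identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CveRecord:
    cve_id: str                 # placeholder IDs below, not real CVEs
    nvd_status: str             # "Analyzed" or "Not Scheduled" (assumed field)
    nvd_cvss: Optional[float]   # NIST-assigned score, present only if enriched
    cna_cvss: Optional[float]   # score supplied by the CNA or vendor
    in_cisa_kev: bool           # listed in CISA's KEV catalog
    epss: Optional[float]       # exploit-probability feed value (assumed source)

def effective_score(rec: CveRecord) -> Optional[float]:
    """Prefer NIST enrichment when it exists; otherwise fall back to the CNA score."""
    if rec.nvd_status == "Analyzed" and rec.nvd_cvss is not None:
        return rec.nvd_cvss
    return rec.cna_cvss

def triage(rec: CveRecord) -> tuple[str, str]:
    """Return (priority, reason). KEV listing always wins; unscored entries go
    to manual research rather than being treated as low risk by default."""
    if rec.in_cisa_kev:
        return "P1", "in CISA KEV: known exploited, NIST fast-tracks enrichment"
    score = effective_score(rec)
    if score is None:
        return "RESEARCH", "no NVD or CNA score: needs external assessment"
    source = "NVD" if rec.nvd_status == "Analyzed" and rec.nvd_cvss is not None else "CNA"
    if score >= 9.0 or (rec.epss is not None and rec.epss >= 0.5):
        return "P2", f"{source} score {score} or high exploit probability"
    if score >= 7.0:
        return "P3", f"{source} score {score}"
    return "P4", f"{source} score {score}"

# Unscored "Not Scheduled" items sort ahead of confirmed-low ones so they are not lost.
PRIORITY_ORDER = {"P1": 0, "P2": 1, "P3": 2, "RESEARCH": 3, "P4": 4}

def triage_queue(records):
    """Sorted work queue of (cve_id, priority, reason) tuples."""
    rows = [(r.cve_id, *triage(r)) for r in records]
    return sorted(rows, key=lambda row: PRIORITY_ORDER[row[1]])

# Constructed sample feed: placeholder IDs, field values invented for illustration.
SAMPLE = [
    CveRecord("CVE-0000-0001", "Analyzed", 7.5, 7.5, True, 0.9),
    CveRecord("CVE-0000-0002", "Not Scheduled", None, 9.8, False, 0.1),
    CveRecord("CVE-0000-0003", "Not Scheduled", None, None, False, None),
    CveRecord("CVE-0000-0004", "Not Scheduled", None, 4.3, False, 0.7),
    CveRecord("CVE-0000-0005", "Analyzed", 5.3, 5.3, False, 0.01),
]
```

Running `triage_queue(SAMPLE)` puts the KEV entry first, the two records with a high CNA score or high exploit probability next, the unscored record ahead of the confirmed-low one, and records the source of every score in the reason string for audit.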
Is the NIST Vulnerability Database Still Useful?
Yes, but with caveats. The NIST vulnerability database will continue to list all disclosed CVEs—nothing will disappear from the public record. However, the depth of analysis will vary dramatically. CVEs meeting the three prioritization criteria will receive full enrichment and severity scoring. Everything else will carry minimal metadata. For organizations managing a large attack surface, this creates a two-tier system: well-analyzed critical threats and a long tail of CVEs requiring external research to assess risk.
Will NIST Ever Catch Up on the CVE Backlog?
NIST has not committed to a specific timeline. The agency is pausing backlog work and will “consider enriching” pre-March 1 CVEs later using new criteria “as resources allow”. This is diplomatic language for: it depends on funding and staffing. Caitlin Condon, vice president of security research at VulnCheck, noted that the announcement aligns with NIST’s earlier signals about moving toward risk-based prioritization, suggesting this shift was inevitable.
The NIST vulnerability database remains a foundational security resource, but it is no longer the complete answer to vulnerability assessment. Organizations must now build layered intelligence strategies, combining NIST data for prioritized threats with vendor advisories, threat feeds, and exploitation intelligence for everything else. The tidal wave of AI-driven disclosures has forced a reckoning: perfect coverage is impossible, so focus on impact instead.
This article was written with AI assistance and editorially reviewed.
Source: TechRadar