
NIST to Limit Work on CVE Entries as Submissions Surge
Why It Matters
The shift prioritizes the most exploitable flaws, preserving the National Vulnerability Database’s usefulness for defenders while acknowledging resource constraints. It signals a broader industry move toward risk‑based triage amid exploding vulnerability volumes.
Key Takeaways
- NIST will enrich only CVEs in CISA’s exploited‑vulnerabilities catalog.
- Submissions rose ~33% YoY, straining NIST’s 21‑person team.
- Critical and federal‑use software CVEs receive priority enrichment within one day.
- Backlogged CVEs pre‑March 2026 moved to “Not Scheduled” category.
- NIST will rely on submitters’ severity scores, ending its own scoring.
Pulse Analysis
The National Vulnerability Database (NVD) has long been the cornerstone of vulnerability management, cataloguing every reported CVE with detailed descriptions and severity metrics. However, the rapid proliferation of AI‑driven code‑review tools and automated bug‑finding scripts has flooded the system with submissions, many of which are low‑impact. In 2025 NIST enriched nearly 42,000 CVEs—a 45% increase over previous years—yet the surge continued, with Q1 2026 submissions up roughly one‑third YoY. This volume outpaces the agency’s static staff of 21, creating a backlog that threatens the timeliness and reliability of the database.
To address the bottleneck, NIST introduced a risk‑based enrichment policy that limits detailed updates to CVEs appearing in the Cybersecurity and Infrastructure Security Agency’s (CISA) known‑exploited‑vulnerabilities catalog, as well as those classified as critical or used by federal agencies. These prioritized entries will receive enrichment within a day of CISA notification, while other CVEs will remain listed without new data. The agency also announced that it will no longer generate its own severity scores, instead adopting the scores supplied by submitters. Backlogged CVEs published before March 1, 2026 are being re‑categorized as “Not Scheduled,” though high‑impact cases can still be manually requested for enrichment.
The policy shift underscores a broader industry trend: moving away from exhaustive central triage toward distributed, exploit‑driven signals. Stakeholders warn that without sufficient funding—Congress has been urged to treat the NVD as critical infrastructure—the database could lose its status as a trusted reference. NIST’s focus on automation and workflow enhancements aims to sustain the NVD’s relevance, but the move also places greater responsibility on vendors and security teams to prioritize remediation based on real‑world exploitability rather than database metadata alone. This evolution will likely reshape vulnerability management practices across both public and private sectors.