
🎯 Basically, NIST won't update older security flaws because there are too many new ones to handle.
What Happened
On April 15, 2026, at VulnCon26, NIST announced a significant operational change regarding its National Vulnerability Database (NVD). Due to a record surge in reported vulnerabilities, the NVD will no longer enrich vulnerabilities reported before March 1, 2026. This decision stems from an overwhelming backlog of Common Vulnerabilities and Exposures (CVEs) that the NVD cannot keep up with.
Who's Affected
This change directly impacts organizations and individuals relying on the NVD for vulnerability information. Specifically, it affects those who monitor or respond to vulnerabilities in software, especially if they involve federal government systems or critical software as defined by Executive Order 14028.
What Data Was Exposed
While all submitted CVEs will still be added to the NVD, those that do not meet the new criteria will be categorized as ‘Not Scheduled’. This means they will not receive enrichment, which includes important details and risk assessments necessary for effective vulnerability management.
What You Should Do
Organizations should prioritize monitoring the NVD for newly enriched vulnerabilities, particularly those related to critical software. Users can request enrichment of unscheduled CVEs by contacting the NVD directly. It's essential to stay informed about the vulnerabilities that affect your systems, especially as the volume of CVEs continues to rise.
The Flaw
The NVD's operational adjustments are a response to a 263% increase in CVE submissions from 2020 to 2025. NIST officials noted that submissions in the first quarter of 2026 are already one-third higher than the same period last year.
What's at Risk
With the NVD focusing on critical vulnerabilities, there is a risk that less critical vulnerabilities may not receive timely attention. This could leave systems exposed to threats that could have been mitigated with proper enrichment and analysis.
Patch Status
NIST will prioritize enriching vulnerabilities found in software used by the federal government and those listed in CISA's Known Exploited Vulnerabilities (KEV) list. Users should ensure they are aware of these prioritized vulnerabilities and apply necessary patches promptly.
Immediate Actions
This shift in NIST's approach underscores the growing challenges in vulnerability management as the number of reported flaws continues to escalate. Organizations must adapt to these changes to maintain robust security practices.
Containment
1. Monitor the NVD: Regularly check for updates on enriched vulnerabilities.
2. Request Enrichment: If you find an unscheduled CVE relevant to your systems, reach out to NVD for enrichment.
Remediation
🔒 Pro insight: NIST's shift to a risk-based approach may create gaps in vulnerability management for less critical flaws, impacting overall security posture.





