On 15 April 2026, NIST quietly made one of the most consequential changes to vulnerability management in years. The National Vulnerability Database (NVD) — the backbone of how most development teams discover, triage, and patch security flaws — shifted to a risk-based prioritisation model. Not every CVE will receive full analysis any more. If your team relies on NVD enrichment data to decide what to patch, your workflow just changed whether you realised it or not.

TL;DR

  • NIST’s NVD now uses risk-based prioritisation — only high-impact CVEs get full enrichment and CVSS scoring
  • CVE submissions surged 263% between 2020 and 2025, and 2026 is tracking even higher — NIST cannot keep up
  • All backlogged CVEs before March 2026 are now categorised as “Not Scheduled” for enrichment
  • Development teams relying solely on NVD for vulnerability intelligence need to diversify their sources immediately
  • Automated scanning tools that depend on NVD enrichment may miss vulnerabilities — audit your pipeline now

What Actually Changed

NIST has officially acknowledged what security practitioners have suspected for months: the NVD cannot keep pace with the volume of CVE submissions flooding in. Between 2020 and 2025, submissions surged by 263%. The first quarter of 2026 alone is tracking nearly a third higher than the same period last year.

The response? A triage system. Going forward, NIST will fully enrich only CVEs that meet specific criteria:

  • CVEs in the CISA Known Exploited Vulnerabilities (KEV) catalogue — these get full analysis within one business day
  • CVEs affecting software used by the US federal government
  • CVEs for critical software as defined by Executive Order 14028 — software running with elevated privileges, controlling access to data or operational technology, or operating outside normal trust boundaries

Everything else? Categorised as “Not Scheduled.” That includes the entire backlog of CVEs with an NVD publish date before 1 March 2026.

Why This Matters More Than You Think

If you are a development team shipping production software, the NVD has likely been an invisible part of your security infrastructure for years. Tools like Trivy, Snyk, Dependabot, and Grype all pull enrichment data — CVSS scores, affected version ranges, CWE classifications — from the NVD. That enrichment is what turns a raw CVE identifier into something your team can actually act on.

Without enrichment, a CVE is just a number. No severity score. No affected versions. No remediation guidance. Your scanner might flag it, but your team will not know whether it is critical or trivial without doing their own research.

This is not a theoretical problem. It is happening right now. If your dependency tree includes a library with a CVE that does not meet NIST’s new prioritisation criteria, that vulnerability could sit unscored and unenriched indefinitely.

The Practical Impact on Your Pipeline

1. Your scanners may go quiet — and that is dangerous

Many teams have configured their CI/CD pipelines to break builds only when a vulnerability exceeds a certain CVSS threshold. If NIST never assigns a CVSS score to a CVE, it will not trip that threshold. Silence is not the same as safety.

2. Triage gets harder

Security teams that relied on NVD enrichment to prioritise their patch queue now need to do more manual research. For lean teams — and most development teams are lean — this means slower response times and higher risk of critical vulnerabilities slipping through.

3. Compliance audits need updating

If your compliance framework references NVD as a source of truth for vulnerability management (and many do), you may need to document supplementary sources. Auditors will want to see that your coverage has not degraded.

What Your Team Should Do Now

Diversify your vulnerability intelligence

The NVD should no longer be your sole source. Layer in additional feeds:

  • CISA KEV catalogue — the gold standard for actively exploited vulnerabilities
  • OSV (Open Source Vulnerabilities) — Google’s open-source vulnerability database, excellent for dependency scanning
  • GitHub Advisory Database — particularly strong for npm, PyPI, and Go ecosystems
  • Vendor security advisories — subscribe to advisories from your critical dependencies directly

Audit your scanning tool configuration

Check how your scanners handle CVEs without CVSS scores. Do they flag them? Ignore them? Most tools have configuration options for this — now is the time to review. Tools like Trivy already support multiple data sources; make sure you have them enabled.

Implement a “no score” policy

Define what your team does when a CVE has no NVD enrichment. A sensible default: treat unscored CVEs in your direct dependencies as medium severity until assessed. Do not let the absence of data become the absence of action.

Invest in Software Bill of Materials (SBOM)

An accurate SBOM lets you cross-reference vulnerability data from multiple sources against your actual dependency tree. If you are not generating SBOMs as part of your build process, this is the push to start. Tools like Syft, emitting the CycloneDX or SPDX formats, make this straightforward.

Stay close to CISA KEV

With NIST prioritising KEV-listed vulnerabilities for one-business-day enrichment, the KEV catalogue is now the most reliable fast-track signal for critical vulnerabilities. Integrate KEV checks into your pipeline if you have not already.
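As an added illustration (not code from the original post or from any of the tools it names), the script below shows how a build gate that only trips on a numeric CVSS score goes quiet under the new NVD model, and how a "no score" policy plus a KEV check keeps unscored findings visible. The scanner findings, the KEV membership set, the 7.0 threshold and the medium-severity placeholder of 5.0 are all constructed assumptions for this example.

```python
from typing import Optional

CVSS_THRESHOLD = 7.0         # assumed pipeline setting: break the build at or above this
UNSCORED_DIRECT_SCORE = 5.0  # "no score" policy: unscored direct deps count as medium until assessed

# Constructed sample findings; the CVE identifiers are placeholders, not real CVEs.
# 'cvss' is None when the NVD has left the entry unenriched ("Not Scheduled").
FINDINGS = [
    {"cve": "CVE-0000-0001", "package": "libexample",     "direct": True,  "cvss": 9.8},
    {"cve": "CVE-0000-0002", "package": "libexample",     "direct": True,  "cvss": None},
    {"cve": "CVE-0000-0003", "package": "transitive-dep", "direct": False, "cvss": None},
    {"cve": "CVE-0000-0004", "package": "otherlib",       "direct": True,  "cvss": None},
    {"cve": "CVE-0000-0005", "package": "smalllib",       "direct": True,  "cvss": 3.1},
]
# Constructed stand-in for the CISA KEV catalogue (in practice, load CISA's published feed).
KEV = {"CVE-0000-0004"}


def naive_gate(findings: list, threshold: float = CVSS_THRESHOLD) -> list:
    """The pre-change pattern: only a numeric NVD score above the threshold breaks the build.
    Every unenriched CVE, KEV-listed or not, sails through in silence."""
    return [f["cve"] for f in findings if f["cvss"] is not None and f["cvss"] >= threshold]


def effective_score(finding: dict, kev: set) -> tuple:
    """Return (score, provenance). KEV entries are treated as critical regardless of
    NVD state (assumed policy); unscored direct dependencies get the medium placeholder;
    unscored transitive dependencies get no number and are routed to human review."""
    if finding["cve"] in kev:
        return 10.0, "kev"
    if finding["cvss"] is not None:
        return finding["cvss"], "nvd"
    if finding["direct"]:
        return UNSCORED_DIRECT_SCORE, "policy:unscored-direct"
    return None, "unscored-transitive"


def triage(findings: list, kev: set, threshold: float = CVSS_THRESHOLD) -> dict:
    """Sort findings into block / review / pass so that absence of data never means absence of action."""
    result = {"block": [], "review": [], "pass": []}
    for f in findings:
        score, source = effective_score(f, kev)
        if score is None:
            result["review"].append(f["cve"])           # transitive and unscored: needs a look
        elif score >= threshold:
            result["block"].append(f["cve"])            # real or KEV-forced critical/high
        elif source.startswith("policy"):
            result["review"].append(f["cve"])           # placeholder score: assess, do not forget
        else:
            result["pass"].append(f["cve"])             # genuinely scored below threshold
    return result


if __name__ == "__main__":
    print("naive gate blocks:", naive_gate(FINDINGS))   # only the one scored CVE
    print("policy triage:", triage(FINDINGS, KEV))
```

Run against the sample, the naive gate blocks a single CVE while the policy triage blocks two (one by score, one by KEV) and queues the two unenriched entries for review instead of dropping them.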

The Bigger Picture

This change reflects a broader reality: the vulnerability landscape is scaling faster than any single institution can manage. AI-generated code is accelerating the discovery (and creation) of vulnerabilities. The explosion of open-source dependencies means every project carries a longer tail of potential exposure. And the rise of AI coding agents — which often pull in dependencies without human review — is compounding the problem.

NIST’s move is pragmatic, not negligent. They enriched nearly 42,000 CVEs in 2025, 45% more than any prior year. But the volume is simply outpacing capacity. The lesson for development teams is clear: centralised vulnerability management was always a convenience, not a guarantee. Now it is time to build resilience into your own processes.

How REPTILEHAUS Can Help

At REPTILEHAUS, we build security into the development process from day one. Our DevSecOps practice helps teams configure robust vulnerability scanning pipelines, integrate multiple intelligence sources, and implement automated triage workflows that do not depend on any single database. If your team needs to adapt to the new NVD reality — or wants a security audit of your current pipeline — get in touch.