Last updated: May 13, 2026 at 5:42 AM UTC

NIST stops enriching most new CVEs - only KEV-listed and federal-used software will get full NVD data going forward

NIST has announced major changes to how the National Vulnerability Database processes new CVEs, driven by a 263% surge in submissions that the agency can no longer keep up with. As of April 15, 2026, NIST will only provide full enrichment (CVSS scoring, CWE mapping, CPE identification) for CVEs that meet specific criteria: vulnerabilities in the CISA KEV catalog, those in software used by the federal government, and a small set of other priority categories. Everything else remains listed in the NVD but without the detailed metadata that security teams rely on for automated patch prioritization. Dustin Childs at ZDI noted during Patch Tuesday coverage that AI-driven vulnerability discovery has tripled his own triage volume. The same pressure is hitting NIST. Practical impact: vulnerability management tools, automated scanners, and patch prioritization workflows that depend on NVD enrichment data will have blind spots for the majority of new CVEs. Private vulnerability intelligence feeds (VulnCheck, Tenable, Qualys) become more important for anyone who relied on NVD as the single source of truth.

Check
Review how your vulnerability management program depends on NVD data. If your scanner or SIEM pulls CVSS scores and CPE data directly from NVD, many new CVEs will return incomplete results.
Affected
Any organization relying primarily on NVD as a vulnerability intelligence source. Automated patch prioritization tools, SIEM integrations, asset management platforms, and compliance reporting that map CVEs to systems via CPE identifiers will have coverage gaps for non-KEV, non-federal-priority CVEs.
Fix
Layer additional vulnerability intelligence sources on top of NVD. Consider subscribing to VulnCheck KEV (expanded exploitation data), CISA KEV directly (smaller but authoritative), or commercial feeds from Tenable, Qualys, or Rapid7. For patch prioritization, weight exploitation evidence (KEV listing, public PoC, threat intel reports) more heavily than CVSS scores alone - since many new CVEs won't have CVSS scores at all. Review your vulnerability SLAs - 'patch all criticals within N days' policies need rewording if criticality can't be automatically determined from NVD.
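As an added example (not code from the article or from NIST), the script below does the Check and Fix steps together: it flags records in an NVD API 2.0 style response that lack CVSS, CWE or CPE enrichment, then ranks them by exploitation evidence first and CVSS second, so an unscored CVE is held for review rather than silently dropped. The field names follow the NVD API 2.0 JSON layout as I understand it; the CVE identifiers, the KEV set and the public-PoC set are constructed placeholders.

```python
"""Triage helper: find CVE records that lack NVD enrichment and rank them
by exploitation evidence rather than CVSS alone. Field names follow the
NVD API 2.0 JSON layout (assumption); all records and ID sets below are
constructed sample data, not real feed output."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample in NVD API 2.0 shape: one enriched, two unenriched CVEs.
NVD_SAMPLE = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
             "weaknesses": [{"description": [{"value": "CWE-787"}]}],
             "configurations": [{"nodes": []}]}},
    {"cve": {"id": "CVE-0000-0002", "metrics": {}, "weaknesses": [], "configurations": []}},
    {"cve": {"id": "CVE-0000-0003"}},
]}
# Constructed exploitation evidence (in practice: CISA KEV, threat intel, PoC trackers).
KEV_IDS = {"CVE-0000-0002"}
PUBLIC_POC_IDS = {"CVE-0000-0003"}

@dataclass
class Triage:
    cve_id: str
    cvss: Optional[float]   # None when NVD has not enriched the record
    enriched: bool
    in_kev: bool
    public_poc: bool
    priority: int           # lower = patch sooner

def is_enriched(cve: dict) -> bool:
    """Full enrichment means CVSS metrics, CWE mapping and CPE configurations are all present."""
    return bool(cve.get("metrics")) and bool(cve.get("weaknesses")) and bool(cve.get("configurations"))

def base_score(cve: dict) -> Optional[float]:
    """First available CVSS base score, newest metric version first; None if unscored."""
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        for m in cve.get("metrics", {}).get(key, []):
            return m["cvssData"]["baseScore"]
    return None

def unenriched_ids(feed: dict) -> list:
    """The Check step: records a scanner pulling CVSS/CPE from NVD would return incomplete."""
    return [v["cve"]["id"] for v in feed["vulnerabilities"] if not is_enriched(v["cve"])]

def rank(cve: dict, kev: set, poc: set) -> Triage:
    """The Fix step: exploitation evidence outranks CVSS; unscored CVEs go to manual review."""
    cid, score = cve["id"], base_score(cve)
    if cid in kev: prio = 1
    elif cid in poc: prio = 2
    elif score is not None and score >= 9.0: prio = 3
    elif score is None: prio = 4   # unknown severity: review, do not treat as low
    else: prio = 5
    return Triage(cid, score, is_enriched(cve), cid in kev, cid in poc, prio)

def triage(feed: dict, kev: set, poc: set) -> list:
    rows = [rank(v["cve"], kev, poc) for v in feed["vulnerabilities"]]
    return sorted(rows, key=lambda r: (r.priority, -(r.cvss or 0)))
```

Feeding real NVD output and a real KEV list into `triage()` gives a queue where a KEV-listed CVE with no CVSS still lands at the top, which is the ordering the SLA rewording above needs.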