National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges

The National Vulnerability Database (NVD), managed by NIST, is transitioning to a selective enrichment model due to unsustainable CVE volume growth. Previously providing consistent context for all entries, NVD will now prioritize enrichment for vulnerabilities in the CISA KEV catalog, federal software, and critical designations. This structural shift leaves many CVEs without severity scoring or product data, complicating risk prioritization for security teams. With CVE submissions increasing 263% between 2020 and 2025, reliance on public enrichment creates operational gaps. Organizations must adopt broader vulnerability intelligence sources to maintain visibility across open-source dependencies, cloud infrastructure, and third-party integrations. Failure to supplement NVD data may result in increased exposure to actively exploited vulnerabilities lacking public context. Security programs should adjust workflows to account for reduced data quality and integrate alternative intelligence feeds for effective remediation.

Under a new model announced by the National Institute of Standards and Technology, NVD will no longer enrich every CVE. Instead, enrichment efforts will focus on a defined subset, including vulnerabilities in the CISA KEV catalog, software used by the federal government, and software designated as critical. The post National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges appeared first on Flashpoint .

The National Vulnerability Database (NVD), managed by NIST, is transitioning to a selective enrichment model due to unsustainable CVE volume growth. Previously providing consistent context for all entries, NVD will now prioritize enrichment for vulnerabilities in the CISA KEV catalog, federal software, and critical designations. This structural shift leaves many CVEs without severity scoring or product data, complicating risk prioritization for security teams. With CVE submissions increasing 263% between 2020 and 2025, reliance on public enrichment creates operational gaps. Organizations must adopt broader vulnerability intelligence sources to maintain visibility across open-source dependencies, cloud infrastructure, and third-party integrations. Failure to supplement NVD data may result in increased exposure to actively exploited vulnerabilities lacking public context. Security programs should adjust workflows to account for reduced data quality and integrate alternative intelligence feeds for effective remediation. Under a new model announced by the National Institute of Standards and Technology, NVD will no longer enrich every CVE. Instead, enrichment efforts will focus on a defined subset, including vulnerabilities in the CISA KEV catalog, software used by the federal government, and software designated as critical. The post National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges appeared first on Flashpoint . Blogs Blog National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges In this post, we examine what NVD’s shift to selective enrichment means for vulnerability workflows and how security teams can maintain visibility and prioritization at scale. SHARE THIS: Flashpoint April 17, 2026 Table Of Contents Table of Contents What Changed in NVD’s Operating Model The Impact on Vulnerability Workflows Prioritization Criteria Will Not Capture the Full Risk Landscape Vulnerability Intelligence Requires Broader Coverage and Deeper Context Vulnerability Intelligence Requires Broader Coverage and Deeper Context A Structural Shift in Vulnerability Data More subscribe to our newsletter The National Vulnerability Database (NVD) is changing how it processes and enriches vulnerability data in response to sustained growth in CVE submissions. Under a new model announced by the National Institute of Standards and Technology , NVD will no longer enrich every CVE. Instead, enrichment efforts will focus on a defined subset, including vulnerabilities in the CISA KEV catalog, software used by the federal government, and software designated as critical. All other CVEs will remain in the database without additional context unless specifically requested. Rising disclosure volumes are placing pressure on public vulnerability infrastructure, and it has direct implications for how security teams consume and act on vulnerability data. What Changed in NVD’s Operating Model For years, NVD aimed to provide consistent enrichment across all CVEs, including severity scoring, affected product data, and supporting context for prioritization. That approach has not been sustainable since late 2023. In 2025, Flashpoint tracked 44,509 disclosed vulnerabilities, 14,593 of which had publicly available exploits (and 1,944 more with proof-of-concepts). CVE submissions increased by 263% between 2020 and 2025, with 2026 already tracking higher year-over-year. Even with increased throughput, NVD has not been able to keep pace. Under the updated model: CVEs meeting prioritization criteria will be enriched on an accelerated timeline CVEs outside those criteria will be labeled and left without enrichment Re-analysis of modified CVEs will occur selectively Separate NVD severity scoring will no longer be applied by default This introduces a significant structural change in how vulnerability data is published and maintained. The Impact on Vulnerability Workflows Many security programs rely on NVD enrichment to operationalize CVE data. That enrichment provides the context needed to evaluate risk and determine remediation priorities. With enrichment applied selectively, teams will encounter a growing number of CVEs that include: Limited or no severity scoring Incomplete product and version data Minimal context on exploitability or impact No CPE strings that allow for programmatic consumption of data At the same time, disclosure volume continues to rise, and exploitation timelines remain compressed. This creates a gap between what is disclosed and what can be acted on efficiently. Security teams will need to account for: Larger backlogs of CVEs without actionable context Increased manual effort to evaluate relevance and risk Greater variability in data quality across sources These changes affect vulnerability management, threat intelligence, and security operations workflows simultaneously. Prioritization Criteria Will Not Capture the Full Risk Landscape NVD’s updated model focuses enrichment...