NIST gives up enriching most CVEs

The US National Institute of Standards and Technology has officially limited its National Vulnerability Database enrichment to critical software and actively exploited bugs due to ongoing budget constraints.

Key Points

  • NIST will now only provide enriched metadata for vulnerabilities listed in the CISA KEV catalog, software used by federal agencies, and designated "critical software."
  • The agency will stop assigning its own CVSS severity scores, instead adopting the scores provided by the original vulnerability reporting organizations.
  • The backlog of unenriched CVE entries grew from approximately 2,100 in early 2024 to nearly 30,000 by the end of the year.
  • This policy shift, effective April 15, 2026, acknowledges that the agency can no longer keep pace with the rising volume of vulnerability disclosures.
  • Industry experts anticipate the number of reported vulnerabilities will continue to surge as AI-powered cybersecurity agents become more widely adopted.

Why it Matters

This decision marks the end of the National Vulnerability Database serving as a comprehensive, single source of truth for the global cybersecurity industry. Security teams and tool vendors must now diversify their data sources and improve their own internal triage processes to maintain visibility into emerging threats.
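The triage change this implies for a defender is concrete: once NIST no longer supplies its own "Primary" CVSS score for most entries, an internal pipeline has to fall back to the reporting organization's (CNA's) score where one exists, treat KEV membership as the overriding signal, and route entries that carry no score at all to manual review rather than silently scoring them as low. The helper below is an added example written for this page, not code from Risky.biz, NIST or CISA. It assumes records shaped like the public NVD 2.0 API (`cve.id`, `cve.vulnStatus`, `cve.metrics.cvssMetricV31[]` with `type` "Primary"/"Secondary"), but the sample records, CVE identifiers and the KEV-style ID set embedded in it are constructed placeholders.

```python
"""Triage helper for CVE records when NVD enrichment may be absent.

Added example (not NIST, CISA or Risky.biz code). Record layout follows the
NVD 2.0 API as an assumption; every value below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample records in NVD 2.0 API shape (CVE IDs are placeholders).
SAMPLE_NVD_RECORDS: List[dict] = [
    # NIST-analyzed entry: both a Primary (NIST) and a Secondary (CNA) score.
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [
                 {"source": "nvd@nist.gov", "type": "Primary",
                  "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
                 {"source": "cna@example.test", "type": "Secondary",
                  "cvssData": {"baseScore": 8.8, "baseSeverity": "HIGH"}}]}}},
    # Unenriched entry: only the reporting organization's score is present.
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [
                 {"source": "cna@example.test", "type": "Secondary",
                  "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    # Unenriched and unscored, but listed in the KEV-style set below.
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis",
             "metrics": {}}},
    # Unenriched, unscored, not in KEV: nobody has assessed it yet.
    {"cve": {"id": "CVE-0000-0004", "vulnStatus": "Awaiting Analysis",
             "metrics": {}}},
]

# Constructed stand-in for the set of cveID values from the CISA KEV catalog.
SAMPLE_KEV_IDS: Set[str] = {"CVE-0000-0003"}


@dataclass
class Triage:
    cve_id: str
    score: Optional[float]
    severity: str
    score_source: str  # "nvd" (NIST Primary), "cna" (Secondary), or "none"
    in_kev: bool
    enriched: bool     # True only when NVD itself has analyzed the entry


def pick_score(cve: dict) -> Tuple[Optional[float], str, str]:
    """Prefer a NIST Primary score, then a CNA Secondary score, else nothing."""
    metrics = cve.get("metrics", {})
    candidates: List[dict] = []
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30"):
        candidates.extend(metrics.get(key, []))
    primary = [m for m in candidates if m.get("type") == "Primary"]
    secondary = [m for m in candidates if m.get("type") == "Secondary"]
    for pool, label in ((primary, "nvd"), (secondary, "cna")):
        if pool:
            data = pool[0]["cvssData"]
            return data["baseScore"], data.get("baseSeverity", "UNKNOWN"), label
    return None, "UNKNOWN", "none"


def triage(record: dict, kev_ids: Set[str]) -> Triage:
    cve = record["cve"]
    score, severity, source = pick_score(cve)
    return Triage(
        cve_id=cve["id"], score=score, severity=severity, score_source=source,
        in_kev=cve["id"] in kev_ids,
        enriched=cve.get("vulnStatus") in ("Analyzed", "Modified"),
    )


def priority(t: Triage) -> str:
    """Local priority policy: KEV first, then score bands, else manual review."""
    if t.in_kev:
        return "P1"            # known exploited beats any score
    if t.score is None:
        return "REVIEW"        # no score from anyone: do not default to low
    if t.score >= 9.0:
        return "P1"
    if t.score >= 7.0:
        return "P2"
    return "P3"


def triage_all(records: Iterable[dict], kev_ids: Set[str]) -> Dict[str, Tuple[Triage, str]]:
    """Map CVE ID -> (triage record, priority) for every input record."""
    out: Dict[str, Tuple[Triage, str]] = {}
    for rec in records:
        t = triage(rec, kev_ids)
        out[t.cve_id] = (t, priority(t))
    return out


if __name__ == "__main__":
    for cve_id, (t, prio) in triage_all(SAMPLE_NVD_RECORDS, SAMPLE_KEV_IDS).items():
        print(f"{cve_id}: {prio} score={t.score} via={t.score_source} "
              f"kev={t.in_kev} nvd_enriched={t.enriched}")
```

The `enriched` flag is worth reporting separately from the score: with the policy above, most entries will carry `Awaiting Analysis` indefinitely, so a dashboard that counts "unenriched" as "unknown severity" would mislabel every CNA-scored bug. The `REVIEW` bucket is the one to watch; it holds exactly the entries for which neither NIST nor the reporter has said anything yet.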
Risky.biz. Published by Catalin Cimpanu.