NIST will no longer enrich most CVEs. Here's what changes, what breaks, and what comes next.

Aikido Security

NIST has officially announced it can no longer keep up with CVE submission volumes, shifting to a risk-based approach that prioritizes only government-critical software and KEV-listed vulnerabilities. Most CVEs will be added to NVD without enrichment or independent scoring, and the existing backlog will be deprioritized indefinitely. This leaves security teams relying on NVD with incomplete coverage and potential false negatives. The post argues CVEs were never the full picture anyway — 67% of vulnerabilities discovered by Aikido Intel were never publicly disclosed to any database. With the EU building its own EUVD alternative and MITRE facing funding issues, no single vulnerability database can serve as a complete source of truth. The recommended response is to use multiple data sources and tools that don't depend solely on NVD enrichment.

NIST NVD changes 2026: what security teams need to know

NIST should probably implement a “human only” submission policy.
If people want to use AI to assist vulnerability discovery, that’s fine. But people asking their LLM of choice “find a vulnerability in X, make no mistakes” and not verifying the results is the issue here.
Like I keep seeing “LLM FOUND A SEVERITY 10 ISSUE IN X” style posts, only to waste my time reading it just to find out it’s actually a feature.
Atp I’m waiting for “MYTHOS FOUND THAT TERMINALS CAN EXECUTE ANY COMMANDS TYPED INTO THEM 😱”, and watching tech bros lose their collective minds.