NIST has formally abandoned its goal of enriching every CVE submitted to the National Vulnerability Database (NVD), shifting to a risk-based model that only enriches vulnerabilities in CISA's Known Exploited Vulnerabilities (KEV) catalog, federal government software, or software designated critical under Executive Order 14028. All other CVEs are labeled 'Not Scheduled.' The change is driven by a 263% surge in CVE submissions between 2020 and 2025, with NIST unable to keep pace despite record output of ~42,000 enriched CVEs in 2025. Critics note that thousands of actively exploited vulnerabilities sit outside KEV and will now go unenriched, stripping them of CVSS scores and CPE data that security tools depend on. NIST is also deferring CVSS scoring to CVE Numbering Authorities (CNAs), despite demonstrated disagreements between NVD and GitHub scores on nearly 1,500 CVEs. Security researchers warn the pipeline is already overloaded and unprepared for the additional strain from AI-driven vulnerability discovery tools like Anthropic's Mythos. The consensus among practitioners is that reliance on a single centralized enrichment source is no longer viable.