Why is NIST limiting CVE enrichment?
NIST narrows automatic CVE enrichment after surge
NIST is changing how it handles vulnerability information in the National Vulnerability Database (NVD), limiting automatic enrichment to higher-priority CVEs.
The update comes after a sharp jump in vulnerability submissions—described as a 263% surge in CVE entries—creating a backlog and straining automated processes. NVD’s enrichment workflows add context and metadata to vulnerabilities, which helps downstream users prioritize patching and understand impact. But with submission volume rising rapidly, NIST is effectively reframing the trade-off: it will still process CVEs, yet it will reserve automatic enrichment for those deemed more urgent.
The reason this matters is speed and reliability. When the number of new CVEs overwhelms enrichment capacity, the database can become less helpful for risk-based remediation—especially for organizations that rely on NVD for operational patch triage.
NIST’s adjustment focuses on prioritization, meaning:
- Not every newly received CVE will receive the same level of automatic enrichment immediately
- The system is expected to spend more effort on vulnerabilities in the known exploited catalog or otherwise treated as higher priority
- Developers and security teams may need to watch for differences in how quickly enrichment appears for lower-priority issues
This is part of a broader pattern in vulnerability management: public disclosure rates are rising, so program maintainers increasingly prioritize the most critical items. For enterprises, it reinforces the importance of supplementing NVD with other feeds and internal risk scoring, rather than assuming uniform metadata quality across all CVEs from day one.
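The following is an added example, not code from the article or from NIST, of triage that does not assume every CVE arrives with NVD metadata: a record without a CVSS score is routed as "unknown severity" instead of being silently scored as low. The records are constructed in the shape of NVD API 2.0 `cve` objects with placeholder IDs; the known-exploited set, the internet-facing lookup and the score thresholds are assumptions.

```python
# Constructed records shaped like NVD API 2.0 "cve" objects; IDs are placeholders.
NVD_RECORDS = [
    {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
     "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}},
    {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis", "metrics": {}},
    {"id": "CVE-0000-0003", "vulnStatus": "Received", "metrics": {}},
    {"id": "CVE-0000-0004", "vulnStatus": "Received"},  # no "metrics" key at all
    {"id": "CVE-0000-0005", "vulnStatus": "Analyzed",
     "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}]}},
]
KEV_IDS = {"CVE-0000-0002"}          # constructed stand-in for a known-exploited list
INTERNET_FACING = {"CVE-0000-0003"}  # hypothetical internal asset-inventory lookup

CVSS_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def nvd_base_score(rec):
    """Highest CVSS base score on the record, or None when no score is attached."""
    metrics = rec.get("metrics") or {}
    scores = [m["cvssData"]["baseScore"] for k in CVSS_KEYS for m in metrics.get(k, [])]
    return max(scores) if scores else None


def triage(rec, kev_ids=KEV_IDS, internet_facing=INTERNET_FACING):
    """Return (queue, reason). Queue names and thresholds are illustrative assumptions."""
    cve, score = rec["id"], nvd_base_score(rec)
    if cve in kev_ids:               # exploitation evidence outranks any score
        return "patch-now", "known exploited"
    if score is None:                # unenriched: severity is unknown, not low
        if cve in internet_facing:
            return "manual-review", "no score, internet-facing asset"
        return "recheck", "no score yet"
    if score >= 9.0:
        return "patch-now", f"CVSS {score}"
    if score >= 7.0:
        return "scheduled", f"CVSS {score}"
    return "backlog", f"CVSS {score}"


def run(records=NVD_RECORDS):
    """Map each CVE ID to the queue it lands in."""
    return {r["id"]: triage(r)[0] for r in records}


if __name__ == "__main__":
    for cve, queue in run().items():
        print(cve, queue)
```

The failure mode this avoids is a pipeline that defaults a missing score to 0 and sorts unenriched CVEs to the bottom of the backlog.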