The National Institute of Standards and Technology's April 2026 decision to restrict CVE enrichment to only those meeting narrow criteria—primarily KEV catalog entries, federal government software, and systems defined as 'critical' under Executive Order 14028—represents far more than operational triage. It is a public admission that the foundational infrastructure of global vulnerability management has reached a breaking point. While The Hacker News coverage accurately documents the 263% surge in CVE submissions between 2020 and 2025 and NIST's new 'Not Scheduled' designation, it fails to connect this inflection point to the deeper convergence of exponential software complexity, open-source dependency sprawl, and the rapid proliferation of AI-generated code.

This is not merely a resource shortage; it is a structural crisis. The NVD was architected in an era when hundreds of vulnerabilities were disclosed annually, not the current volume exceeding 40,000 new CVEs per year. NIST enriched nearly 42,000 CVEs in 2025 alone—a 45% increase over any prior year—yet still faces a growing backlog. By deprioritizing enrichment for CVEs lacking immediate federal or systemic risk signals, NIST has effectively created a two-tier vulnerability ecosystem: those visible to the most sophisticated defenders and those left in informational limbo.

VulnCheck's analysis reveals the scale of the problem: roughly 10,000 vulnerabilities from 2025 remain without CVSS scores or meaningful enrichment. This aligns with patterns identified in the 2025 Carnegie Mellon University study on large language model code generation, which found that LLM-assisted development introduced vulnerabilities at rates 32-41% higher than traditional coding, particularly in authentication, input validation, and dependency management flaws. The original coverage missed this critical driver. Much of the CVE surge stems directly from AI-augmented development pipelines now embedded in enterprise workflows. Tools that accelerate code production simultaneously accelerate vulnerability production at a scale no human triage team can match.

Cross-referencing with the Government Accountability Office's January 2026 report on federal cybersecurity preparedness further illuminates what mainstream coverage overlooked: NVD delays have already created measurable gaps in federal agencies' ability to map supply chain exposures. The prioritization criteria—while logical from a risk-management perspective—further entrenches the gap between nation-state and commercial defenders. Advanced persistent threats, particularly those operating from Russia and China, have demonstrated repeated success exploiting vulnerabilities that initially appeared low-priority before later proving exploitable in niche but high-value targeting (see CISA KEV catalog growth patterns from 2023-2025).

The policy change also signals the quiet obsolescence of the current CVE/NVD model itself. When NIST states it will no longer routinely provide separate severity scores if a CNA has already scored the vulnerability, and will only reanalyze modifications with 'material impact,' it is acknowledging that manual enrichment at internet scale is no longer feasible. This creates both opportunities and dangers. Commercial vendors like VulnCheck, Rapid7, and Tenable will likely fill the gap with automated analysis platforms, but this fragments authoritative intelligence and raises equity concerns for smaller organizations and critical infrastructure operators outside the federal umbrella.

What emerges is a new reality: vulnerability management must transition from centralized, human-driven enrichment to distributed, machine-augmented systems capable of real-time risk contextualization. The current crisis—fueled by both legitimate software growth and AI-generated code—exposes how the cybersecurity community has reached the limits of 1990s-era infrastructure for tracking 2020s-scale problems. Without fundamental reform, including automated CNA validation, AI-assisted initial triage, and integration with exploit prediction models like EPSS, these blind spots will be exploited by adversaries who have already demonstrated their ability to move faster than bureaucratic systems.

NIST's move, while pragmatic, is a capitulation that should trigger urgent strategic reassessment across defense, intelligence, and critical infrastructure sectors. The age of comprehensive vulnerability visibility is ending. The age of selective, high-stakes visibility has begun.