NIST will enrich only CVEs listed in CISA KEV, those affecting software used by US federal agencies, and those in critical software categories such as operating systems, browsers, security tools, firewalls, backup systems and VPNs (NIST NVD Policy Update, April 2026; Risky.biz, April 17 2026).

The backlog grew from 2,100 unenriched entries in early 2024 to nearly 30,000 by year-end, driven by annual CVE counts now exceeding 25,000 according to MITRE CVE statistics. Initial coverage detailed the three priority categories and Trump administration DHS/CISA budget cuts but missed explicit linkages to parallel funding pressures on MITRE's CVE program documented in GAO-25-106512 and ENISA's EUVD scaling report (ENISA Vulnerability Database Status, Q1 2026).

NIST will cease issuing its own CVSS scores and instead display those provided by the CVE reporter, a shift previously modeled in NIST IR 8283 (2022). Vulnerability management platforms that packaged NVD output must now source from OSV, EUVD or perform self-enrichment, as noted in Aikido Security analysis (Aikido Security, April 2026). These changes reveal structural limits of the 1999-era NVD system when confronted with exponential growth in open-source libraries and IoT firmware disclosures.