The Vulnerability Database Security Teams Depend On Just Hit a Structural Ceiling
Rebecca Banks
May 6, 2026

Frequently Asked Questions
What did NIST actually change about the National Vulnerability Database on April 15, 2026?
NIST announced it is switching the NVD to a risk-based enrichment model. CVEs will still be added to the database, but severity scores, impact assessments, and product mappings will only be assigned to CVEs that meet a defined priority threshold. Everything else enters as an unenriched entry with no CVSS score and no context, indefinitely. NIST reclassified approximately 29,000 backlogged CVEs as "Not Scheduled", and stated it does not expect the volume trend driving this decision to reverse.
How is AI-generated code making the NVD enrichment gap worse?
AI coding assistants introduce open source dependencies at machine speed, without pausing to evaluate whether a package is actively maintained, recently compromised, or already flagged in an advisory database. That acceleration drives CVE submission volume up faster than enrichment programs can execute against. The NVD enrichment gap is what happens when a linear enrichment capacity meets exponential dependency volume. The gap between submitted CVEs and enriched CVEs will widen every quarter as AI adoption increases, and the unenriched entries in that gap have no severity scores to tell your scanner what to do with them.
If my scanner depends on NVD data, what is my actual exposure now?
A growing share of CVEs will surface in your environment with no CVSS score, no impact assessment, and no product mapping. Your team either manually researches those findings to determine risk, or deprioritizes them by default. Neither is defensible if a regulator, a cyber insurance underwriter, or your board asks how you handled a known vulnerability that fell outside NIST's priority threshold. SEC disclosure requirements, the EU Cyber Resilience Act, and cyber insurance underwriters are all moving toward documented, automated due diligence as the standard.
How does ActiveState reduce exposure to the NVD enrichment gap?
Two ways. First, ActiveState's security feed for catalog-governed components operates independently of NIST enrichment status, updated within 24 hours using commercial advisories alongside NVD data. A CVE does not need a CVSS score from NIST to be caught and acted on within your governed catalog. Second, upstream governance reduces the volume of findings your team has to triage regardless of enrichment status. ActiveState customers see up to a 95% reduction in CVEs compared to pulling the same packages from public registries. Fewer vulnerable components in your environment means fewer unenriched CVEs for your team to manually review and remediate.
.png)
.png)
.png)