On April 15, 2026, NIST announced it can no longer enrich all CVEs going forward. For security teams, this is a culminating moment.

The National Vulnerability Database has been the authoritative backbone of vulnerability management for decades. Scanners read it. Prioritization models depend on it. Compliance programs cite it. And on April 15, NIST acknowledged formally that the volume of CVEs being submitted has outpaced its ability to enrich them with the severity scores, impact assessments, and product mappings that make the data actionable.

This is not a temporary backlog. CVE submissions grew 263% between 2020 and 2025. NIST enriched approximately 42,000 CVEs last year, 45% more than any prior year, and still noted on April 15 that “this increased productivity is not enough to keep up with growing submissions”. Approximately 29,000 backlogged CVEs have been reclassified as “Not Scheduled,” and NIST stated directly that it does not expect the volume trend driving this decision to reverse.

The database your security program is built on just changed, permanently, and the force accelerating that change is the same one reshaping every other part of your SDLC.

AI Didn’t Create This Problem. It Made It Unsurvivable.

CVE volume was already growing before AI coding assistants became standard tooling. What AI has done is collapse the timeline between dependency introduction and production deployment, and do it at a scale no security team can manually review.

AI agents do not sleep, and they do not stop to evaluate whether the package they just pulled from a public registry is actively maintained or quietly compromised. They therefore produce exponentially more source code, and with it more binaries, at a pace that has no natural ceiling.

The NVD enrichment gap is what happens when the enumeration model meets that reality. Submission volume grows exponentially. Enrichment capacity grows linearly. The gap widens every quarter, and the unenriched CVEs sitting in that gap have no CVSS scores, no severity context, and no product mappings to tell your scanner what to do with them.

The Scanner Can’t Solve What the Scanner Helped Create

Here is the uncomfortable position this puts security leaders in.

First, and most obviously, your scanner may depend on NVD enrichment to score findings today. That means a growing share of CVEs will surface in your environment with no severity context, which means your team either manually researches them to determine risk, or deprioritizes them by default. Neither is defensible when a regulator, a cyber insurance underwriter, or your board asks how you handled a known vulnerability that fell outside NIST’s priority threshold.

Second, the detection and enumeration model was designed for a threat environment where CVE volume was manageable and human review cycles could keep pace. In an AI-accelerated SDLC, development velocity has outrun any enrichment program’s capacity to keep up. That means knowing your CVE count is no longer a scalable risk management strategy without automated remediation behind it.

The structural fix is therefore not a better scanner. It’s reducing the volume of findings that reach your environment in the first place.
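To make the scoring gap described above concrete, here is an added example (not code from the original post or from ActiveState) that triages records in the shape of an NVD API 2.0 response: CVEs with a NIST-assigned score, CVEs that carry only a CNA-supplied score, and CVEs with no score at all are routed to separate queues so that unenriched entries are never silently deprioritized. The CVE IDs and scores are constructed placeholders, and the `cna@example.org` source is an assumption.

```python
import json
from dataclasses import dataclass

# Constructed sample in the shape of an NVD API 2.0 response.
# The IDs, scores and sources are placeholders, not real CVE data.
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-00001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [
                 {"source": "nvd@nist.gov", "type": "Primary",
                  "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-0000-00002", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [
                 {"source": "cna@example.org", "type": "Secondary",
                  "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    {"cve": {"id": "CVE-0000-00003", "vulnStatus": "Awaiting Analysis",
             "metrics": {}}},
]})


@dataclass
class Triage:
    cve_id: str
    queue: str      # "scored", "cna_scored" or "manual_review"
    severity: str   # CVSS base severity, or "UNKNOWN" when no score exists
    reason: str     # audit trail: why this CVE landed in this queue


def _severity(entry: dict) -> str:
    # v3.x puts baseSeverity inside cvssData; v2 records it on the entry.
    return (entry.get("cvssData", {}).get("baseSeverity")
            or entry.get("baseSeverity") or "UNKNOWN")


def triage_nvd_records(raw_json: str) -> list:
    """Route every CVE to a queue; an unscored CVE is a finding, not a discard."""
    out = []
    for item in json.loads(raw_json)["vulnerabilities"]:
        cve = item["cve"]
        metrics = cve.get("metrics", {})
        entries = [e for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")
                   for e in metrics.get(key, [])]
        primary = [e for e in entries if e.get("type") == "Primary"]
        secondary = [e for e in entries if e.get("type") == "Secondary"]
        status = cve.get("vulnStatus", "unknown")
        if primary:      # NIST enrichment present: scanner can score as usual
            out.append(Triage(cve["id"], "scored", _severity(primary[0]),
                              "NVD Primary CVSS present"))
        elif secondary:  # no NIST score, but the CNA supplied one: use it, flag provenance
            out.append(Triage(cve["id"], "cna_scored", _severity(secondary[0]),
                              f"CNA CVSS from {secondary[0].get('source')}; NVD status {status}"))
        else:            # unenriched: explicit manual-review queue, never a default drop
            out.append(Triage(cve["id"], "manual_review", "UNKNOWN",
                              f"no CVSS from any source; NVD status {status}"))
    return out
```

The `reason` field is what answers the board's "how did you assess it?" question for each unscored CVE.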

What a Post-Breach Board Conversation Looks Like Now

Picture the conversation after a security incident where an unenriched CVE in a transitive dependency turned out to be the entry point.

“What oversight did you have over the open source dependencies in production?”

“We were scanning for vulnerabilities using NVD-based severity scoring.”

“This CVE had no NVD severity score. How did you assess it?”

That is the question the NIST announcement makes inevitable for teams still operating on a scan and pray model. The 2026 regulatory environment has shifted personal liability onto security leaders in ways that did not exist 3 years ago. SEC disclosure requirements, the EU Cyber Resilience Act, and cyber insurance underwriters are all asking for documented, automated due diligence, not a description of a scanning process.

The Answer Is Upstream

ActiveState’s security feed for catalog-governed open source components operates independently of NIST enrichment status, updated within 24 hours using commercial advisories alongside NVD data. The gap NIST formally acknowledged on April 15 is one we already account for.

More importantly, upstream governance reduces the volume of findings your team has to triage regardless of enrichment status. For catalog-governed components, ActiveState customers see up to a 95% reduction in CVEs compared to pulling the same packages from public registries. Fewer vulnerable components in your environment means fewer unenriched CVEs sitting in a gap your scanner cannot score and your team does not have capacity to manually review.

The NIST announcement is not a database problem with a database fix. It is confirmation that the detection model has hit its ceiling, and the only direction left is upstream.

The ActiveState Library gives your team 79 million built-from-source, continuously remediated open source components across 12 major language ecosystems, governed by contractual remediation SLAs and independent of NVD enrichment status. Your scanner has less to find. Your team has less to action. And when your board asks how you handled a CVE that never made NIST’s priority threshold, you have an answer.

See what’s in the ActiveState Library.

Frequently Asked Questions

NIST announced it is switching the NVD to a risk-based enrichment model. CVEs will still be added to the database, but severity scores, impact assessments, and product mappings will only be assigned to CVEs that meet a defined priority threshold. Everything else enters as an unenriched entry with no CVSS score and no context, indefinitely. NIST reclassified approximately 29,000 backlogged CVEs as "Not Scheduled", and stated it does not expect the volume trend driving this decision to reverse.

AI coding assistants introduce open source dependencies at machine speed, without pausing to evaluate whether a package is actively maintained, recently compromised, or already flagged in an advisory database. That acceleration drives CVE submission volume up faster than enrichment programs can execute against. The NVD enrichment gap is what happens when a linear enrichment capacity meets exponential dependency volume. The gap between submitted CVEs and enriched CVEs will widen every quarter as AI adoption increases, and the unenriched entries in that gap have no severity scores to tell your scanner what to do with them.

A growing share of CVEs will surface in your environment with no CVSS score, no impact assessment, and no product mapping. Your team either manually researches those findings to determine risk, or deprioritizes them by default. Neither is defensible if a regulator, a cyber insurance underwriter, or your board asks how you handled a known vulnerability that fell outside NIST's priority threshold. SEC disclosure requirements, the EU Cyber Resilience Act, and cyber insurance underwriters are all moving toward documented, automated due diligence as the standard.

Two ways. First, ActiveState's security feed for catalog-governed components operates independently of NIST enrichment status, updated within 24 hours using commercial advisories alongside NVD data. A CVE does not need a CVSS score from NIST to be caught and acted on within your governed catalog. Second, upstream governance reduces the volume of findings your team has to triage regardless of enrichment status. ActiveState customers see up to a 95% reduction in CVEs compared to pulling the same packages from public registries. Fewer vulnerable components in your environment means fewer unenriched CVEs for your team to manually review and remediate.