NIST Throttles CVE Enrichment as Vulnerability Submissions Surge 263%

NIST is scaling back the depth of analysis it applies to incoming CVE records, citing a 263% jump in vulnerability submissions that has overwhelmed the National Vulnerability Database’s enrichment pipeline. Enrichment - the step that adds CVSS scores, CWE classifications, and affected-product metadata - is what downstream scanners, asset inventories, and patch-prioritization tools rely on to convert raw CVE IDs into actionable signal.

The cutback means a growing share of CVEs will land in the NVD as stubs: an identifier and a description, without the structured metadata security teams use to triage. Vendors and defenders that depend on NVD feeds for automated risk scoring will need to compensate through alternative sources, internal enrichment, or third-party vulnerability intelligence providers stepping in to fill the gap.

The shift underscores a structural problem in the CVE ecosystem: submission volume is growing faster than the single centralized enrichment authority can absorb, pushing the burden of vulnerability contextualization outward onto consumers of the data.