On 15 April 2026, NIST made a change that every security leader should pay attention to. The National Vulnerability Database is no longer trying to enrich every CVE immediately. Instead, NIST is moving to a prioritised enrichment model: CVEs will still be added to the NVD, but NIST will focus its analysis first on vulnerabilities that are already known to be exploited, affect software used by the federal government, or impact critical software.
NIST said CVE submissions rose by 263% between 2020 and 2025, that the first quarter of 2026 was already nearly one-third higher than the same period a year earlier, and that even after enriching nearly 42,000 CVEs in 2025, it still could not keep pace.

Almost exactly one year earlier, the cybersecurity community faced a different reminder of how fragile shared vulnerability infrastructure can be, when MITRE’s contract to operate the CVE Program was set to expire before CISA extended funding at the last minute. The issue was resolved, but it exposed a broader dependency: modern vulnerability management relies heavily on public systems that are now under growing pressure from funding uncertainty, operational complexity, and record vulnerability volume.
That does not mean vulnerabilities matter less. It means the opposite. The public vulnerability ecosystem is becoming harder to process, harder to prioritise, and harder to operationalise at scale. For defenders, that raises an urgent question: if the firehose keeps growing, how do you separate noise from real exposure?
What a CVE actually is
A CVE is a standard identifier for a publicly disclosed cybersecurity vulnerability. MITRE’s CVE programme exists so vendors, researchers, and security teams can refer to the same flaw consistently. Each CVE record is essentially a common reference point: an ID, a short description, and supporting references. NVD is different. It is the NIST-run database that builds on the CVE List with additional vulnerability-management context such as severity information, product mappings, and impact data.
That distinction matters because many security workflows still treat “CVE”, “NVD”, and “CVSS” as if they were interchangeable. They are not. CVE names the issue. NVD enriches the issue. CVSS helps score the issue. Once you understand that, the significance of NIST’s 2026 change becomes much clearer.
What changed at NIST
NIST has not stopped ingesting CVEs. It has changed how it allocates enrichment effort. From April 2026 onward, NVD will prioritise CVEs that appear in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, CVEs affecting software used in the federal government, and CVEs affecting “critical software” under Executive Order 14028. Other CVEs will still appear in NVD, but they may not be enriched immediately and can be marked as “Not Scheduled”. NIST also said it will no longer routinely generate a separate NVD severity score when the CVE submitter has already provided one.
This is not a cosmetic update. NVD’s status model now publicly reflects the pressure. In mid-May 2026, the NVD dashboard showed roughly 350,783 CVE vulnerabilities overall, while the dashboard’s search results showed more than 47,000 records already in “Not Scheduled” and more than 1,400 in “Awaiting Enrichment”. The public system is still operating, but it is clearly triaging.

Why that matters to defenders
For years, many teams treated NVD enrichment as the point where a vulnerability became operationally actionable. That assumption is now weaker. “Not Scheduled” does not mean “safe” or “irrelevant”; NIST says lower-priority CVEs can still have significant impact on affected systems, even if they do not meet the criteria for immediate enrichment. At the same time, CISA continues to urge organisations to monitor the KEV Catalog and prioritise remediation of vulnerabilities already known to be exploited in the wild.
The practical implication is simple: public vulnerability data is still essential, but it is no longer enough on its own. Security teams need a stronger internal way to answer the questions that matter most. Is this vulnerability present in our environment? Is it reachable? Can it be chained with something else? How much damage could an attacker actually do? Which issues need engineering time first? Those are validation questions, not just disclosure questions.
Another important signal is whether a vulnerability is already being exploited in the wild. CVSS remains a critical baseline for severity, but exploitability indicators help security teams understand which vulnerabilities are not just theoretically serious, but actively relevant to attacker behaviour.
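The validation questions above (present? reachable? exploited in the wild?) can be turned into a repeatable triage step that does not wait for NVD enrichment. The script below is an added example, not code from OP Innovate or from WASP. It reads a constructed sample in the shape of CISA’s KEV JSON feed (the field names `cveID`, `dueDate` and `knownRansomwareCampaignUse` follow the public feed; the CVE IDs and dates are made up), joins it with constructed intake records carrying the submitter’s CVSS score, the NVD status string and two locally answered questions, and ranks them. The weights are hypothetical; the point they encode is that “Not Scheduled” never lowers a record’s priority, while presence in the environment, KEV membership and reachability raise it.

```python
import json
from dataclasses import dataclass, field

# Constructed sample in the shape of CISA's KEV JSON feed (only the fields used here).
# Field names follow the public feed; the CVE IDs and dates are made up.
KEV_FEED_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-1111", "dateAdded": "2026-04-20",
         "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-2222", "dateAdded": "2026-03-02",
         "dueDate": "2026-03-23", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed intake records: the submitter's CVSS base score, the NVD status string
# as shown on the NVD site, and two locally answered questions ("present" from asset
# inventory, "reachable" from exposure data; both assumed to come from local tooling).
INTAKE = [
    {"cve": "CVE-0000-1111", "cvss": 7.5, "nvd_status": "Not Scheduled",       "present": True,  "reachable": True},
    {"cve": "CVE-0000-2222", "cvss": 9.8, "nvd_status": "Analyzed",            "present": False, "reachable": False},
    {"cve": "CVE-0000-3333", "cvss": 9.8, "nvd_status": "Not Scheduled",       "present": True,  "reachable": False},
    {"cve": "CVE-0000-4444", "cvss": 5.3, "nvd_status": "Awaiting Enrichment", "present": True,  "reachable": True},
    {"cve": "CVE-0000-5555", "cvss": 9.1, "nvd_status": "Not Scheduled",       "present": False, "reachable": False},
]

# Hypothetical weights: they express an ordering of signals (present first, exploited
# in the wild next, reachability after that), not any NIST or CISA formula.
W_KEV = 4.0
W_RANSOMWARE = 1.0
W_REACHABLE = 2.0


@dataclass
class Finding:
    cve: str
    bucket: str
    score: float
    reasons: list = field(default_factory=list)


def load_kev(feed_json: str) -> dict:
    """Index a KEV-format feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def score_record(rec: dict, kev: dict) -> Finding:
    """Rank one intake record from local context plus exploitation evidence.

    The NVD status is recorded for the audit trail but never changes the score:
    'Not Scheduled' or 'Awaiting Enrichment' means no analyst has looked yet,
    not that the issue is safe.
    """
    reasons = [f"nvd_status={rec['nvd_status']} (not used for ranking)"]
    if not rec["present"]:
        # First validation question: is it in our environment at all?
        return Finding(rec["cve"], "watch", 0.0, reasons + ["not present in inventory"])
    score = rec["cvss"]          # the submitter's score is the severity baseline
    bucket = "schedule"
    kev_entry = kev.get(rec["cve"])
    if kev_entry:
        score += W_KEV
        bucket = "fix now"
        reasons.append(f"in CISA KEV, due {kev_entry['dueDate']}")
        if kev_entry.get("knownRansomwareCampaignUse") == "Known":
            score += W_RANSOMWARE
            reasons.append("known ransomware use")
    if rec["reachable"]:
        score += W_REACHABLE
        reasons.append("reachable from an untrusted network")
    return Finding(rec["cve"], bucket, score, reasons)


def triage(intake: list, kev_feed_json: str) -> list:
    """Return findings ordered for engineering attention, highest score first."""
    kev = load_kev(kev_feed_json)
    findings = [score_record(r, kev) for r in intake]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(INTAKE, KEV_FEED_JSON):
        print(f"{f.cve}  {f.bucket:9}  {f.score:5.1f}  {'; '.join(f.reasons)}")
```

Run as written, the unenriched CVE-0000-1111 (CVSS 7.5, in KEV, reachable) ranks above the fully analysed CVSS 9.8 record that is not in the inventory; in a real deployment the two local booleans would come from the asset inventory and exposure data, and the KEV feed from CISA’s published JSON.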

WASP highlights exploitability indicators directly in the vulnerability view, helping teams prioritise issues with real-world attack relevance.
In WASP, OP Innovate’s flagship penetration testing platform, vulnerabilities with known exploitation activity are clearly flagged in the CVE column, helping teams identify when an issue is not only present, but also relevant to active attacker behaviour. This adds an important layer of real-world context.
Why regular penetration testing matters more now
NIST’s own testing guidance makes the distinction well. Vulnerability scanning helps identify outdated software, missing patches, and misconfigurations by comparing hosts and services with known-vulnerability databases. Penetration testing goes further: it mimics real-world attacks, validates whether weaknesses can actually be exploited, and can show how separate issues combine into a workable attack path. NIST also says no single technique can provide a complete picture of security and recommends using a combination of techniques.
That matters because the exposure window is not standing still. NIST says patching significantly reduces opportunities for exploitation and remains one of the most effective mitigations for software-flaw vulnerabilities. But the broader threat data shows that attackers continue to lean on vulnerability exploitation as an access path. Verizon’s 2025 DBIR reported a 34% global surge in vulnerability exploitation as an initial access vector, and it highlighted how strongly edge devices and VPNs featured in that pattern.
That is why regular penetration testing should be treated as an operating rhythm, not a once-a-year checkbox. In a world of record CVE growth, scanning tells you what is known; penetration testing helps you understand what is dangerous in your environment right now. It reduces false confidence, sharpens prioritisation, and gives engineering teams evidence they can act on.

From vulnerability intake to exposure management
The real lesson from NIST’s update is not that the CVE ecosystem is failing. It is that the value of security now depends more heavily on context. Public vulnerability intelligence remains the foundation, but organisations need ongoing awareness of assets, threats, and vulnerabilities, combined with faster local validation. That is closely aligned with NIST’s broader view of continuous monitoring as maintaining awareness of vulnerabilities and threats in support of risk decisions.
This is where platforms such as OP Innovate’s WASP shine. WASP combines attack surface management with expert-led continuous penetration testing, vulnerability triage, remediation support, and reporting. Instead of treating vulnerability data as a static backlog, WASP helps teams understand which findings matter in their specific environment and what should happen next.
In practical terms, that means moving from passive vulnerability intake to active exposure management: discovering what is exposed, validating what is exploitable, prioritising findings using technical severity, exposure context, and real-world indicators, and pushing the right fixes into the development and remediation workflow faster.
Public vulnerability data is not becoming less important. It is becoming less sufficient on its own. In a world of CVE overload, the organisations that win will not be the ones that ingest the most alerts. They will be the ones that can discover their true exposure, validate risk quickly, and remediate the right issues before attackers turn public disclosures into real breaches. That is why regular penetration testing matters more now than ever.
To begin your journey toward active exposure management, contact OP Innovate to learn how WASP can help your team continuously discover, validate, prioritise, and remediate the vulnerabilities that matter most through a single, expert-led platform.