Making security understandable

April 2026

The National Vulnerability Database Just Gave Up. Here's What SMEs Should Actually Do.

NIST announced this month that it will only enrich CVE entries meeting specific criteria. The volume of submissions has jumped 263% since 2020, and the National Vulnerability Database, the thing most security tools quietly depend on to tell you which vulnerabilities matter, cannot keep up.

In practice, that means many CVEs will now appear with a number, a date, and almost nothing else. No CVSS vector. No CPE mapping telling you which products are affected. No enriched description explaining what the vulnerability does. Just a record that something exists, somewhere, in something.

If your vulnerability management strategy depends on "filter by CVSS and patch the criticals first," that strategy is already degrading. It will degrade further.

Why This Was Always Going to Break

Casey Ellis framed the wider problem well: offence scales with compute and creativity. Defence scales with committees, procurement cycles, and people in four time zones agreeing on a Jira ticket.

The NVD is a committee. A well-run committee with serious engineers, but still a committee, with a federal budget, a publication process, and human analysts who have to read, categorise, and score every record. Submissions scale with the number of researchers, tools, and AI-assisted vulnerability discovery pipelines in the world. Enrichment scales with the size of the analysis team.

The gap between those two lines has been widening for years. The 263% surge did not cause the problem; it finished it.

What This Actually Means for SMEs

Large enterprises have been quietly routing around NVD for a long time. They buy commercial vulnerability intelligence feeds, staff their own analysts, and maintain private scoring models that reflect their business rather than the CVSS calculator.

SMEs have none of that. When a scanner flags a vulnerability with no enrichment, most SMEs have no realistic way to answer the questions that actually matter:

Without those answers, the choice collapses to either patch everything (unaffordable and often impossible) or patch nothing (the de facto outcome in many small organisations).

CVSS Was Never the Answer Anyway

Here is the uncomfortable part. The NVD pullback is a loss, but it is a loss of a prioritisation approach that was always weaker than it looked.

CVSS measures technical severity. It does not measure risk to your business. Sorted by CVSS alone, a 9.8 on an isolated test server gets patched before a 6.5 on a public-facing login API, and leadership cannot answer the question that matters: "Are we reducing real risk?" That is severity theatre.

Real prioritisation comes from a different set of questions:

None of those answers come from the NVD. They come from knowing the business.

What Actually Works Now

If you run or advise an SME, the NVD news is a prompt to do five things, none of which require a larger security team:

Build an asset register that ties systems to business value. You cannot prioritise vulnerabilities if you do not know which systems matter. A simple tagging system (internet-facing, customer data, payment-adjacent, internal) transforms every vulnerability report you will ever read.

Broaden your vulnerability intake. The NVD is no longer the complete picture. The GitHub Security Advisory database, GitLab's Gemnasium database, vendor security advisories, and CISA KEV are all free and all catch things NVD will no longer enrich. Pulling from multiple sources is no longer optional.

Look for exploit availability, not just severity. If a vulnerability is in the CISA KEV catalogue or has public exploit code, it matters today. If it is a CVSS 9.0 with no known exploit, no enrichment, and no working proof-of-concept, it is a lower priority than the 7.0 that someone is actively using.

Stop treating your scanner's output as the prioritised list. A scanner tells you what exists. A prioritised list requires someone to add context, ideally before the report lands on your desk. If your current vendor does not do this, you are doing it yourself whether you realise it or not.

Have a relationship, not a subscription. The useful part of a security engagement is not the scan. It is the person who can tell you that your staging API does not matter this month because there is no customer data on it, but the 6.5 in your payment webhook handler is the one to fix today. That judgement does not come from a CVSS calculator, and the NVD was never going to provide it.
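To make the five steps above concrete, here is an added example of how an SME might script the first four of them: a tagged asset register, intake from more than one severity source, an exploit-availability check against a KEV-style list, and a ranking that adds business context to raw scanner output. It is illustration written for this post, not code from the page or from ThreatControl. The tag names, the score weights (PROVISIONAL_SEVERITY, KEV_BONUS, the exposure multiplier), the assets, the findings and the CVE ids are all constructed placeholders; the CVE ids in particular are not real CVEs.

```python
"""Contextual prioritisation of scanner findings for an SME.

Added example, not ThreatControl's tooling. Every asset, finding, CVE id
and score weight below is constructed for illustration.
"""

# Asset register: each system tagged with the business context that matters
# for prioritisation (the simple tagging scheme described in the post).
ASSET_REGISTER = {
    "web-login-api":        {"internet_facing": True,  "customer_data": True,  "payment_adjacent": False},
    "payment-webhook":      {"internet_facing": True,  "customer_data": True,  "payment_adjacent": True},
    "staging-api":          {"internet_facing": True,  "customer_data": False, "payment_adjacent": False},
    "test-server-isolated": {"internet_facing": False, "customer_data": False, "payment_adjacent": False},
}

# Exploit availability: ids known to be exploited in the wild. Constructed
# stand-in for the CISA KEV catalogue; the ids are placeholders, not real CVEs.
KEV_CATALOGUE = {"CVE-0000-0002"}

# Constructed scanner output. "nvd_cvss" is None where NVD published no score;
# "other" holds severities pulled from additional intake sources (vendor, GHSA,
# Gemnasium), keyed by source name.
FINDINGS = [
    {"id": "CVE-0000-0001", "asset": "test-server-isolated", "nvd_cvss": 9.8,  "other": {}},
    {"id": "CVE-0000-0002", "asset": "payment-webhook",      "nvd_cvss": 6.5,  "other": {}},
    {"id": "CVE-0000-0003", "asset": "web-login-api",        "nvd_cvss": None, "other": {"ghsa": 8.0}},
    {"id": "CVE-0000-0004", "asset": "staging-api",          "nvd_cvss": 7.0,  "other": {}},
    {"id": "CVE-0000-0005", "asset": "legacy-intranet",      "nvd_cvss": None, "other": {}},
]

# Assumed policy knobs: tune these to the business, they are not a standard.
PROVISIONAL_SEVERITY = 7.0   # unscored CVEs are treated as high until a human scores them
KEV_BONUS = 20.0             # active exploitation outranks any severity x exposure product
UNKNOWN_ASSET_TAGS = {"internet_facing": True, "customer_data": True, "payment_adjacent": False}
FALLBACK_SOURCES = ("vendor", "ghsa", "gemnasium")   # order of preference when NVD has no score


def resolve_severity(finding):
    """Prefer NVD CVSS, then other intake feeds, else a provisional score.

    Returns (severity, note); note is None when NVD enrichment was present.
    """
    if finding["nvd_cvss"] is not None:
        return finding["nvd_cvss"], None
    for source in FALLBACK_SOURCES:
        if source in finding["other"]:
            return finding["other"][source], f"severity taken from {source} (no NVD enrichment)"
    return PROVISIONAL_SEVERITY, "no score from any source; provisional severity applied"


def exposure_multiplier(tags):
    """1.0 for an isolated internal box, +1.0 for each business-risk tag set."""
    return 1.0 + sum(1.0 for key in ("internet_facing", "customer_data", "payment_adjacent") if tags[key])


def prioritise(findings, register, kev):
    """Return findings ranked by business-context score, highest first."""
    ranked = []
    for f in findings:
        notes = []
        tags = register.get(f["asset"])
        if tags is None:
            # Register gap: assume exposed until someone tags the asset, and say so.
            tags = UNKNOWN_ASSET_TAGS
            notes.append("asset not in register; assumed exposed until tagged")
        severity, note = resolve_severity(f)
        if note:
            notes.append(note)
        score = severity * exposure_multiplier(tags)
        if f["id"] in kev:
            score += KEV_BONUS
            notes.append("in CISA KEV: exploited in the wild")
        ranked.append({"id": f["id"], "asset": f["asset"], "severity": severity,
                       "score": score, "notes": notes})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for r in prioritise(FINDINGS, ASSET_REGISTER, KEV_CATALOGUE):
        print(f"{r['score']:5.1f}  {r['id']}  {r['asset']:22s} sev={r['severity']}  {'; '.join(r['notes'])}")
```

With these constructed inputs the 6.5 in the payment webhook lands at the top (exposed, payment-adjacent, actively exploited), the unenriched login-API finding ranks second on the strength of a non-NVD score, the asset missing from the register is flagged rather than silently ignored, and the 9.8 on the isolated test server ranks last. The weights are deliberately crude; the point is that the ordering is driven by the register and exploit availability, not by the CVSS column alone.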

The Real Story

The NVD did not fail. It was asked to do a job that does not scale.

For the past decade, the security industry has been treating a free federal service as the authoritative source of vulnerability context. That was always an odd assumption, and the 263% surge is the point at which it stops being tenable.

The answer is not another federal service. The answer is to prioritise using the information you have: what you run, what you expose, what is being exploited, and what happens if the thing you lose is the thing your customers trust you with.

That is work. It is less automatable than "sort by CVSS." It is also the thing that actually reduces risk.

ThreatControl focuses on contextual risk for SMEs. Our Security Suite finds vulnerabilities and contextualises them against your business rather than against a raw CVSS score. Our Fractional CTO service is the relationship that turns vulnerability data into defensible decisions. Get in touch.
