Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
For years, the NVD was the deal. Every CVE got scored. Security teams built patch workflows around it. Compliance auditors cited it. That assumption is over.
On April 15, NIST announced the NVD is switching to a “Risk-Based Enrichment” model. The math stopped working: CVE submissions increased 263% between 2020 and 2025, and Q1 2026 is running a third higher than Q1 2025. No centralized team can manually analyze that volume anymore.
The new priority order is explicit: CISA’s Known Exploited Vulnerabilities catalog first, federal-critical software second, everything else goes to the back of the line. Thousands of unenriched CVEs from before March 1, 2026 are now classified as “Not Scheduled.” Some of them are from 2024. They could be sitting in your environment right now with no official severity score and no timeline for getting one.
The timing is uncomfortable. The same week NIST made this announcement, SAP disclosed CVE-2026-27681: a SQL injection in SAP Business Planning and Consolidation with a CVSS of 9.9. No authentication required. The attack vector is the ABAP file upload function, and it reaches directly into financial planning data. Executives use BPC to make actual business decisions. Silent manipulation of those figures is a real scenario, not a hypothetical.
That bug will get scored. It’s too high-profile not to. But the next 9.5 that lands in a mid-tier ERP component with no federal relevance and no KEV entry? That might sit unenriched for months. Or indefinitely.
NIST didn’t break the system. The volume did. But “understandable” and “safe” aren’t the same thing. If your vulnerability program still waits for an official CVSS before escalating, that model no longer matches reality.
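One way to stop blocking on the NVD score is to make the triage rule itself tolerant of a missing score: treat KEV membership as the top signal, fall back to the vendor (CNA) score when NVD has nothing, and route anything with no score at all to analyst review instead of parking it. The sketch below is an added example written for this post, not the author’s code or any vendor tool; the record fields, thresholds and sample CVE entries are constructed for illustration and should be tuned to your own asset inventory.

```python
"""Triage CVEs without waiting for an NVD-enriched CVSS score.

Added example, not from the original post. Field names, thresholds and
the sample records below are constructed; CVE ids are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CveRecord:
    cve_id: str
    nvd_cvss: Optional[float]      # None when NVD has not enriched it ("Not Scheduled")
    vendor_cvss: Optional[float]   # CNA / vendor-supplied score, if the advisory carries one
    in_kev: bool                   # listed in CISA's Known Exploited Vulnerabilities catalog
    internet_facing: bool          # from your own asset inventory (assumed field)
    asset_criticality: str         # "high", "medium" or "low" (assumed field)


def effective_score(rec: CveRecord) -> Optional[float]:
    """Prefer the NVD score; fall back to the vendor score; None if neither exists."""
    if rec.nvd_cvss is not None:
        return rec.nvd_cvss
    return rec.vendor_cvss


def triage(rec: CveRecord) -> str:
    """Assign a tier: P1 (patch now), P2 (this cycle), P3 (backlog), REVIEW (analyst)."""
    # Known exploitation beats any score, present or absent.
    if rec.in_kev:
        return "P1"
    score = effective_score(rec)
    if score is None:
        # No official or vendor score: never let it sit silently. Escalate if the
        # exposure is bad enough on its own, otherwise hand it to a human.
        if rec.internet_facing and rec.asset_criticality == "high":
            return "P1"
        return "REVIEW"
    if score >= 9.0 and (rec.internet_facing or rec.asset_criticality == "high"):
        return "P1"
    if score >= 7.0:
        return "P2"
    return "P3"


def triage_batch(records: List[CveRecord]) -> Dict[str, str]:
    """Map each CVE id to its tier."""
    return {r.cve_id: triage(r) for r in records}


def unscored(records: List[CveRecord]) -> List[str]:
    """CVE ids with neither an NVD nor a vendor score: the 'Not Scheduled' blind spot."""
    return [r.cve_id for r in records if effective_score(r) is None]


# Constructed sample inventory (placeholder ids, not real advisories).
SAMPLE = [
    CveRecord("CVE-0000-0001", None, 9.9, False, True, "high"),    # vendor 9.9, NVD silent
    CveRecord("CVE-0000-0002", None, None, False, False, "low"),   # no score anywhere
    CveRecord("CVE-0000-0003", 5.3, None, True, False, "medium"),  # low score but in KEV
    CveRecord("CVE-0000-0004", None, 7.5, False, False, "medium"), # vendor 7.5, NVD silent
    CveRecord("CVE-0000-0005", 4.0, 4.0, False, True, "low"),      # ordinary backlog item
]

if __name__ == "__main__":
    for cve_id, tier in triage_batch(SAMPLE).items():
        print(f"{cve_id}: {tier}")
    print("needs analyst review (no score at all):", unscored(SAMPLE))
```

The point of `effective_score` is that the vendor score is used as a first-class input rather than waiting for NVD to confirm it, and the point of the `REVIEW` tier is that an unenriched CVE becomes a visible queue item with an owner rather than an invisible gap in a dashboard that only sorts by NVD CVSS.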