Signal Scanner

The Vulnerability Triage Era: How NVD's Retreat and the EU's CVE Repatriation Are Unbundling the Global Disclosure Pipeline

Beneath the AI-cyber arms-race narrative, NIST's 15 April 2026 retreat to risk-based NVD triage, ENISA's elevation to CVE Root, and AI-scale vulnerability discovery are simultaneously fragmenting the single global pipeline on which enterprise scanners, FedRAMP, SOC 2 and cyber insurance depend.

The consensus cybersecurity narrative for 2026 is the AI arms race: frontier models autonomously finding and exploiting vulnerabilities, defenders scrambling to match the tempo, policy chasing the capability curve. Beneath that headline, a quieter structural shift is under way. The plumbing the vulnerability ecosystem rests on — the National Vulnerability Database, the CVE programme, the CVSS scoring layer — is unbundling. The US has retreated from universal enrichment; the EU has stood up a parallel CVE Root and regional database; private CNAs and commercial vendors fill the rest. The board question is no longer "are we tracking CVEs?" but "whose CVE pipeline anchors our compliance, scanner and cyber-insurance underwriting from 2027 onward?"

Signal Identification

A structural reset of the global vulnerability disclosure pipeline. The signal is the simultaneous retreat of NIST from universal enrichment, the rise of ENISA and the EUVD as a parallel authority, and AI-driven CVE volume that breaks the single-source model — a regulatory and infrastructure pivot, not a capability disruption.

Time horizon: 2-4 years (scanner and FedRAMP exposure 2026-2027; CRA SRP and EUVD binding from Sep 2026; plurality consolidates 2027-2028) Plausibility band: High Geographic / Jurisdictional Scope: Primary: US (NIST, CISA, FedRAMP), EU-27 (ENISA, NIS2, CRA). Spillover: UK, Japan, Australia, Singapore. Sectors exposed: Cyber insurance; managed security services; SCA vendors; FedRAMP cloud; healthcare and local-government IT; open-source maintainers; AI infrastructure; CISO governance.

What's Changing

On 15 April 2026 NIST moved the NVD to risk-based triage. Only CVEs in CISA's Known Exploited Vulnerabilities catalogue, federal-government software, and EO-14028 critical software now receive full enrichment with CPE, CVSS and CWE metadata; everything else is "Not Scheduled" unless a user emails NIST (NIST, 15/04/2026). CVE submissions rose 263% between 2020 and 2025; Q1 2026 ran a third above the prior year; even at a record ~42,000 enriched in 2025, NIST's 21 NVD analysts could not keep pace. Roughly 29,000 backlogged CVEs were reclassified "Not Scheduled" in one move — an estimated 15-20% of 2026 volume will receive full enrichment (Cloud Security Alliance, 19/04/2026).

The volume pressure is structural. (FIRST, 11/02/2026) forecasts a median 59,427 CVEs in 2026, first year above 50,000, with upside of 70,000-100,000 and upper bounds near 193,000 by 2028. (Resilient Cyber, 22/04/2026) places this against a 14x jump in GitHub commits driven by AI agents, vulnerability-report intake up 224% in 90 days, and FIRST CEO Chris Gibson's prediction Anthropic and OpenAI become CNAs by year-end.

The AI capability is empirically observed. (Anthropic, 07/04/2026) reports Claude Mythos Preview autonomously found thousands of zero-days across every major OS and browser, including a 27-year-old OpenBSD remote-crash flaw and a 16-year-old FFmpeg bug five million automated tests missed; Project Glasswing connects AWS, Apple, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA and Palo Alto Networks under a $100M commitment. (WEF, 20/04/2026) finds 87% of cyber leaders flag AI-related vulnerabilities as the fastest-growing risk; weekly patch cycles fail when discovery-to-exploit compresses to hours.

The triple squeeze on the NVD enrichment pipeline

Inputs vs capacity: the 2020-2028 NVD trajectory CVE 2020 ~18,000 CVE 2025 ~48,000 CVE 2026 (med) ~59,000 CVE 2028 (upper) ~193,000 NVD enriched 2025 ~42,000 NVD priority 2026 15-20% of vol.

Sources: NIST 15/04/2026; FIRST 11/02/2026; Cloud Security Alliance 19/04/2026.

Disruption Pathway

Stage one (mid-2026 to Q1 2027): the enrichment gap surfaces in scanner output and audit. NVD-CPE-dependent platforms produce more false negatives; SOC 2, ISO 27001 and DORA auditors ask how severity was derived without NIST CVSS; FedRAMP cloud providers open formal deviation requests. Stage two (mid-2027 onward): commercial enrichment becomes the default. VulnCheck, GitHub Security Advisories, EPSS, the EUVD and reachability-based SCA partition the pipeline; cyber-insurance language drops "NVD CVSS" for KEV-plus-EPSS-plus-reachability. Stage three (2028): the pipeline stabilises as federated plurality — NIST runs federal triage, ENISA runs EU coordination, JPCERT/CC runs Japan, commercial CNAs and threat-intelligence vendors run the rest.

Stresses concentrate at three points. Compliance frameworks — FedRAMP, SOC 2, ISO 27001, DORA, HIPAA — reference NVD CVSS and cannot recalibrate overnight (Cloud Security Alliance, 19/04/2026). Under-resourced operators — smaller businesses, local governments, hospitals, schools, rural utilities — cannot afford commercial threat-intelligence, producing what (Just Security, 27/04/2026) calls a "two-tier vulnerability system." The AI software stack (PyTorch, ONNX, LangChain) sits outside EO 14028, so vulnerabilities in the layer driving the discovery boom are least likely to be enriched. Operationally, organisations rebuild around KEV-plus-EPSS-plus-reachability; institutionally, the (ENISA CVE Root elevation, 20/11/2025), with mandatory CRA notification from September 2026, makes Europe the second pole.

Why This Matters

For CISOs and boards, policy treating NVD as the single authoritative source is no longer fit; organisations should specify alternative sources, CNA-CVSS quality assurance and escalation path for unenriched CVEs, or fail audits not yet caught up. For cyber-insurance underwriters, NVD-anchored coverage triggers need rewriting; "are critical NVD CVSS findings remediated within 30 days?" asks a question the data no longer answers. FedRAMP cloud providers need PMO guidance before late-2026 ATO renewals. For EU-facing ICT manufacturers, CRA SRP notification becomes binding 11 September 2026 with the EUVD alongside the CVE programme.

Decision-action posture for this signal: Prepare — the shift is operational and the inflection lands inside FY2026, but a 12-18 month window remains to rewrite policy, scanner contracts and compliance documentation before the gap surfaces in audit.

Counter-Argument

The strongest objection is that NIST's retreat formalises an overdue truth: CVSS-centric vulnerability management was always the wrong frame, the market has moved to KEV-plus-EPSS-plus-reachability, and well-run teams will barely notice. (Resilient Cyber, 22/04/2026) notes CISA's KEV was already the de facto prioritisation signal, VulnCheck, Tenable, Qualys and Rapid7 maintain independent pipelines, and reachability-based SCA rendered CVSS noise tolerable. NIST formalises a transition already 80% complete.

This understates the systemic consequence for the long tail. Compliance frameworks, cyber-insurance policies, government procurement and managed-security contracts still reference NVD as evidentiary foundation; (Just Security, 27/04/2026) makes the operative point that rural hospitals, school districts and small municipalities cannot replace public enrichment with commercial subscriptions. The pipeline unbundles unevenly — well-resourced enterprises adapt inside a year, the public baseline degrades for everyone else, institutional repair takes three to five years.

Implications

The signal catalyses durable change in vulnerability disclosure as digital public infrastructure. The (ENISA CVE Root elevation, 20/11/2025) is canonical: Europe will not return to single-authority dependence and the same logic pulls Japan, Australia and the UK toward parallel arrangements. Commercial enrichment vendors, threat-intelligence providers and AI-lab CNAs gain a larger addressable market; pure NVD-dependent scanners lose ground; cyber-insurance underwriting must reconstitute its evidentiary base. The public-private boundary shifts toward private provision at the centre with a thinner public baseline, stabilising as federated plurality.

Early Indicators to Monitor

Disconfirming Signals

Strategic Questions

Keywords

National Vulnerability Database; NVD enrichment triage; CVE programme; CISA KEV; EPSS; ENISA; European Vulnerability Database; EUVD; NIS2; Cyber Resilience Act; Project Glasswing; Claude Mythos; AI vulnerability discovery; FedRAMP; reachability analysis; CVSS

Bibliography

Source tiers: Tier 1, governments, regulators and intergovernmental bodies. Tier 2, think-tanks, academic institutes, major consultancies and quality data providers. Tier 3, quality journalism and specialist trade press. Tier 4, vendor, company and practitioner sources, used only as directional corroboration.


Prepared by Shaping Tomorrow: 19 May 2026