Overwhelmed by a rapidly escalating volume of reported security flaws, the National Institute of Standards and Technology (NIST) has recently unveiled a strategic pivot in how it handles Common Vulnerabilities and Exposures (CVE) records. In a significant move, NIST has announced that it will no longer commit to enriching all entries in its National Vulnerability Database (NVD). Instead, the agency intends to concentrate its efforts solely on the most critical CVEs. This approach is designed to stabilize the program while also allowing for the development of automated systems and workflow enhancements necessary for long-term sustainability.
Starting immediately, NIST’s primary focus will be on CVEs that are included in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. This catalog serves as a vital resource for identifying vulnerabilities that are actively being exploited in the wild. The agency has made it clear that its goal is to enrich these entries within one business day of receipt, thereby ensuring that stakeholders have access to up-to-date information on vulnerabilities that pose immediate risks.
In addition to the KEV catalog, NIST plans to prioritize high-priority CVEs associated with software utilized within federal government systems and other critical software applications. This marks a notable shift in NIST’s operational strategy, as the agency will now categorize all other CVEs as “not scheduled” for enrichment. These vulnerabilities will still be listed in the NVD, but they will no longer receive the same level of urgency and detail that accompanies critical entries.
The rationale behind this shift can be traced back to a growing backlog of CVEs that has plagued the agency. According to NIST, this backlog began accumulating in early 2024 and has hindered the agency’s ability to address the increasing number of submissions. In fact, submissions to the NVD surged by an astonishing 263% between 2020 and 2025. In the first quarter of 2026, nearly one-third more vulnerabilities were reported than during the same period the previous year, underscoring the mounting pressure NIST faces.
In 2025, NIST enriched close to 42,000 CVEs—45% more than any previous year—but now finds itself grappling with a backlog exceeding 30,000 CVEs. This startling statistic was highlighted by Harold Booth, a technical and program lead at NIST, during a recent presentation at the VulnCon cybersecurity conference. As NIST gears up to navigate this burgeoning landscape of cybersecurity threats, it has made it clear that it will prioritize the most critical vulnerabilities moving forward.
Backlogged CVEs submitted prior to March 1, 2026, will also be marked as “not scheduled” for enrichment. NIST has indicated that these entries do not include critical vulnerabilities, as those have always been dealt with as a priority. As Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, stated, “They’ve just come out and publicly stated, ‘We are never going to get through this backlog.’”
Compounding the situation, NIST has decided to stop calculating severity scores for CVEs that come with scores already provided by the organizations reporting these vulnerabilities. Given this new landscape, security leaders who depend on NIST for insights will need to reassess their technology inventories to see if their software falls under NIST’s newly defined priority list—a task complicated by the vague nature of what constitutes “software used by the federal government.”
Adding another layer to the complexities of CVE management is the increasing role that artificial intelligence (AI) is playing in both the discovery of vulnerabilities and the rise of the overall number of reported CVEs. Childs noted that the industry is already witnessing a spike in both “garbage CVEs”—those that may be poorly reported or lack significance—and legitimate vulnerabilities linked to AI technologies. This raises the stakes for organizations, as they must prepare to deploy a greater number of patches and avoid falling prey to emerging threats.
The Forum of Incident Response and Security Teams (FIRST) anticipates that 59,427 CVEs will be submitted this year, a significant leap from just over 48,000 in 2025. Should this trend continue, 2026 could mark the first year that submissions exceed 50,000, with some projections suggesting that the total number of CVEs could even surpass 100,000.
Chris Gibson, CEO of FIRST, commented on the unprecedented pace of vulnerability discovery and exploitation, indicating that the cyber landscape is evolving at an astonishing rate. Optimism remains, however, as industry experts like Jay Jacobs of Empirical Security noted that technological innovations, including AI and automation, may provide NIST with the tools necessary to effectively manage and respond to the surge in CVE volumes. This includes deploying both large language models and traditional robotic process automation, which could help streamline the workflow and lessen the burden on cybersecurity professionals.
As NIST positions itself to tackle these challenges, the agency plans to delegate part of the workload to CVE Numbering Authorities (CNAs), including various security vendors and researchers. By adopting this multi-faceted approach, NIST aims to enhance its efficiency and effectiveness in a rapidly evolving cybersecurity landscape, ensuring that critical vulnerabilities are addressed swiftly while also managing an overwhelming number of submissions.

