Overwhelmed by a growing number of security flaws, the National Institute of Standards and Technology (NIST) has announced major changes to the way it handles cybersecurity vulnerabilities and exposures (CVEs).
Rather than commit to providing enrichment for all entries in its National Vulnerability Database (NVD), the agency will focus on just the most critical CVEs, which will “allow us to stabilize the program while we develop the automated systems and workflow improvements required for long-term sustainability.”
Starting immediately, NIST will focus on CVEs appearing in CISA’s Known Exploited Vulnerabilities (KEV) catalog. “Our goal is to enrich these within one business day of receipt,” the agency said.
Other high-priority CVEs will also include those for software used in the federal government and for other critical software.
All other CVEs will still be added to the NVD, but will be categorized as “not scheduled,” meaning that NIST will no longer prioritize their enrichment.
Broken by backlog
According to NIST, a backlog of CVEs began to accumulate in early 2024, and the agency has been unable to clear it due to rising submissions.
Submissions grew by 263% between 2020 and 2025, according to the agency, with nearly one-third more vulnerabilities reported in Q1 2026 than at the same time last year.
The agency, which enriched nearly 42,000 CVEs in 2025, 45% more than in any previous year, now faces a total backlog of more than 30,000 CVEs, said Harold Booth, a technical and program lead at NIST, at this week’s VulnCon cybersecurity conference.
[Chart: CVE submission metrics. Source: https://www.cve.org/about/Metrics, via CSO]
As a result, NIST will now forgo enrichment for all but the most critical vulnerabilities.
Backlogged CVEs received prior to March 1 will also be labeled “not scheduled.” None of these are critical vulnerabilities, NIST said, because those have always been handled first.
“They’ve just come out and publicly acknowledged, ‘We’re never going to get through this backlog,’” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CSO.
In addition, NIST will no longer calculate severity scores for CVEs submitted with scores provided by the reporting organization.
Security leaders reliant on NIST enrichment will need to take stock of their technology inventories to see whether they fall under NIST’s priority list, Childs said. That’s not easy.
“Discovery is one of the most difficult things we’re dealing with,” he noted, adding that it’s also not clear what software actually falls into the priority category. “Software used by the federal government is a very vague statement.”
Mounting CVE counts — with AI flaw discovery on the rise
Childs is not surprised that CVE numbers have been going up, citing AI as part of the reason why.
“We’re already seeing more garbage CVEs — and more real CVEs — related to AIs,” he says.
Dealing with these CVEs is going to be a massive problem for companies. “People still don’t patch,” he says. “And we’re going to quadruple the number of patches they’re going to have to deploy. How do we build our defenses across the entire enterprise? I don’t know if we’ll get there before the bad guys do.”
According to the Forum of Incident Response and Security Teams (FIRST), 59,427 CVEs are expected to be submitted this year, up from a little over 48,000 in 2025. That makes 2026 the first year that CVEs will pass the 50,000 milestone.
“The sheer velocity of vulnerability discovery and exploitation is unlike anything we’ve seen before,” FIRST CEO Chris Gibson told CSO.
FIRST has also modeled “reasonable scenarios” in which the total number of CVEs cracks 100,000 for 2026 — but that was in February, before Anthropic announced Mythos, its vulnerability-finding AI model that many foresee as a structural shift for the cybersecurity industry.
“And if it’s not Mythos, or whatever else is coming out now, something is going to come out next week,” said Empirical Security founder Jay Jacobs, who also leads the Exploit Prediction Scoring System special interest group at FIRST.
Still, Jacobs is optimistic that turning to technology will help NIST deal with rising CVE volumes.
“Harold Booth has a lot of experience and skill working with AI over the past few years,” Jacobs told CSO. “So I’m expecting him to bring some expertise and I hope we do see some AI news there.”
Both large language models and AI agents are on the agency’s to-do list, as is old-school robotic process automation (RPA), Booth said in his presentation at VulnCon, which Jacobs chairs. NIST also plans to delegate some of the work to CVE Numbering Authorities (CNAs), which include security vendors and researchers.