The National Institute of Standards and Technology is changing how it analyzes newly disclosed vulnerabilities as it faces a massive backlog of digital flaws.
Due to “a surge in [cybersecurity vulnerabilities and exposures] submissions,” NIST said on Wednesday, the agency will only perform detailed analyses of CVEs that meet certain criteria, including publication in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog, presence in software used in the federal government or presence in “critical software” (as defined in a Biden administration executive order).
NIST will continue to list all disclosed vulnerabilities in its National Vulnerability Database (NVD), but flaws that do not meet any of those criteria will not receive “enrichment,” the agency’s term for detailed analysis.
NIST will also stop providing its own vulnerability severity scores for CVEs that already received scores from their submitting organizations. In addition, NIST will only reevaluate CVEs that are modified after enrichment if it determines that the new information “materially impacts” its original analysis.
The rise of AI-powered vulnerability-detection tools has created a tidal wave of newly disclosed flaws that has overwhelmed digital defenders and maintainers of vulnerability catalogs. In recent years, NIST has struggled to keep up with the volume, creating a large backlog that led the agency to begin rethinking its approach.
The new triage system “will allow us to focus on CVEs with the greatest potential for widespread impact,” NIST said on Wednesday. “While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories.”
NIST said it enriched “nearly 42,000 CVEs” in 2025, but with disclosure rates skyrocketing — the number of newly reported flaws increased 263% between 2020 and 2025, according to the agency — the agency’s original enrichment plan was no longer sustainable.
In addition to allowing NIST to focus on the most serious vulnerabilities, the new system will allow the agency to “stabilize the [NVD] program while we develop the automated systems and workflow enhancements required for long-term sustainability,” according to the statement.
NIST also said it would stop working on the existing CVE backlog for now. “We will consider enriching those earlier vulnerabilities, applying the new prioritization criteria above, as resources allow,” the agency said.
