Overwhelmed by an escalating number of security flaws, the National Institute of Standards and Technology (NIST) has announced significant changes to how it handles common vulnerabilities and exposures (CVEs).
Rather than committing to provide enrichment for all entries in its National Vulnerability Database (NVD), the agency will focus on just the most critical CVEs, which will “allow us to stabilize the program while we develop the automated systems and workflow enhancements required for long-term sustainability.”
Effective immediately, NIST will focus on CVEs appearing in CISA’s Known Exploited Vulnerabilities (KEV) catalog. “Our goal is to enrich these within one business day of receipt,” the agency said.
Other high-priority CVEs will also include those for software used in the federal government and for other critical software.
All other CVEs will still be added to the NVD, but will be categorized as “not scheduled,” meaning that NIST will not prioritize their enrichment.
Broken by backlog
According to NIST, a backlog of CVEs began to accumulate in early 2024, and the agency has been unable to clear it because of increasing submissions.
Submissions grew by 263% between 2020 and 2025, according to the agency, with nearly one-third more vulnerabilities reported in Q1 2026 than in the same period last year.
The agency, which enriched nearly 42,000 CVEs in 2025, 45% more than in any previous year, now faces a total backlog of more than 30,000 CVEs, said Harold Booth, a technical and program lead at NIST, at this week’s VulnCon cybersecurity conference.
Source: CSO
As a result, NIST will now forgo enrichment for all but the most critical vulnerabilities.
Backlogged CVEs received prior to March 1 will also be labeled “not scheduled.” None of these are critical vulnerabilities, NIST said, because those have always been handled first.
“They’ve just come out and publicly said, ‘We are never going to get through this backlog,’” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CSO.
In addition, NIST will no longer calculate severity scores for CVEs submitted with scores provided by the reporting organization.
Security leaders who rely on NIST enrichment will need to take stock of their technology inventories to see whether they fall under NIST’s priority list, Childs said. That’s not easy.
“Discovery is one of the most difficult problems we’re dealing with,” he noted, adding that it’s also not clear what software actually falls into the priority category. “Software used by the federal government is a very vague statement.”
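The inventory check Childs describes can at least be automated for the one priority tier that is machine-readable: the KEV catalog. The script below is an added example written for this article, not tooling from NIST, CISA or CSO. It assumes the KEV catalog's published JSON layout (a top-level "vulnerabilities" list whose entries carry "cveID", "vendorProject", "product", "dueDate" and "knownRansomwareCampaignUse") and uses a small constructed excerpt with placeholder CVE IDs instead of the live download so it runs offline. It splits an inventory's CVEs into those NIST will enrich within a business day (KEV) and those that will sit as "not scheduled", and separately flags the "not scheduled" CVEs that also lack a reporter-supplied score, since under the new policy no NVD severity will arrive for them and a local scoring decision is needed. The federal and "other critical software" tiers are deliberately not modelled, because, as the article notes, their definition is not concrete enough to encode.

```python
"""Triage an asset inventory's CVEs against the CISA KEV catalog (added example)."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the shape of the KEV catalog JSON. The field names are
# the catalog's real ones; the CVE IDs, vendors and products are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed KEV excerpt (not real catalog data)",
    "vulnerabilities": [
        {"cveID": "CVE-0000-1001", "vendorProject": "ExampleCo", "product": "EdgeVPN",
         "dueDate": "2026-05-01", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-1002", "vendorProject": "ExampleCo", "product": "MailGateway",
         "dueDate": "2026-05-15", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory, as a scanner or SBOM tool might emit it. "reporter_cvss"
# is the score supplied by the reporting organization, which NIST will now rely
# on instead of computing its own; None means no such score was submitted.
SAMPLE_INVENTORY = [
    {"asset": "edge-fw-01", "cve": "CVE-0000-1001", "reporter_cvss": 9.8},
    {"asset": "mail-01", "cve": "CVE-0000-1002", "reporter_cvss": None},
    {"asset": "intranet-app", "cve": "CVE-0000-2001", "reporter_cvss": 7.5},
    {"asset": "build-runner", "cve": "CVE-0000-2002", "reporter_cvss": None},
]


@dataclass(frozen=True)
class TriageItem:
    asset: str
    cve: str
    tier: str                 # "kev" (enriched within a business day) or "not_scheduled"
    due_date: Optional[str]   # CISA remediation due date for KEV entries
    ransomware: bool          # KEV flags the CVE as used in ransomware campaigns
    has_reporter_score: bool  # a CNA/reporter-supplied CVSS score exists


def load_kev_index(kev_json: str) -> Dict[str, dict]:
    """Index a KEV catalog JSON document by upper-cased CVE ID."""
    catalog = json.loads(kev_json)
    return {v["cveID"].upper(): v for v in catalog.get("vulnerabilities", [])}


def triage(inventory: List[dict], kev_index: Dict[str, dict]) -> List[TriageItem]:
    """Classify every inventory row by NIST's stated enrichment priority."""
    items = []
    for row in inventory:
        cve = row["cve"].upper()
        scored = row.get("reporter_cvss") is not None
        entry = kev_index.get(cve)
        if entry is not None:
            items.append(TriageItem(row["asset"], cve, "kev", entry.get("dueDate"),
                                    entry.get("knownRansomwareCampaignUse") == "Known",
                                    scored))
        else:
            items.append(TriageItem(row["asset"], cve, "not_scheduled", None, False, scored))
    # KEV hits first, ordered by CISA due date; everything else after, by CVE ID.
    items.sort(key=lambda i: (i.tier != "kev", i.due_date or "", i.cve))
    return items


def unscored_backlog(items: List[TriageItem]) -> List[str]:
    """CVEs that are neither KEV-prioritized nor carry a reporter score: no NVD
    severity will be coming for these, so they need a local scoring decision."""
    return sorted({i.cve for i in items
                   if i.tier == "not_scheduled" and not i.has_reporter_score})


if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY, load_kev_index(SAMPLE_KEV_JSON))
    for item in results:
        print(f"{item.tier:14} {item.cve:14} {item.asset:14} "
              f"due={item.due_date or '-':10} ransomware={item.ransomware} "
              f"reporter_score={item.has_reporter_score}")
    print("needs local scoring:", unscored_backlog(results))
```

Swap `SAMPLE_KEV_JSON` for the text of the catalog's JSON feed and `SAMPLE_INVENTORY` for a scanner export to run it against real data; the KEV tier is the only one the script can resolve automatically, and the rest of NIST's priority list still has to be judged by hand.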
Mounting CVE counts — with AI flaw discovery on the rise
Childs is not surprised that CVE numbers have been going up, citing AI as part of the reason why.
“We’re already seeing more garbage CVEs — and more real CVEs — related to AIs,” he says.
Dealing with these CVEs is going to be a huge problem for companies. “People still don’t patch,” he says. “And we’re going to quadruple the number of patches they’re going to have to deploy. How do we build our defenses across the entire enterprise? I don’t know if we’ll get there before the bad guys do.”
According to the Forum of Incident Response and Security Teams (FIRST), 59,427 CVEs are expected to be submitted this year, up from a little over 48,000 in 2025. That makes 2026 the first year in which CVEs will pass the 50,000 milestone.
“The sheer velocity of vulnerability discovery and exploitation is unlike anything we’ve seen before,” FIRST CEO Chris Gibson told CSO.
FIRST has also modeled “realistic scenarios” in which the total number of CVEs cracks 100,000 for 2026 — but that was in February, before Anthropic announced Mythos, its vulnerability-finding AI model that many foresee as a structural shift for the cybersecurity industry.
“And if it’s not Mythos, or whatever else is coming out now, something is going to come out next week,” said Empirical Security founder Jay Jacobs, who also leads the Exploit Prediction Scoring System special interest group at FIRST.
Still, Jacobs is optimistic that turning to technology will help NIST cope with rising CVE volumes.
“Harold Booth has a lot of experience and skill working with AI over the last few years,” Jacobs told CSO. “So I’m expecting him to bring some expertise and I hope we do see some AI news there.”
Both large language models and AI agents are on the agency’s to-do list, as is old-fashioned robotic process automation (RPA), Booth said in his presentation at VulnCon, which Jacobs chairs. NIST also plans to delegate some of the work to CVE Numbering Authorities (CNAs), which include security vendors and researchers.