NIST Limits CVE Enrichment Following 30% Surge in Vulnerability Submissions

The National Institute of Standards and Technology (NIST) has announced a significant change in its methodology for tracking cybersecurity vulnerabilities, citing an unprecedented increase in bug submissions. This shift represents a departure from NIST’s long-standing practice of cataloging every cybersecurity vulnerability and exposure (CVE).

NIST has indicated that it will now only enhance records of vulnerabilities that meet specific criteria, a decision prompted by the overwhelming volume of submissions. Traditionally, the agency has enriched CVE records with detailed descriptions and severity scores after they are submitted to the National Vulnerability Database (NVD). However, NIST’s recent statement reveals that the sheer number of submissions has made this task unmanageable.

In the first quarter of 2026, submissions surged nearly 30% compared to the same period in 2025. NIST reported that it enriched approximately 42,000 CVEs in 2025, marking a 45% increase over previous years. Despite this heightened productivity, the agency acknowledged that it is insufficient to keep pace with the growing influx of vulnerabilities.

New Criteria for CVE Enrichment

NIST clarified that while CVEs not meeting the new criteria will still be listed, they will not receive additional information—a process known as “enrichment.” Effective immediately, NIST will focus on enriching only those CVEs that appear in a federal catalog of exploited vulnerabilities curated by the Cybersecurity and Infrastructure Security Agency (CISA). Vulnerabilities added to this catalog will be enriched within one day of notification from CISA. Additionally, CVEs associated with products used by the federal government and software classified as “critical” will also receive enrichment.

This strategic pivot allows NIST to concentrate its resources on the most critical vulnerabilities while developing automated systems and workflow enhancements for long-term sustainability. The agency’s decision comes amid growing concerns from cybersecurity experts and industry stakeholders regarding the implications of artificial intelligence in vulnerability detection. The democratization of AI code review tools has led to an influx of new vulnerabilities, some of which may be minor yet still pose risks to widely used products.

Recent advancements in AI cybersecurity have raised alarms about autonomous systems capable of discovering and exploiting vulnerabilities without human intervention. This evolving landscape has prompted NIST to reassess its operational capabilities and priorities.

Historical Context and Challenges

In 2024, NIST faced a crisis when budget cuts resulted in 90% of vulnerability submissions going unaddressed. During this period, CISA intervened, enriching thousands of vulnerabilities on NIST’s behalf as a consortium was formed to strategize future actions. A senior leader at the NVD noted that the agency’s staff remained at 21, even as the number of vulnerabilities continued to escalate.

In response to the challenges faced by NIST, dozens of cybersecurity experts signed a letter to Congress and Secretary of Commerce Gina Raimondo, urging increased funding and support for the NVD. They emphasized the critical role of the NVD in enabling organizations across both public and private sectors to defend against vulnerability exploitation attacks. The letter underscored the importance of transparent communication from NIST regarding its operational challenges, expressing concern over the potential loss of functionality that could affect the cybersecurity community.

CVE Backlog and Future Prioritization

NIST has repeatedly pledged to address the backlog of CVEs throughout 2024 and 2025. However, the agency admitted that it would be impossible to enrich the thousands of records resulting from previous funding issues. As part of the new prioritization criteria, NIST announced that all backlogged CVEs with an NVD publish date prior to March 1, 2026, will be categorized as “Not Scheduled.”

NIST will sift through the backlog to identify vulnerabilities that meet the new criteria, prioritizing them for enrichment. The agency acknowledged that even vulnerabilities not meeting the new standards could significantly impact affected systems, and the new rules may not capture every potentially high-impact CVE. Researchers can still request CVE enrichment by contacting NIST directly.

Furthermore, NIST will no longer assign its own severity scores to submitted CVEs, opting instead to rely on the scores provided by submitters. The agency believes these changes will help maintain the reliability and sustainability of the database as a public resource for cybersecurity vulnerabilities.
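For teams that consume the NVD feed, the practical question is which of their records will still be enriched and which carry only a submitter-supplied score. The following added example (not NIST's or the NVD's own code) applies the criteria described above to NVD API 2.0 style records. It assumes the record shape `record["cve"]["published"]`, a `cisaExploitAdd` field present when the CVE is in CISA's KEV catalog, and CVSS entries under `metrics` whose `type` is `"Primary"` for an NVD-assigned score and `"Secondary"` for a submitter (CNA) score; membership in the federal-use or critical-software set is not visible in the record itself, so it is supplied by the caller as `priority_ids`. All CVE identifiers and records below are constructed.

```python
"""Classify NVD records under NIST's new enrichment criteria (added example).

Assumed record shape (NVD API 2.0 style, constructed here):
  record["cve"]["id"], record["cve"]["published"] ("YYYY-MM-DDTHH:MM:SS.mmm"),
  record["cve"].get("cisaExploitAdd")  -> present when the CVE is in CISA's KEV catalog,
  record["cve"]["metrics"]["cvssMetricV31"][i]["type"] -> "Primary" (NVD) or "Secondary" (CNA).
"""
from datetime import date

# Backlogged records with an NVD publish date before this are "Not Scheduled" unless
# they meet one of the new criteria.
BACKLOG_CUTOFF = date(2026, 3, 1)


def nvd_published(record):
    """Parse the NVD publish timestamp down to a calendar date."""
    return date.fromisoformat(record["cve"]["published"][:10])


def in_kev(record, kev_ids=frozenset()):
    """True if the record is flagged by CISA's KEV catalog or listed in a caller-supplied KEV set."""
    cve = record["cve"]
    return "cisaExploitAdd" in cve or cve["id"] in kev_ids


def score_source(record):
    """Return 'nvd' if NIST assigned a CVSS score, 'cna' if only the submitter did, None if neither."""
    metrics = record["cve"].get("metrics", {})
    entries = metrics.get("cvssMetricV31", []) + metrics.get("cvssMetricV40", [])
    types = {entry.get("type") for entry in entries}
    if "Primary" in types:
        return "nvd"
    if "Secondary" in types:
        return "cna"
    return None


def enrichment_status(record, kev_ids=frozenset(), priority_ids=frozenset()):
    """Map a record to the enrichment outcome implied by the new criteria.

    priority_ids is a caller-maintained set of CVE ids known to affect federal-use
    products or software classified as critical (hypothetical input, not an NVD field).
    """
    cve_id = record["cve"]["id"]
    if in_kev(record, kev_ids):
        return "enrich: CISA KEV"
    if cve_id in priority_ids:
        return "enrich: federal-use or critical software"
    if nvd_published(record) < BACKLOG_CUTOFF:
        return "Not Scheduled (backlog)"
    return "listed, not enriched"


def triage(records, kev_ids=frozenset(), priority_ids=frozenset()):
    """Return {cve_id: (enrichment status, score source)} for a batch of records."""
    return {
        r["cve"]["id"]: (enrichment_status(r, kev_ids, priority_ids), score_source(r))
        for r in records
    }


def _record(cve_id, published, kev=False, score_types=()):
    """Build a constructed NVD-style record for the sample below."""
    cve = {"id": cve_id, "published": published, "metrics": {}}
    if kev:
        cve["cisaExploitAdd"] = published[:10]
    if score_types:
        cve["metrics"]["cvssMetricV31"] = [
            {"type": t, "cvssData": {"baseScore": 9.8}} for t in score_types
        ]
    return {"cve": cve}


# Constructed sample records; identifiers are placeholders, not real CVEs.
SAMPLE_RECORDS = [
    _record("CVE-EXAMPLE-0001", "2026-01-15T10:00:00.000", kev=True, score_types=("Primary", "Secondary")),
    _record("CVE-EXAMPLE-0002", "2026-02-20T09:30:00.000", score_types=("Secondary",)),
    _record("CVE-EXAMPLE-0003", "2026-04-02T12:00:00.000"),
    _record("CVE-EXAMPLE-0004", "2026-04-05T08:45:00.000", score_types=("Secondary",)),
]

if __name__ == "__main__":
    # CVE-EXAMPLE-0004 is assumed to affect a federal-use product.
    for cve_id, (status, source) in triage(SAMPLE_RECORDS, priority_ids={"CVE-EXAMPLE-0004"}).items():
        print(f"{cve_id}: {status}; CVSS source = {source}")
```

Records that come back as "Not Scheduled" or "listed, not enriched" with a score source of `cna` or `None` are the ones where a vulnerability management program can no longer wait on NVD metadata and should fall back on the submitter's score, KEV status, and its own exploitability signals.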

NIST recognized that these adjustments would affect users but emphasized that a risk-based approach is necessary to manage the current surge in CVE submissions. The agency aims to align its efforts with the needs of the NVD community.

Industry Reactions and Future Directions

Trey Ford from Bugcrowd remarked that NIST’s acknowledgment reflects a long-standing understanding within the research community: centralizing vulnerability triage at such a scale is untenable. He noted that the true drivers of remediation priority stem from real-world exploitability rather than database metadata, necessitating continuous engagement from human researchers in live environments.

The evolution of vulnerability management programs is likely to focus on active, distributed signals rather than relying solely on periodic enrichment cycles.

Published on 2026-04-16 09:06:00 • By the Editorial Desk