NIST slows down CVE analysis amid a flood of vulnerabilities

Plagued by the growing number of security flaws, the National Institute of Standards and Technology (NIST) has announced significant changes to the way it handles Common Vulnerabilities and Exposures (CVE) entries.
Instead of committing to providing enrichment for all entries in the National Vulnerability Database (NVD), the agency will focus on the most important CVEs, “which will allow us to stabilize the system while developing the automated systems and workflow improvements needed for long-term development.”
From now on, NIST will focus on CVEs listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. “Our goal is to enrich these within one business day of receipt,” the organization said.
Other prioritized CVEs will include those in software used by the federal government and other critical software.
All other CVEs will still be added to NVD, but they will be classified as “unplanned,” meaning that NIST will no longer prioritize their enrichment.
Broken by the backlog
According to NIST, the backlog of CVEs began to accumulate in early 2024, and the agency has been unable to clear it because of the growth in submissions.
Submissions rose 263% between 2020 and 2025, according to the agency, and almost a third more vulnerabilities were reported in Q1 2026 than in the same period last year.
The agency, which received nearly 42,000 CVEs in 2025, 45% more than in any previous year, now faces a total backlog of more than 30,000 CVEs, said Harold Booth, technology and program leader at NIST, at this week’s VulnCon cybersecurity conference.
Source: CSO
As a result, NIST will now stop enriching all but the most critical vulnerabilities.
Backlogged CVEs dating from before March 1 will also be labeled “unplanned.” None of these pose serious risk, NIST says, because serious ones have always been handled first.
“They just came out and said, ‘We’re not going to get past this backlog,’” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CSO.
In addition, NIST will no longer calculate its own severity score for submitted CVEs; it will rely on the score assigned by the reporting organization.
Security leaders who rely on NIST’s enrichment will need to check their technology inventory to see whether their software falls under NIST’s priority list, Childs said. That’s not easy.
“Discovery is one of the most difficult problems we face,” he noted, adding that it’s also unclear what software actually falls into the critical category. “The software used by the federal government is a vague statement.”
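Because the priority list is defined by KEV membership and federal or critical use rather than by anything in a scanner report, a practical first step is to triage scanner findings locally: flag CVEs that CISA lists as exploited, use whatever CVSS score exists (NIST’s own or the CNA’s, noting which), and mark the rest for in-house assessment. The script below is an added example, not code from CSO, NIST, CISA or FIRST. It assumes the field names of the NVD API 2.0 CVE record (`id`, `vulnStatus`, `metrics.cvssMetricV31[]` with `source`, `type` and `cvssData`) and of the CISA KEV JSON feed (`vulnerabilities[].cveID`); every record in it is constructed sample data, not a real advisory.

```python
"""Local triage of scanner findings when NVD enrichment is no longer guaranteed.

Added example (not NIST's, CISA's or CSO's code). Field names follow the NVD
API 2.0 CVE schema and the CISA KEV JSON feed as an assumption; all records
below are constructed, the CVE IDs are placeholders, not real entries.
"""
import json

# Constructed stand-in for CISA's known_exploited_vulnerabilities.json.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-90001", "vendorProject": "ExampleCorp",
   "product": "Gateway", "knownRansomwareCampaignUse": "Known"}
]}
""")

# Constructed NVD-style records; only the fields the triage reads are present.
NVD_RECORDS = [
    # Fully enriched: NIST ("Primary") score present.
    {"id": "CVE-2026-90001", "vulnStatus": "Analyzed",
     "metrics": {"cvssMetricV31": [
         {"source": "nvd@nist.gov", "type": "Primary",
          "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}},
    # CNA-scored only ("Secondary"): the case NIST says it will now rely on.
    {"id": "CVE-2026-90002", "vulnStatus": "Awaiting Analysis",
     "metrics": {"cvssMetricV31": [
         {"source": "security@cna.example", "type": "Secondary",
          "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}},
    # Unenriched and unscored by anyone.
    {"id": "CVE-2026-90003", "vulnStatus": "Awaiting Analysis", "metrics": {}},
]


def kev_ids(feed):
    """Set of CVE IDs in the KEV feed (NIST's top enrichment priority)."""
    return {v["cveID"] for v in feed["vulnerabilities"]}


def best_score(record):
    """Return (score, severity, provenance) for one NVD record.

    NIST's own CVSS v3.1 entry (type "Primary") wins when present; otherwise
    the CNA's entry (type "Secondary") is used and labelled "cna" so the
    reader knows NIST never checked it; (None, None, None) if nothing exists.
    """
    entries = record.get("metrics", {}).get("cvssMetricV31", [])
    for wanted, label in (("Primary", "nvd"), ("Secondary", "cna")):
        match = [e for e in entries if e.get("type") == wanted]
        if match:
            data = match[0]["cvssData"]
            return data["baseScore"], data["baseSeverity"], label
    return None, None, None


def triage(findings, records, feed):
    """Assign a local tier to each CVE ID a scanner reported in our estate."""
    by_id = {r["id"]: r for r in records}
    kev = kev_ids(feed)
    result = {}
    for cve in findings:
        rec = by_id.get(cve)
        score, sev, src = best_score(rec) if rec else (None, None, None)
        if cve in kev:
            tier, why = "P1", "listed in CISA KEV (NIST enriches these first)"
        elif score is not None and score >= 7.0:
            tier, why = "P2", f"{sev} {score} ({src} score)"
        elif score is not None:
            tier, why = "P3", f"{sev} {score} ({src} score)"
        else:
            tier, why = "ASSESS", "no CVSS from NIST or the CNA; score locally"
        result[cve] = {
            "tier": tier,
            "reason": why,
            "status": rec.get("vulnStatus") if rec else "not in NVD",
            "score_source": src,
        }
    return result


if __name__ == "__main__":
    # Constructed scanner output; the last ID has no NVD record at all.
    findings = ["CVE-2026-90001", "CVE-2026-90002",
                "CVE-2026-90003", "CVE-2026-90004"]
    for cve, info in sorted(triage(findings, NVD_RECORDS, KEV_FEED).items(),
                            key=lambda kv: kv[1]["tier"]):
        print(f"{info['tier']:6} {cve}  [{info['status']}]  {info['reason']}")
```

The point of the `score_source` field is the change described above: a "cna" score was never reviewed by NIST, so a team that previously treated NVD scores as authoritative should decide explicitly whether to accept CNA scoring or re-score such entries themselves. A KEV entry is tiered first regardless of score, since that is the one category NIST still commits to enriching quickly.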
CVE counts climbing as AI-driven bug discovery grows
Childs is not surprised that the number of CVEs has been rising, citing AI as part of the reason.
“We’re already seeing a lot of garbage CVEs — and real CVEs — related to AIs,” he says.
Addressing these CVEs will be a major challenge for companies. “People aren’t done,” he says. “And we’re going to double the number of episodes they’re going to have to use. How do we build our defenses across the business? I don’t know if we’ll get there before the bad guys do.”
According to the Forum of Incident Response and Security Teams (FIRST), 59,427 CVEs are expected to be published this year, up from just over 48,000 in 2025. That makes 2026 the first year in which CVEs will surpass the 50,000 milestone.
“The speed of vulnerability discovery and exploitation is unlike anything we’ve seen before,” FIRST CEO Chris Gibson told CSO.
FIRST also modeled “realistic scenarios” where the total number of CVEs breaks 100,000 by 2026 — but that was in February, before Anthropic announced Mythos, its AI vulnerability detection model that many foresee as a structural shift in the cybersecurity industry.
“And if it’s not Mythos, or whatever else comes out now, something will come out next week,” said Empirical Security founder Jay Jacobs, who also leads the Exploit Prediction Scoring System (EPSS) special interest group at FIRST.
Still, Jacobs hopes that turning to technology will help NIST deal with rising CVE volumes.
“Harold Booth has had a lot of experience and expertise working with AI over the last few years,” Jacobs told CSO. “So I expect him to bring technology and hopefully we’ll see some AI news there.”
Both large language models and AI agents are on the organization’s to-do list, as is traditional robotic process automation (RPA), Booth said in a talk at VulnCon, which Jacobs chairs. NIST also plans to delegate some work to CVE Numbering Authorities (CNAs), which include security vendors and researchers.