NIST Limits CVE Enrichment Amid 30% Surge in Vulnerability Submissions


The National Institute of Standards and Technology (NIST) has announced a pivotal shift in its approach to tracking cybersecurity vulnerabilities, acknowledging a staggering increase in bug submissions. This change marks a significant departure from its long-standing commitment to catalog every Common Vulnerabilities and Exposures (CVE) entry.

NIST has stated that it will now only enrich records of vulnerabilities that meet specific criteria, a decision driven by the overwhelming volume of submissions. The agency typically enhances CVE records with detailed descriptions and severity scores after they are submitted to the National Vulnerability Database (NVD). However, NIST’s recent statement indicates that the sheer number of submissions has rendered this task unmanageable.

In the first quarter of 2026, submissions surged nearly 30% compared to the same period in 2025. NIST reported that it enriched approximately 42,000 CVEs in 2025, a 45% increase over previous years. Despite this heightened productivity, the agency has recognized that it is insufficient to keep pace with the growing influx of vulnerabilities.

NIST clarified that while CVEs not meeting the new criteria will still be listed, they will not receive additional information—a process known as “enrichment.” Starting immediately, NIST will focus on enriching only those CVEs that appear in a federal catalog of exploited vulnerabilities curated by the Cybersecurity and Infrastructure Security Agency (CISA). Vulnerabilities added to this catalog will be enriched within one day of notification from CISA. Additionally, CVEs associated with products used by the federal government and software classified as “critical” will also receive enrichment.

This strategic pivot allows NIST to concentrate its resources on the most critical vulnerabilities while developing automated systems and workflow enhancements for long-term sustainability. The agency’s decision comes amid growing concerns from cybersecurity experts and industry stakeholders about the implications of artificial intelligence in vulnerability detection. The democratization of AI code review tools has led to an influx of new vulnerabilities, some of which may be minor but still pose risks to widely used products.

Recent advancements in AI cybersecurity have raised alarms about autonomous systems capable of discovering and exploiting vulnerabilities without human intervention. This evolving landscape has prompted NIST to reassess its operational capabilities and priorities.

In 2024, NIST faced a crisis when budget cuts resulted in 90% of vulnerability submissions going unaddressed. CISA intervened during this period, enriching thousands of vulnerabilities on NIST’s behalf as a consortium was formed to strategize future actions. A senior leader at the NVD noted that the agency’s staff remained at 21, even as the number of vulnerabilities continued to escalate.

In response to the challenges faced by NIST, dozens of cybersecurity experts signed a letter to Congress and Secretary of Commerce Gina Raimondo, urging increased funding and support for the NVD. They emphasized the critical role of the NVD in enabling organizations across both public and private sectors to defend against the exploitation of vulnerabilities.

The letter underscored the importance of transparent communication from NIST regarding its operational challenges, expressing concern over the potential loss of functionality that could affect the cybersecurity community.

CVE Backlog Left Behind

NIST has repeatedly pledged to address the backlog of CVEs throughout 2024 and 2025. However, the agency admitted that it would be impossible to enrich the thousands of records resulting from previous funding issues. As part of the new prioritization criteria, NIST announced that all backlogged CVEs with an NVD publish date prior to March 1, 2026, will be categorized as “Not Scheduled.”

NIST will sift through the backlog to identify vulnerabilities that meet the new criteria, prioritizing them for enrichment. The agency acknowledged that even vulnerabilities not meeting the new standards could significantly impact affected systems, and the new rules may not capture every potentially high-impact CVE. Researchers can still request CVE enrichment by contacting NIST directly.

Furthermore, NIST will no longer assign its own severity scores to submitted CVEs, opting instead to rely on the scores provided by submitters. The agency believes these changes will help maintain the reliability and sustainability of the database as a public resource for cybersecurity vulnerabilities.
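A defender tracking these changes needs to know, for each CVE in their own inventory, whether NIST enrichment can still be expected (KEV listing), whether the record falls into the "Not Scheduled" backlog (NVD publish date before March 1, 2026), and whether the only severity score present comes from the submitter rather than NIST. The following triage helper is an added example, not NIST's or CISA's code; the sample records are constructed, and the field names (`cveID`, `cve.id`, `cve.published`, `metrics.cvssMetricV31[].type`) are assumed to follow the public KEV JSON and NVD API 2.0 layouts. The federal-product and "critical software" criteria cannot be derived from the records themselves, so the helper only flags those CVEs as unenriched unless requested.

```python
import json
from datetime import date

# Constructed sample records (not real KEV/NVD data). Field names are an
# assumption modelled on the CISA KEV JSON and NVD API 2.0 response layouts.
KEV_JSON = '{"vulnerabilities": [{"cveID": "CVE-2026-00001", "dateAdded": "2026-03-10"}]}'
NVD_JSON = '''{"vulnerabilities": [
 {"cve": {"id": "CVE-2026-00001", "published": "2026-03-05T10:00:00.000",
  "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
   "cvssData": {"baseScore": 9.8}}]}}},
 {"cve": {"id": "CVE-2026-00002", "published": "2026-02-20T10:00:00.000", "metrics": {}}},
 {"cve": {"id": "CVE-2026-00003", "published": "2026-03-12T10:00:00.000",
  "metrics": {"cvssMetricV31": [{"source": "vendor@example.com", "type": "Secondary",
   "cvssData": {"baseScore": 7.5}}]}}}
]}'''

# Backlogged records published before this date are categorised "Not Scheduled".
BACKLOG_CUTOFF = date(2026, 3, 1)


def classify(nvd_json: str, kev_json: str, cutoff: date = BACKLOG_CUTOFF) -> dict:
    """Map each NVD record to its expected enrichment status under the new criteria."""
    kev_ids = {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}
    result = {}
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        published = date.fromisoformat(cve["published"][:10])
        metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
        # "Primary" marks a NIST-assigned score; "Secondary" is the submitter's (CNA) score.
        nist_scored = any(m.get("type") == "Primary" for m in metrics)
        submitter_score = next(
            (m["cvssData"]["baseScore"] for m in metrics if m.get("type") == "Secondary"), None
        )
        if cve["id"] in kev_ids:
            status = "enrich_expected"  # KEV entries are enriched within a day of CISA notice
        elif published < cutoff:
            status = "not_scheduled"  # pre-cutoff backlog, enriched only if it later meets criteria
        else:
            status = "unenriched_unless_requested"  # rely on submitter data or ask NIST directly
        result[cve["id"]] = {
            "status": status,
            "nist_scored": nist_scored,
            "submitter_score": submitter_score,
        }
    return result


if __name__ == "__main__":
    for cve_id, info in classify(NVD_JSON, KEV_JSON).items():
        print(cve_id, info)
```

Records that land in `not_scheduled` or `unenriched_unless_requested` with no NIST score are the ones where your own CVSS or exploitability assessment has to stand in for NVD metadata.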

NIST recognized that these adjustments would affect users but emphasized that a risk-based approach is necessary to manage the current surge in CVE submissions. The agency aims to align its efforts with the needs of the NVD community.

Trey Ford from Bugcrowd remarked that NIST’s acknowledgment reflects a long-standing understanding within the research community: centralizing vulnerability triage at such a scale is untenable. He noted that the true drivers of remediation priority stem from real-world exploitability rather than database metadata, necessitating continuous engagement from human researchers in live environments.

The evolution of vulnerability management programs is likely to focus on active, distributed signals rather than relying solely on periodic enrichment cycles.

For further details on this development, refer to the original reporting source: therecord.media.
