SECURITY
The U.S. National Institute of Standards and Technology today announced an overhaul of how it processes cybersecurity vulnerabilities in its National Vulnerability Database.
NIST is abandoning its longstanding goal of fully analyzing every submitted Common Vulnerability and Exposure in favor of a risk-based triage model that prioritizes the most dangerous flaws. The change, which took effect today, is a response to the sheer volume of CVE submissions NIST has been receiving. Between 2020 and 2025, CVE submissions surged 263%, and in the first quarter of this year they were nearly one-third higher than in the same period last year.
NIST enriched nearly 42,000 CVEs in 2025, up 45% year-over-year, but the increase in output has not been enough to keep pace with growing submissions. Under the new model, NIST will now only fully enrich CVEs that meet one of three criteria.
A CVE makes the cut if it meets one of three criteria: it is listed in the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, it affects software used within the federal government, or it affects software classified as critical under Executive Order 14028.
With the new model, NIST is aiming to enrich KEV catalog entries within one business day of receipt.
Other CVEs reported, though, are not going away. They will still be listed in the NVD but will be categorized as “Not Scheduled,” meaning NIST will not automatically add the severity scores and product data that security teams rely on to prioritize patching.
The agency is also addressing a significant backlog that has built up since early 2024. All CVEs with an NVD publish date before March 1, 2026, that remain unenriched will be moved into the “Not Scheduled” category, with NIST considering them for enrichment only as resources allow. CVEs already in the KEV catalog are excluded from that sweep.
The new model includes two additional procedural changes. NIST will no longer routinely issue its own severity score for CVEs where the submitting CVE Numbering Authority has already provided one, eliminating duplicate analysis. Modified CVEs will also be reanalyzed only if a change materially affects the enrichment data, rather than automatically on every update.
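To show what these rules mean for a team that has been relying on NVD scores, here is an added example (not NIST’s own logic, and not code from the article) that models the triage described above over constructed CVE records and flags the ones that will need a locally derived score; the record fields, the `federal_use` and `eo14028_critical` flags and the tier names are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Cut-off named in the article: unenriched CVEs published before this date
# move to "Not Scheduled" unless they are already in the KEV catalog.
BACKLOG_CUTOFF = date(2026, 3, 1)


@dataclass
class CveRecord:
    cve_id: str
    published: date
    enriched: bool               # NVD has already added severity/product data
    cna_cvss: Optional[float]    # score supplied by the submitting CNA, if any
    in_kev: bool                 # listed in CISA's KEV catalog
    federal_use: bool            # assumed flag: software used in the federal government
    eo14028_critical: bool       # assumed flag: critical software under EO 14028


def enrichment_tier(r: CveRecord) -> str:
    """Where NVD effort lands for one CVE under the rules the article describes."""
    if r.in_kev:
        return "priority"        # target: enriched within one business day
    if r.enriched:
        return "done"            # nothing further unless a material change arrives
    if r.published < BACKLOG_CUTOFF:
        return "not_scheduled"   # backlog sweep; only KEV entries are exempt
    if r.federal_use or r.eo14028_critical:
        return "full"
    return "not_scheduled"       # listed in the NVD, but no automatic severity score


def effective_score(r: CveRecord, nvd_cvss: Optional[float]) -> tuple:
    """Pick the score a local triage should use and record its provenance."""
    if nvd_cvss is not None:
        return nvd_cvss, "nvd"
    if r.cna_cvss is not None:
        return r.cna_cvss, "cna"  # NIST no longer re-scores when the CNA already did
    return None, "local"          # no score is coming; analyze it yourself


def needs_local_scoring(records: list) -> list:
    """CVE ids that will get no NVD score and carry no CNA score either."""
    return [r.cve_id for r in records
            if enrichment_tier(r) == "not_scheduled" and r.cna_cvss is None]
```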
Though NIST doesn’t directly attribute the rise in CVE submissions to artificial intelligence, AI is one key driver behind the surge, according to Vincenzo Iozzo, co-founder and chief executive of identity threat detection and response provider SlashID Inc.
“We’ve seen a dramatic spike in AI-reported valid vulnerabilities. According to reports, last year alone, the number of reported vulnerabilities more than doubled,” Iozzo told SiliconANGLE via email. “As a result, the new NIST policy is sensible and the categories still covered are the most critical ones.”
Also, he added, “large language models are approaching the point where they are good enough to allow individual organizations to prioritize and contextualize vulnerabilities in their environment, reducing the need for enriched CVEs.”
Shane Fry, chief technology officer at cybersecurity solutions company RunSafe Security Inc., believes that “the announcement is a signal to the industry that the era of waiting for a CVE score before acting has come to an end.”
“Vulnerability visibility is imperfect, but organizations that use a diverse set of vulnerability data sources will have more reliable insight into vulnerabilities and which ones they are affected by,” said Fry. “More importantly, organizations need to assume unknown vulnerabilities already exist in their software and deploy protections that can prevent exploitation before a patch — or a CVE score — is ever available.”