
The U.S. National Institute of Standards and Technology (NIST) has announced a major shift in how it processes cybersecurity vulnerabilities, limiting detailed analysis of Common Vulnerabilities and Exposures (CVEs) due to a sharp rise in submissions. The decision comes as the volume of reported vulnerabilities has grown significantly, making it increasingly difficult for the agency to maintain its traditional approach of enriching every CVE entry.
The move is largely driven by a 263% increase in CVE submissions between 2020 and 2025, a trend that shows no signs of slowing down. In the first three months of 2026 alone, submissions were nearly one-third higher than in the same period last year. Despite efforts to scale operations, including enriching nearly 42,000 CVEs in 2025, the growing backlog has made detailed analysis of every reported vulnerability unsustainable.
Under the new approach, which took effect on April , 2026, NIST will prioritize enrichment based on risk and potential impact. CVEs that fall under key categories—such as those listed in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, vulnerabilities affecting federal government systems, or those tied to critical software—will receive detailed analysis. Other CVEs will still be listed in the National Vulnerability Database (NVD) but may be marked as “Not Scheduled” and will not be automatically enriched.
The updated system is designed to help NIST focus on vulnerabilities that pose the greatest systemic risk, rather than attempting to process all submissions equally. However, this shift may leave a significant number of vulnerabilities without detailed insights, potentially impacting organizations that rely heavily on NVD data for threat assessment and mitigation strategies. Experts have noted that while the prioritization improves efficiency, it may also create gaps in visibility for less critical but still relevant threats.
In addition to limiting enrichment, NIST has introduced several operational changes to manage workload more effectively. These include reducing duplicate severity scoring when already provided by CVE authorities, reanalyzing vulnerabilities only when necessary, and moving older backlog entries into a “Not Scheduled” category. The agency has also updated its dashboard and status labels to provide clearer, real-time insights into CVE processing.
The decision highlights a broader challenge in the cybersecurity landscape, where the rapid growth in disclosed vulnerabilities is outpacing manual analysis capabilities. As organizations continue to face an expanding threat surface, the shift toward risk-based prioritization signals a need for more automated and scalable approaches to vulnerability management in the future.




