The U.S. National Institute of Standards and Technology (NIST) has announced a significant operational change for its National Vulnerability Database (NVD). To address record-breaking Common Vulnerabilities and Exposures (CVE) submissions, NIST is moving from a full analysis of every submission to a risk-based triage model. This new approach prioritizes the most critical cybersecurity flaws.

CVE submissions have surged dramatically, increasing by 263% between 2020 and 2025. This year's first quarter saw submissions nearly a third higher than the previous year. Although NIST enriched nearly 42,000 CVEs in 2025, a 45% increase, its output has not kept pace with the influx.

Under the revised model, NIST will now fully enrich only those CVEs that meet one of three criteria: they are included in the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog, they affect U.S. federal government software, or they impact software classified as critical under Executive Order 14028.

NIST aims to enrich KEV catalog entries within one business day. Other submitted CVEs will still be listed but marked as “Not Scheduled,” meaning NIST will not automatically provide severity scores or detailed product data needed for patch prioritization.

This change also addresses a backlog of unenriched CVEs from before March 1, 2026, which will be moved to the “Not Scheduled” category. NIST will consider them for enrichment only as resources permit, excluding those already in the KEV catalog.

Procedural updates include NIST no longer issuing its own severity score when a submitting authority has already provided one, reducing redundant analysis. Modified CVEs will also be reanalyzed only if the change materially affects enrichment data.

While not directly attributing the surge to AI, experts note its role. Vincenzo Iozzo, CEO of SlashID Inc., stated that the increase in AI-reported vulnerabilities has doubled reported vulnerabilities, making NIST's new policy sensible and focused on the most critical flaws. He added that large language models are improving, enabling organizations to better contextualize vulnerabilities themselves.

Shane Fry, CTO of RunSafe Security Inc., views the announcement as a signal that the era of waiting for a CVE score before acting is over. He advises organizations to utilize diverse vulnerability data sources for more reliable insights and to assume unknown vulnerabilities exist, deploying protections that prevent exploitation before patches or scores are available.