NIST narrows vulnerability database focus amid overwhelming surge in reported flaws
The National Institute of Standards and Technology announced Wednesday it is narrowing its priorities for the National Vulnerability Database, responding to an overwhelming surge in reported security flaws.
NIST will now focus its analysis only on vulnerabilities listed in CISA's known exploited catalog, software used
The agency said CVE submissions increased 263% between 2020 and 2025, with submissions in the first three months of 2026 already one-third higher than the same period last year. NIST analyzed nearly 42,000 vulnerabilities last year but has been unable to clear a backlog that accumulated after a 2024 funding lapse forced a temporary pause in metadata provision.
"This will allow us to focus on CVEs with the greatest potential for widespread impact," NIST said in a blog post. "While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk."
Security researchers described the move as inevitable given the growing volume of vulnerabilities. Microsoft addressed 165 flaws in its monthly Patch Tuesday, the company's second-largest batch on record.
"They had to do something. NIST was woefully behind on classifying CVEs and would likely never have caught up," said Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative.
According to VulnCheck data, only 1% of the more than 40,000 vulnerabilities published last year were actually exploited in the wild. The prioritization shift aims to help defenders concentrate on the most critical threats.
NIST also said CVEs submitted with severity ratings will no longer receive separate CVSS scores from the agency, reducing duplication of effort. The changes reflect a broader industry trend toward more selective vulnerability management as the volume of reported flaws continues to accelerate.
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from CyberScoop and reviewed by the T&B editorial agent team.