NIST changes spark European cyber sovereignty push


The US National Institute of Standards and Technology (NIST) is changing how it handles reported flaws as volumes surge and AI bug-hunting tools such as Mythos threaten to drive them higher, prompting calls for greater European control over cyber risk intelligence.

Traditionally, common vulnerabilities and exposures (CVEs) across software and hardware systems are tracked and analyzed by NIST, with a publicly accessible database providing exhaustive details on flaws, scores based on their severity, and possible fixes.


However, NIST said that it had seen a surge in vulnerabilities recently, with CVE submissions rising 263% between 2020 and 2025, and volumes in early 2026 continuing to climb sharply.

Under the new model, NIST will focus on an "enrichment list," centralizing efforts around flaws found in software used within the federal government.

This includes software systems deemed critical by the Biden-signed Executive Order on bolstering US cybersecurity, as well as vulnerabilities appearing in the Cybersecurity and Infrastructure Security Agency's (CISA’s) Known Exploited Vulnerabilities (KEV) Catalog.

[Image: servers. Caption: NIST has said it will now focus on only the most critical vulnerabilities.]

Earlier this week, two new flaws were added to the list, with Microsoft Office and SharePoint products impacted.

Having handled some 42,000 instances in 2025, NIST has said that increased productivity is “not enough to keep up with growing submissions” and confirmed it will now focus only on the most critical CVEs.

US-centric model “disadvantages the global community”

Vulnerabilities outside those categories will still be listed in the National Vulnerability Database, but many will no longer automatically receive additional analysis such as severity scores, affected product mappings, and weakness classifications.
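The practical consequence of the model described above is that a defender can no longer assume every NVD record arrives with a CVSS score, CWE classification and CPE product mapping. The following triage helper is an added example, not code from NIST, CISA or the article: it takes constructed sample records laid out like an NVD API 2.0 response and the CISA KEV JSON feed (the field names `vulnStatus`, `metrics`, `weaknesses`, `configurations` and `cveID` are assumptions about those formats, and the `CVE-0000-000x` identifiers are placeholders), checks which enrichment artefacts each record actually carries, and sorts records into those NIST is still expected to score (KEV entries), those already enriched, and those an organisation will have to score locally.

```python
"""Triage helper: find CVE records that need local enrichment now that NIST
only enriches a subset of submissions.

Added example, not NIST/CISA code. The sample feeds below are constructed
to resemble the NVD API 2.0 and CISA KEV JSON layouts (field names are
assumptions); swap in real downloads of both feeds to run it on live data.
"""
import json

# Constructed sample shaped like an NVD API 2.0 response (assumption).
# CVE-0000-000x are placeholder identifiers, not real CVEs.
NVD_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [{"cvssData": {
                     "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
                 "weaknesses": [{"description": [{"value": "CWE-787"}]}],
                 "configurations": [{"nodes": [{"cpeMatch": [
                     {"criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
        {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
                 "metrics": {}, "weaknesses": [], "configurations": []}},
        {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis",
                 "metrics": {}, "weaknesses": [], "configurations": []}},
    ]
})

# Constructed sample shaped like the CISA KEV JSON feed (assumption).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0003", "vendorProject": "Example"}]})


def kev_ids(kev_json):
    """Set of CVE ids listed in a KEV feed document."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def enrichment_state(cve):
    """Report which of the three enrichment artefacts the article names
    (severity score, weakness classification, product mapping) a record has."""
    metrics = cve.get("metrics") or {}
    has_cvss = any(metrics.get(k) for k in
                   ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2"))
    has_cwe = any(d.get("value", "").startswith("CWE-")
                  for w in cve.get("weaknesses", [])
                  for d in w.get("description", []))
    has_cpe = bool(cve.get("configurations"))
    return {"cvss": has_cvss, "cwe": has_cwe, "cpe": has_cpe}


def triage(nvd_json, kev_json):
    """Bucket each NVD record by who is expected to enrich it."""
    kev = kev_ids(kev_json)
    report = {}
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        state = enrichment_state(cve)
        fully = all(state.values())
        if cve["id"] in kev:
            # KEV entries stay inside NIST's enrichment criteria: wait for NIST.
            bucket = "kev_enriched" if fully else "kev_pending"
        elif fully:
            bucket = "enriched"
        else:
            # Outside the stated criteria: assume no automatic NIST analysis.
            bucket = "needs_local_enrichment"
        report[cve["id"]] = {"bucket": bucket, "status": cve.get("vulnStatus"), **state}
    return report


def local_backlog(nvd_json, kev_json):
    """Ids a defender must score themselves, for feeding into their own process."""
    return sorted(i for i, r in triage(nvd_json, kev_json).items()
                  if r["bucket"] == "needs_local_enrichment")


if __name__ == "__main__":
    for cve_id, row in triage(NVD_SAMPLE, KEV_SAMPLE).items():
        print(cve_id, row)
    print("local backlog:", local_backlog(NVD_SAMPLE, KEV_SAMPLE))
```

Run against a real NVD feed, the `needs_local_enrichment` bucket is the set to route into an organisation's own scoring or a third-party enrichment source; the `kev_pending` bucket can be left to NIST but still deserves immediate attention, since KEV membership already means exploitation has been observed.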


Security researchers said the decision reflects mounting pressure on the global CVE system, but warned it may leave organizations outside the US more exposed.

“The announcement from NIST doesn’t come as a major surprise, given they’ve previously telegraphed intent to move to a risk-based prioritization model for CVE enrichment,” said Caitlin Condon, vice president of Security Research at VulnCheck.

“On the plus side, NIST is clearly and publicly setting expectations for the community amid a huge and escalating rise in new vulnerabilities. But on the other hand, a significant portion of vulnerabilities now appear to have no clear path to enrichment for organizations relying on NIST as their authoritative (or only) source of CVE enrichment data,” she added.


According to Condon, the revised criteria risk narrowing a global problem through a domestic lens.

“It represents a fundamentally US government-centric view of risk that arguably leaves out significant portions of the global community."

Caitlin Condon, vice president of Security Research, VulnCheck

“Speaking one language” with decentralized reporting

Ben Marr, a security engineer at Intruder, said that the prioritization model may overlook common intrusion routes used in real-world breaches.

“The software classified as critical within the executive order covers a broad range of areas. However, many breaches start with an exposed panel or misconfigured endpoint within web applications,” he said.

“These would be deprioritized for enrichment under the new rules, potentially creating blind spots for defenders who are already struggling with prioritization.”


European officials and researchers point to initiatives such as the European Union’s European Vulnerability Database (EUVD) and the European Union’s decentralized GCVE, which launched in January, as alternative models to relying solely on US-run vulnerability infrastructure.

[Image: GCVE vulnerability list. Caption: The global GCVE launched in January by the EU. Image shows a vulnerability list.]

Marr claimed that a more decentralized and interoperable model would reduce reliance on a single national system as AI-driven bug discovery increases the volume of newly reported flaws.

“The EUVD helps us all speak one language and keeps us all protected from funding decisions one government may introduce.”
