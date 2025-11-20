A new report finds that the Common Vulnerabilities and Exposures (CVE) system struggles to keep pace with the realities of modern software development.

The study from Sonatype analyzed 1,552 open source vulnerabilities disclosed in 2025 and found that nearly two-thirds (64 percent) lacked severity scores from the National Vulnerability Database (NVD).

“The CVE program was never built for the scale and speed of modern, component-based software development. That has been the case with open source, and is even more true with AI,” says Brian Fox, CTO and co-founder of Sonatype. “Vulnerability intelligence must shift from indexing what someone assigned yesterday, to delivering real-time insight into what’s actually running in your environment. CVE remains a shared language -- but it can’t be the full story anymore. We need intelligence that is dynamic: version-aware, ecosystem-aware and ready at machine-speed.”

With only 36 percent of open source CVEs having a CVSS score assigned by the NVD, teams can triage effectively in only about a third of cases. On review by Sonatype, nearly half of all un-scored vulnerabilities were scored in the Critical or High range.

Accuracy is a problem too. Of the CVEs that were scored, fewer than one in five severity ratings were correct; 62 percent of NVD scores overstated severity while 34 percent understated it. On top of that, 19,945 false positives and 156,474 false negatives were identified across CVE records -- wasting developer time and obscuring real threats.

Timeliness is also an issue. In 2025 the mean delay between disclosure and NVD scoring was more than six weeks, with some advisories taking up to 50 weeks. This signals that the CVE/NVD pipeline can’t keep pace with today’s exploit timelines, turning ‘official’ data into an operational bottleneck.

The full report is on the Sonatype site.

Image Credit: Fuji Agung/Dreamstime.com