In 2025, 62% of open-source common vulnerabilities and exposures (CVEs) were assigned overstated severity scores, while 64% had no severity score assigned at all by the National Vulnerability Database (NVD).
Of those CVEs that were scored, nearly 62% were overstated, while only approximately 19% accurately reflected Sonatype’s own severity categories.
The figures come from Sonatype’s latest report, which revealed significant flaws in many of the world’s leading vulnerability repositories, including false positives and overstated severity scores.
Sonatype also found 19,945 false positives and 156,474 false negatives arising from advisory discrepancies. These errors undermine the ability to accurately judge the threat posed by an issue and distort both threat triage and automated scanning results.
Delayed Data and False Alerts
Further complicating matters was the time it takes for the NVD to score the vulnerability after it is publicly disclosed.
According to Sonatype, the average delay between public disclosure and NVD scoring was 6 weeks in 2025, with some entries taking over 50 weeks to receive a score. This gap limits the usefulness of NVD data for prioritizing patches during the operational window in which exploitation is most likely.
Additionally, Sonatype’s research demonstrated that inconsistent or overly broad advisory metadata leads to version-range errors that produce tens of thousands of false alerts.
Specific case studies showed these version-range errors misidentifying the vulnerable range, ignoring still-maintained older product branches, and mislabeling patched versions as affected.

Regulatory Compliance Implications
Sonatype warned that both the regulatory and the technical implications of inaccurate or incomplete CVE data cannot be overstated.
Many regulatory frameworks, such as US Executive Order 14028 and the EU Cyber Resilience Act, require the use of CVE data in the creation of Software Bills of Materials (SBOMs). Inaccurate or incomplete CVE data creates the risk of being “technically compliant but practically insecure.”
To correct these shortcomings, Sonatype recommended supplementing CVE Identifiers with context-rich, multi-sourced intelligence as well as:
- Using package-level version mapping.
- Using ecosystem-aware scoring based on exploit and patch data.
- Automatically correlating across advisories, commits, and exploitation activity.
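The version-range errors described above (a single broad range that flags backported fixes, or a narrow range that forgets an older maintained branch) and the package-level version mapping recommended here can be illustrated with a small reconciliation routine. This is an added example, not code from Sonatype or its report; the package, its release lines, fix versions and both advisories are constructed for illustration.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Turn a dotted numeric version string such as '1.5.3' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))

def advisory_affected(version: str, ranges: List[Tuple[str, str]]) -> bool:
    """Advisory view: affected if the version falls in any [lo, hi) range the advisory lists."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)

def package_affected(version: str, branch_fixes: Dict[str, str]) -> bool:
    """Package-level view: each maintained release line carries its own fix version;
    a version is affected only if it sits below the fix for its own line.
    Lines with no entry are treated as released after the fix (not affected)."""
    v = parse_version(version)
    for branch, fixed_in in branch_fixes.items():
        b = parse_version(branch)
        if v[:len(b)] == b:
            return v < parse_version(fixed_in)
    return False

def reconcile(versions, ranges, branch_fixes) -> Dict[str, List[str]]:
    """Bucket each version: 'agree', 'false_positive' (advisory flags a patched build)
    or 'false_negative' (advisory misses a vulnerable build on an overlooked line)."""
    buckets = {"agree": [], "false_positive": [], "false_negative": []}
    for v in versions:
        adv, pkg = advisory_affected(v, ranges), package_affected(v, branch_fixes)
        key = "agree" if adv == pkg else ("false_positive" if adv else "false_negative")
        buckets[key].append(v)
    return buckets

# Constructed sample: a hypothetical package with two maintained lines, 1.x fixed
# in 1.5.3 (backport) and 2.x fixed in 2.1.0. Neither advisory below is real.
BRANCH_FIXES = {"1": "1.5.3", "2": "2.1.0"}
BROAD_ADVISORY = [("0.0.0", "2.1.0")]    # one range "< 2.1.0": ignores the 1.x backport
NARROW_ADVISORY = [("2.0.0", "2.1.0")]   # only the current line: forgets 1.x exists
SAMPLE_VERSIONS = ["1.5.2", "1.5.4", "2.0.9", "2.1.0"]

if __name__ == "__main__":
    for name, ranges in (("broad", BROAD_ADVISORY), ("narrow", NARROW_ADVISORY)):
        print(name, reconcile(SAMPLE_VERSIONS, ranges, BRANCH_FIXES))
```

The broad advisory flags the patched 1.5.4 build as vulnerable, while the narrow one misses the vulnerable 1.5.2 build entirely; only the per-branch mapping gets both right.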
With the increasing adoption of generative AI and autonomous coding agents in organizations, the accuracy of foundational vulnerability data is now an important factor, and the study indicates that defenders who modernize their data pipelines will be best positioned to reduce risk.