Security experts claim the CVE Program isn't up to scratch anymore - inaccurate scores and lengthy delays mean the system needs updating
Briefly

"The world's most widely used vulnerability index - the Common Vulnerabilities and Exposures (CVE) system - is failing, with scores often inaccurate and appearing too late. According to DevSecOps firm Sonatype, of the 1,552 open source vulnerabilities disclosed in 2025, 64% lacked severity scores from the National Vulnerability Database (NVD). Only 36% of open source CVEs had a CVSS score assigned by the NVD, while nearly half of all unscored vulnerabilities were rated 'Critical' or 'High' in severity."
"Over this year, there's been a mean delay of more than six weeks between disclosure and NVD scoring, with some advisories taking up to 50 weeks. This, researchers warned, is creating an operational bottleneck and placing enterprises globally at risk. "In an era where exploit proofs-of-concept appear within hours and patches land within days, such lag times make 'official' data functionally irrelevant. By the time NVD assigns a score, attackers have already exploited and moved on," researchers noted."
"Meanwhile, Sonatype found the ratings themselves are often unreliable. Of the CVEs that were scored, fewer than one-in-five severity ratings were correct. In 62% of cases, the severity of NVD scores was overstated, while 34% understated it. On top of that, 19,945 false positives and 156,474 false negatives were identified across CVE records, thereby wasting developer time and obscuring real threats."
The Common Vulnerabilities and Exposures (CVE) system and NVD scoring are producing many late and inaccurate severity assignments. Of the 1,552 open-source vulnerabilities disclosed in 2025, 64% lacked NVD severity scores and only 36% had CVSS values. The mean delay between disclosure and NVD scoring exceeded six weeks, with some advisories taking up to 50 weeks, so exploitation can begin before an official score exists. Among scored CVEs, fewer than one in five severity ratings were correct; 62% were overstated and 34% understated. Sonatype identified 19,945 false positives and 156,474 false negatives across CVE records. The conclusion is that vulnerability intelligence needs to shift toward real-time, environment-focused insight rather than waiting on a single official score.
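The practical consequence of the figures above is that a triage pipeline cannot block on NVD. The following is an added example, not code from Sonatype, IT Pro or the NVD: it computes the same kind of coverage and lag figures the report quotes over a set of CVE records, and picks an "effective" severity from whichever source is available now (NVD CVSS if assigned, otherwise the disclosing advisory's own rating). The record layout, the `SAMPLE_RECORDS` data and the `CVE-0000-000x` identifiers are constructed placeholders, not real entries.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class CveRecord:
    """One vulnerability as a triage pipeline might hold it (constructed layout)."""
    cve_id: str
    disclosed: date                   # date the vulnerability was publicly disclosed
    nvd_scored: Optional[date]        # date NVD assigned a CVSS score; None if still unscored
    nvd_cvss: Optional[float]         # NVD CVSS base score, if any
    advisory_severity: Optional[str]  # severity stated by the disclosing advisory, if any


# Constructed sample data for illustration only; the ids are placeholders, not real CVEs.
SAMPLE_TODAY = date(2025, 6, 1)
SAMPLE_RECORDS = [
    CveRecord("CVE-0000-0001", date(2025, 1, 10), date(2025, 2, 28), 9.8, "Critical"),
    CveRecord("CVE-0000-0002", date(2025, 3, 1), None, None, "High"),
    CveRecord("CVE-0000-0003", date(2025, 3, 15), date(2025, 3, 20), 5.3, "Medium"),
    CveRecord("CVE-0000-0004", date(2025, 4, 2), None, None, None),
    CveRecord("CVE-0000-0005", date(2025, 5, 5), None, None, "Critical"),
]


def cvss_to_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def effective_severity(rec: CveRecord) -> tuple:
    """Severity to triage on today, plus the source that supplied it.

    Uses the NVD score when one exists and otherwise falls back to the
    advisory's rating instead of leaving the finding unprioritised until
    NVD catches up. Returns ("Unknown", "none") when neither is available.
    """
    if rec.nvd_cvss is not None:
        return cvss_to_severity(rec.nvd_cvss), "nvd"
    if rec.advisory_severity:
        return rec.advisory_severity, "advisory"
    return "Unknown", "none"


def scoring_stats(records, today: date) -> dict:
    """Coverage and lag figures of the kind the report quotes, over a record set."""
    scored = [r for r in records if r.nvd_scored is not None]
    unscored = [r for r in records if r.nvd_scored is None]
    lags = [(r.nvd_scored - r.disclosed).days for r in scored]      # disclosure -> NVD score
    open_days = [(today - r.disclosed).days for r in unscored]      # still waiting on NVD
    unscored_severe = [r for r in unscored
                       if effective_severity(r)[0] in ("High", "Critical")]
    return {
        "total": len(records),
        "unscored": len(unscored),
        "unscored_pct": round(100.0 * len(unscored) / len(records), 1) if records else 0.0,
        "mean_lag_days": round(mean(lags), 1) if lags else 0.0,
        "max_lag_days": max(lags) if lags else 0,
        "oldest_open_days": max(open_days) if open_days else 0,
        "unscored_high_or_critical": len(unscored_severe),
        "unknown_severity": sum(1 for r in records if effective_severity(r)[0] == "Unknown"),
    }


if __name__ == "__main__":
    for key, value in scoring_stats(SAMPLE_RECORDS, SAMPLE_TODAY).items():
        print(f"{key}: {value}")
    for rec in SAMPLE_RECORDS:
        sev, src = effective_severity(rec)
        print(f"{rec.cve_id}: {sev} (from {src})")
```

The `unscored_high_or_critical` and `unknown_severity` counters are the two numbers worth alerting on: the first is the backlog the report describes (serious issues with no official score), the second is what remains unprioritised even after the advisory fallback, and is where a team would want environment-specific context (reachability, exposure) rather than another upstream score.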
Read at IT Pro