The average number of open-source vulnerabilities in commercial codebases increased by a history-making 107% in 2024, Black Duck’s 2026 Open Source Security and Risk Analysis (OSSRA) report revealed Wednesday.The increase in vulnerabilities correlates with an overall increase in codebase size and complexity, with the average number of files per codebase increasing by 74% and the average number of open-source components increasing by 30%.Black Duck cited the rise of AI coding assistants as a likely driver of an unprecedented surge in overall code volume between 2023 and 2025, as well as one of many factors in the correlating increase in vulnerabilities.The OSSRA report is based on audits of 947 codebases across 17 industries, totaling 2,843 individual projects, between November 2024 and October 2025. Code bases are scanned against Black Duck’s KnowledgeBase, which includes data from more than 10 million open-source projects and 317,000 open-source vulnerabilities.
Related reading:
The overall vulnerability count can include the same vulnerability present in multiple parts of a codebase, while unique vulnerabilities refers to the number of distinct vulnerabilities (i.e. CVEs) across the entire codebase.On average, codebases contained 581 vulnerabilities and 237 unique vulnerabilities in 2025, with the maximum vulnerabilities in a single codebase reaching 38,998. The median number of vulnerabilities was 78, a 32% increase from the previous year.“While 581 vulnerabilities per application sounds dramatic, it’s largely transitive dependency sprawl, inherited multiple layers deep,” Saumitra Das, vice president of engineering at Qualys, noted in comments to SC Media. “The 107% year-over-year increase reflects compounding complexity, not careless development.”The most common CVEs were CVE-2020-11022 and CVE-2020-11023, two medium-severity cross-site scripting (XSS) flaws in jQuery, each present in 28% of codebases. CVE-2020-11023 was added to the Cybersecurity and Infrastructure Security Agency’s Know Exploited Vulnerabilities (CISA KEV) catalog in January 2025.Despite the overall increase in vulnerabilities, the average number of codebases containing high-severity and critical vulnerabilities decreased by 3 and 4 percentage points, respectively, between 2024 and 2025. Still, critical vulnerabilities were found in 44% of codebases, and high-severity flaws in 78%.AI was considered to be one potential factor in the increase in open-source vulnerabilities present, as it increases the pace of development and therefore the rate at which new dependences are added to codebases, according to Black Duck. AI is also more likely to suggest popular and well-established open-source libraries with more documented vulnerabilities due to their widespread use and increased scrutiny.“There are no rules that AI-assisted growth has to follow. It adds code, dependencies, and architectural choices at a speed that is faster than what standard review and fix processes can handle,” Randolph Barr, CISO at Cequence Security, told SC Media. “The growing gap between the speed of innovation and the maturity of governance is what I find most important.”Another likely factor in the increase is the overall increase in open-source vulnerability disclosures during the study time period, partly driven by the addition of the Linux Kernel team as a CVE Numbering Authority (CNA) in early 2024. As a result, more than 5,000 Linux Kernel vulnerabilities were disclosed during the auditing period, the report notes.
Application security, DevSecOps, Vulnerability Management, Patch/Configuration Management, Critical Infrastructure Security, Supply chain

Open-source vulnerabilities per codebase surge by 107%


Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



