In some instances, you may find that artifacts in Xray will be detected as having vulnerabilities with an unknown severity. This means that while Xray was able to identify a given artifact as vulnerable, there were no CVEs attached to the vulnerability.
This can occur because not all the sources from which information is collected will have a valid CVE with an official CVSS severity score. Typically, there will be some security implications associated with such artifacts but, lacking a CVSS score, Xray can only indicate that the vulnerability severity level is “unknown.”