diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java
index 92f6c2896..96b64de9d 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java
@@ -272,7 +272,9 @@ public class NvdCve20Handler extends DefaultHandler {
         final String cveName = vuln.getName();
         if (prevVersionVulnMap != null && prevVersionVulnMap.containsKey(cveName)) {
             final List<VulnerableSoftware> vulnSoftware = prevVersionVulnMap.get(cveName);
-            vuln.getVulnerableSoftware().addAll(vulnSoftware);
+            for (VulnerableSoftware vs : vulnSoftware) {
+                vuln.updateVulnerableSoftware(vs);
+            }
         }
         if (cveDB != null) {
             cveDB.updateVulnerability(vuln);