Hi GitHub,
Our automated CVSS enrichment pipeline detected some discrepancies between GitHub's provided vector and ours. Since this also passed a GitHub review, I thought it would be helpful to share my insights here, so that the vector or its justification might be corrected. For reference, this was the output from our AI pipeline: https://graph.volerion.com/view?id=CVE-2026-25921.
For the current vector, Scope is Changed (S:C), due to the stated supply-chain attack vector, but I believe this to be secondary impact that an attacker cannot expect to achieve for all or most instances of an attack against this product. Otherwise, including that 'appendage' would increase attack complexity via either AC (an automated system must later pull and utilize the poisoned source) or UI (a user does the same).
Additionally, A:L may have been set due to a common misconception regarding Availability impact. The vulnerable system is still fully available, albeit serving different content than intended, and therefore directly suffers a serious loss of integrity only.
The final vector would then be:
https://volerion.com/cvss/3.1#vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
With a changed base score from 9.3 to 7.5.
Thanks!