Hi GitHub,
Our automated CVSS enrichment pipeline detected some discrepancies between GitHub's provided vector and ours. Since this also passed a GitHub review, I thought it would be helpful to share my insights here, so that the vector or its justification might be corrected. For reference, this was the output from our AI pipeline: https://graph.volerion.com/view?id=CVE-2026-35035.
For the current vector, UI:N was set rather than UI:R, likely due to the fact that the Cross-Site Scripting payload triggers on the main landing page, but that is still considered user interaction in CVSS terms, i.e. the attacker cannot exploit this at will and user participation is required in some manner. This was later clarified in the documentation for CVSS v4.
Additionally, impact represents the delta change in capabilities and an attacker with administrator access already has complete or near-complete control over their domain, so C:H/I:H/A:H seems like an impossible stretch.
My suggestion would be to change UI:N to UI:R and C:H/I:H/A:H to C:L/I:L/A:N, which is the higher-scoring impact group taken from the subsequent browser system, rather than the potential low-integrity repudiation impact suffered by the vulnerable system.
The final vector would then be:
https://volerion.com/cvss/3.1#vector=CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
which comes down to a base score of 4.8, a serious downgrade from 9.1.
Thanks!