Add CVSS 3.1 severity for GHSA-qjm7-55vv-3c5f #6944

Merged: advisory-database[bot] merged 1 commit into github:sunnypatell/advisory-improvement-6944 from sunnypatell:add-cvss31-GHSA-qjm7-55vv-3c5f on Feb 17, 2026

Conversation

@sunnypatell

adds CNA-sourced CVSS 3.1 severity score to this advisory which currently has no CVSS scoring.

  • source: NVD (CNA-provided)
  • score: 3.5 (LOW)
  • vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Copilot AI review requested due to automatic review settings February 17, 2026 20:07
@github-actions github-actions bot changed the base branch from main to sunnypatell/advisory-improvement-6944 February 17, 2026 20:09
@sunnypatell sunnypatell force-pushed the add-cvss31-GHSA-qjm7-55vv-3c5f branch from a74d8d2 to 31af42a February 17, 2026 20:11

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@shelbyc (Contributor)

shelbyc commented Feb 17, 2026

Hi @sunnypatell, the only change I made was setting attack vector to network. I'm not sure how VulDB got an attack vector of adjacent for a ReDoS.

@advisory-database advisory-database bot merged commit 88ecc6d into github:sunnypatell/advisory-improvement-6944 Feb 17, 2026
1 check passed
@advisory-database (Contributor)

Hi @sunnypatell! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@sunnypatell (Author)

good catch @shelbyc. NVD actually rescored this as AV:N in their primary assessment too, overriding VulDB's AV:A. looking at it more closely, both this one (mel-spintax, text parsing) and #6945 (sisimai, email parsing) had identical VulDB vectors despite being completely different packages, which suggests templated scoring rather than actual per-CVE analysis. both process input that arrives over the network so AV:A never made sense. will cross-reference CNA vectors against NVD's primary assessment on future vuldb-sourced submissions.

2 participants