Tag
#cvss
4 posts tagged #cvss.
-
Analysis · Jun 3, 2026 · Colten Anderson
Everything is critical, so nothing is critical
A third of last year's CVEs were rated High or Critical, but only a few percent ever get exploited. The severity score was never a risk score, and the queue that treats it like one is the reason confirmed-exploited bugs sit unpatched for 43 days.
-
Analysis · May 20, 2026 · Colten Anderson
When the catalog says 'authenticated' and the researcher says it isn't
The KEV entry for CVE-2023-40044 calls it an authenticated attack. The researchers who found it demonstrated remote code execution with no login at all. When your authoritative sources disagree about whether a bug needs credentials, plan around the scarier answer.
-
Analysis · May 14, 2026 · Colten Anderson
Does this CVE actually apply to you? Three filters before you patch
Single-score triage fails in both directions: 10.0s that don't apply to your environment, and 4.3s that get exploited in the wild for 13 days. Three filters, applied before the score is even consulted, reduce the queue.
-
Analysis · May 5, 2026 · Colten Anderson
The 6.5 that enabled 400 compromises: authentication bypasses and the CVSS blind spot
CVE-2025-49706 scored CVSS 6.5. It enabled unauthenticated RCE across 400+ SharePoint servers. Authentication bypasses are consistently scored too low by CVSS, and they are consistently the vulnerability class that turns a bad bug into a mass-exploitation campaign.
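The four posts above share one argument: the CVSS base score is not a risk score, and a patch queue should be ordered by applicability, exploitation evidence and whether the bug is reachable without credentials. The script below is an added illustration of that argument and is not code from any of the posts. The three filters it applies (installed and in the affected range; listed in a known-exploited catalog; network-reachable with no credentials, treating conflicting sources as "unauthenticated") are this example's own choice, not necessarily the three filters the May 14 post names. All CVE identifiers (CVE-0000-000x), products, versions, CVSS vectors and the inventory are constructed placeholders.

```python
"""Re-rank a vulnerability queue by applicability, exploitation and reachability.

Added example; not code from the posts above. All data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder identifier, not a real CVE
    cvss: float              # CVSS v3.1 base score as published
    vector: str              # CVSS v3.1 vector string (constructed)
    product: str
    affected_before: str     # versions below this are affected
    in_kev: bool             # listed in a known-exploited catalog
    kev_says_authenticated: Optional[bool] = None       # what the catalog says
    research_says_authenticated: Optional[bool] = None  # what the researcher says


# Constructed asset inventory: product -> installed version.
INVENTORY: Dict[str, str] = {
    "ExampleFTP": "8.7.3",
    "ExamplePortal": "16.0.1",
    "ExampleVPN": "2.4.9",
}


def parse_vector(vector: str) -> Dict[str, str]:
    """Split a CVSS v3.x vector string into {metric: value}."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3"):
        raise ValueError(f"unsupported vector: {vector}")
    return dict(p.split(":", 1) for p in parts[1:])


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def applies(f: Finding, inventory: Dict[str, str]) -> bool:
    """Filter 1: the product is installed and the installed version is affected."""
    installed = inventory.get(f.product)
    return installed is not None and version_tuple(installed) < version_tuple(f.affected_before)


def needs_credentials(f: Finding) -> bool:
    """Treat the bug as unauthenticated unless every available source says otherwise.

    When the catalog and the researcher disagree, this picks the scarier answer.
    """
    votes = [f.kev_says_authenticated, f.research_says_authenticated]
    votes.append(parse_vector(f.vector).get("PR", "N") != "N")  # PR:N means no privileges
    return all(v for v in votes if v is not None)


def unauth_network_reachable(f: Finding) -> bool:
    """Filter 3: remotely reachable with no credentials (the auth-bypass blind spot)."""
    return parse_vector(f.vector).get("AV") == "N" and not needs_credentials(f)


def tier(f: Finding) -> int:
    """Lower is more urgent. Exploitation evidence (filter 2) outranks the base score."""
    if f.in_kev and unauth_network_reachable(f):
        return 1
    if f.in_kev:
        return 2
    if unauth_network_reachable(f) and f.cvss >= 7.0:
        return 3
    return 4


def triage(findings: List[Finding], inventory: Dict[str, str] = INVENTORY) -> List[Tuple[str, int, float]]:
    """Drop what does not apply, then order by tier; CVSS is only a tiebreaker."""
    applicable = [f for f in findings if applies(f, inventory)]
    ordered = sorted(applicable, key=lambda f: (tier(f), -f.cvss))
    return [(f.cve, tier(f), f.cvss) for f in ordered]


def by_cvss(findings: List[Finding]) -> List[str]:
    """The naive queue: the severity score treated as a risk score."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


# Constructed findings; identifiers are placeholders, not real CVEs.
FINDINGS: List[Finding] = [
    Finding("CVE-0000-0001", 10.0, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "ExampleDB", "5.0.0", in_kev=False),                     # not in inventory
    Finding("CVE-0000-0002", 4.3, "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "ExampleVPN", "2.5.0", in_kev=True),                      # low score, exploited
    Finding("CVE-0000-0003", 6.5, "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "ExampleFTP", "8.7.4", in_kev=True,
            kev_says_authenticated=True, research_says_authenticated=False),  # sources disagree
    Finding("CVE-0000-0004", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "ExamplePortal", "16.0.2", in_kev=False),
    Finding("CVE-0000-0005", 7.8, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "ExamplePortal", "16.0.2", in_kev=False),                 # local only
]

if __name__ == "__main__":
    print("by CVSS:", by_cvss(FINDINGS))
    print("triaged:", triage(FINDINGS))
```

Run as written, the CVSS-sorted queue puts the non-applicable 10.0 first and the exploited 4.3 last; the triaged queue drops the 10.0 entirely and puts the two known-exploited, unauthenticated-reachable bugs at the top, with the 6.5 whose sources disagree about credentials treated as unauthenticated. In a real pipeline the `in_kev` flag and the `INVENTORY` map would be populated from the KEV catalog feed and an asset inventory rather than hard-coded.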