[GHSA-h4j7-5rxr-p4wc] Microsoft.Build.Tasks.Core .NET Spoofing Vulnerability

[udlose]

Updates

• CVSS v3

Comments

• The CVSS rating of Low for this advisory does not match the CVSS rating of High in CVE.org - CVE-2025-26646
• The CVSS rating of 0/10 for this advisory does not match the CVSS rating of 8.0 in CVE.org - CVE-2025-26646

[github]

Hi there @rbhanda! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[Copilot]

Pull Request Overview

This PR addresses discrepancies in CVSS ratings for the Microsoft.Build.Tasks.Core .NET Spoofing Vulnerability advisory by updating the severity section and a modified timestamp in the JSON file.

• Updated modified timestamp.
• Removed the CVSS_V3 severity object in favor of using the CVSS_V4 score only.

Comments suppressed due to low confidence (1)

advisories/github-reviewed/2025/05/GHSA-h4j7-5rxr-p4wc/GHSA-h4j7-5rxr-p4wc.json:11

• Removing the CVSS_V3 severity object may lead to discrepancies with external CVSS ratings referenced in the advisory comments. Consider adding a clarifying note in the advisory details to specify that only the CVSS_V4 score is used to ensure consistency across sources.

{ "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }

[github]

Hi there @rbhanda! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[github]

Hi there @rbhanda! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[udlose]

@victorisr, @rbhanda please also update your announcement here: GHSA-h4j7-5rxr-p4wc

[advisory-database]

Hi @udlose! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

[shelbyc]

Hi @udlose, I agree with changing the CVSS of GHSA-h4j7-5rxr-p4wc to match the CVSS chosen by the Microsoft Corporation CNA. I can't change the repository advisory, but the global advisory has been updated to reflect the CVSS provided at https://nvd.nist.gov/vuln/detail/CVE-2025-26646.