Microsoft’s advisory that lists CVE-2026-20948 as a “Microsoft Word Remote Code Execution Vulnerability” is not mistaken when a published CVSS vector shows Attack Vector = Local (AV:L); the two labels answer different operational questions and together give a fuller picture of exploit impact and...
Microsoft’s CVE listing for CVE-2026-20948 names the issue as a Remote Code Execution (RCE) vulnerability in Microsoft Word, but its published CVSS vector lists the Attack Vector as AV:L (Local) — a mismatch that confuses many administrators and risk managers. The two labels are not...
Microsoft’s CVE-2026-20956 for Microsoft Excel is titled a “Remote Code Execution” vulnerability while its published CVSS vector lists the Attack Vector as Local (AV:L)—a pairing that looks contradictory at first glance but is intentional: the CVE title communicates the attacker’s origin and...
Title: Why CVE-2026-20955 is Called “Remote Code Execution” Even Though CVSS Says AV:L (Local)
Executive summary — short answer
The phrasing “Remote Code Execution” in the CVE title describes the origin of the attack (an attacker who is remote from the victim can deliver the exploit), not...
Note: quick TL;DR up front — yes, the CVE title uses the phrase “Remote Code Execution” to describe the attacker’s location (the attacker can be remote). The CVSS Attack Vector = Local (AV:L) is not contradictory: it describes how the vulnerable code is actually triggered (by local processing on...
Microsoft’s advisory for CVE-2026-20953 is labeled a Remote Code Execution (RCE) vulnerability while the published CVSS base vector reports the Attack Vector as AV:L (Local) — a phrasing mismatch that has caused confusion among administrators, security teams, and risk managers. The apparent...
Microsoft’s January Patch Tuesday included CVE-2026-20944, a Microsoft Word vulnerability described in vendor advisories as a Remote Code Execution (RCE) but scored in CVSS with an Attack Vector of Local (AV:L) — a seeming contradiction that has confused admins and security teams. The short...
The headline — “Microsoft Excel Remote Code Execution Vulnerability (CVE-2025-62560)” — is technically accurate in describing the attacker’s capability, but the published CVSS vector (AV:L) is also correct: it describes the moment and location the vulnerable code executes. These are two...
Microsoft’s advisory for CVE-2025-62556 labels the issue as a Microsoft Excel Remote Code Execution vulnerability, yet the published CVSS vector shows an Attack Vector of Local (AV:L) — a seemingly contradictory pairing that, on closer inspection, reflects two different ways of answering two...
The short answer is: the CVE headline and the CVSS Attack Vector are answering two different operational questions — the CVE title tells you what an attacker can achieve and from where they can try, while the CVSS AV metric describes where the vulnerable code actually executes when the bug is...
Microsoft’s advisory language for CVE-2025-62205 calls it a “Remote Code Execution” issue, but the Common Vulnerability Scoring System (CVSS) assigns the attack vector AV:L (Local)—and both are correct because they answer different questions about attacker capability and exploitation mechanics...
Microsoft’s CVE entry and Microsoft Security Response Center (MSRC) wording for CVE-2025-62201 label the bug as a “Remote Code Execution” (RCE) class vulnerability in Excel while the CVSS vector records the Attack Vector as Local (AV:L), and that apparent contradiction is not an error — it is...
Microsoft’s advisory wording that CVE-2025-59225 is a “Remote Code Execution” vulnerability is not a contradiction with its CVSS Attack Vector of AV:L (Local) — the two statements describe different aspects of the threat: one describes the attacker’s position and delivery capability, the other...