cvss vector explained
About this tag
The tag 'cvss vector explained' covers the interpretation of CVSS vectors, particularly when the Attack Vector field appears to conflict with a vulnerability's headline classification. A detailed thread on WindowsForum.com examines Microsoft's CVE-2026-20952, an Office RCE vulnerability where the CVSS vector shows AV:L (Local) despite the Remote Code Execution label. The discussion clarifies that the CVE headline describes the attacker's location and ultimate impact, while the CVSS Attack Vector specifies where the vulnerable code executes at exploitation time. This tag helps users understand how to read CVSS vectors correctly and resolve apparent mismatches between CVSS metrics and vulnerability descriptions.
Microsoft’s CVE entry for the Office vulnerability CVE‑2026‑20952 is labeled a “Remote Code Execution” issue even though the published CVSS vector shows the Attack Vector as Local (AV:L) — this is intentional language, not an error: the CVE headline signals where the attacker can be located and...