CVE-2023-27536
Announced by the #curl project back in March 2023. We deem it severity Low. https://curl.se/docs/CVE-2023-27536.html
NVD, in their infinite wisdom, thinks this is a CRITICAL 9.8 flaw: https://nvd.nist.gov/vuln/detail/CVE-2023-27536
I wish I knew how to fix this annoying problem but talking or whining to NVD certainly does not seem to help.
After my complaint the NVD has "downgraded" it to a 7.5 (high).
My response: you are scaremongering. It is not a high either.
@bagder 100% agreed that the CVSS scoring system and "assume the worst" guidance makes for scores that do not accurately reflect importance. Especially for very broad-use things.
My take on this is that, like it or not, more open source projects of note need to become "CNA" (certificate numbering authorities) of their own which I understand can given them some control over the content of CVEs filed against their project. https://www.cve.org/ProgramOrganization/CNAs
daniel:// stenberg://
Gregory P. Smith (he/him) 
🚲🦝 