Brief: Modification of the CVSS scoring system in Cert-IST’s advisories and alerts

Date : January 07, 2026

Today, the criticality of vulnerabilities in Cert-IST advisories and alerts is evaluated using two metrics: EISPP and CVSS version 3. The release of CVSS 4.0 in November 2023 requires an evolution of our security advisories and alerts in order to take this new version into account. A description of CVSS 4.0 was already published in our October 2025 Bulletin (issue 337), entitled “CVSS 4.0 in Cert-IST Advisories”, including a comparison with the previous version.

Starting on April 1, 2026, all new advisories published by Cert-IST will be evaluated using CVSS version 4.0. The EISPP assessment will remain unchanged.

Regarding updates to advisories created before April 1, 2026, the CVSS version used at the time of creation will remain unchanged. For example, an advisory created in 2025 using CVSS version 3 will keep its CVSS version 3 evaluation even if it is updated after March 31, 2026.

Concerning the XML format, the optional attribute version="3.0" will be updated, and the base and temporal vector tags will reflect the new CVSS v4 assessment model (new criteria). It is worth noting that scores will continue to be expressed on a 1–10 scale.

Example of current XML code tags for vulnerability scoring in v3:

<Vulnerability_Score>
    <CVSS version="3.0">
        <cvss_issuer>CERT-IST</cvss_issuer>
        <cvss_vuln_id>CERT-IST/AV-2026.0186</cvss_vuln_id>
        <cvss_base_score>8.8</cvss_base_score>
        <cvss_base_vector>AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</cvss_base_vector>
        <cvss_temporal_score>7.7</cvss_temporal_score>
        <cvss_temporal_vector>AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C</cvss_temporal_vector>
    </CVSS>
</Vulnerability_Score>

Example of the new XML code tags for vulnerability scoring in v4:

<Vulnerability_Score>
    <CVSS version="4.0">
        <cvss_issuer>CERT-IST</cvss_issuer>
        <cvss_vuln_id>CERT-IST/AV-2025.2006</cvss_vuln_id>
        <cvss_base_score>8.7</cvss_base_score>
        <cvss_base_vector>AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N</cvss_base_vector>
        <cvss_temporal_score>7.4</cvss_temporal_score>              <cvss_temporal_vector>AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P</cvss_temporal_vector>
    </CVSS>
</Vulnerability_Score>

If you have any questions or would like additional information about this evolution, which will be implemented starting on April 1, 2026, please feel free to contact us.

Previous Previous Next Next Print Print

© 2026 Cert-IST