I agree with Solar Designer on #CVSS uselessness when rating library #vulnerabilities:
"What this tells us is that CVSS base scores are pretty much unusable for ranking library and interpreter vulnerabilities. Adding temporal and exploitability metrics may improve things, but also mostly when applied not just to the libraries, but to their specific uses. Since this is generally too hard, I think a future revision of CVSS should have adjustments in the base score for issues that are not directly exposed."
from: https://www.openwall.com/lists/oss-security/2024/12/25/3