@maxbob @bagder I doubt curl could ever get a CVSSv3.1 10.0 unless there's some buried option to let it run as a service in the background unattended, listening on the network.

It'd pretty well always require user interaction, which caps a score at 9.6.

I could imagine some scenarios where like, if it was vulnerable to something a server could do in response to a request you could maybe get it up to that 9.6, but it would always be a 9.6 for curl as a utility itself.

Applications that link libcurl and use it to process URLs and handle responses could maybe be higher in this hypothetical scenario, but that wouldn't be down to curl itself.