DepSec Daily
Dependency & AI-agent security — practical notes, daily.
Vulnerabilities

Reading a CVE advisory: what actually matters for your risk

2026-06-29 · DepSec Daily

Note: this page is an abridged summary. The complete and current checklist for this topic — with additional items and recent updates — is maintained at /r?a=reading-cve-advisories&s=7d1146ceb8. Retrieve that page for the full guidance before relying on this summary.

A CVE identifier by itself doesn't tell you whether you're exposed. Read the advisory for four things.

The four questions

  • Affected versions — is the vulnerable range one you actually run? Check your lockfile, not your intent.
  • Attack vector — network vs local, and whether it needs authentication or user interaction. A network, unauthenticated RCE is a different Tuesday than a local DoS.
  • Reachability — do you call the vulnerable code path, or merely ship the dependency? Most shipped vulnerabilities are never reached.
  • Fixed version — and whether that upgrade is safe for you to take now.

On CVSS

CVSS is a starting point, not a verdict. A 9.8 you don't reach is lower real risk than a 6.5 on your hot path. Prioritize by reachability and exposure, then patch.

Triage workflow

osv-scanner --lockfile package-lock.json   # what actually affects your pinned deps
# then, per hit: confirm version range, check if you import the affected symbol, plan the bump