[GHSA-9mv3-2cwr-p262] Microsoft Security Advisory CVE-2026-40372 – ASP.NET Core Elevation of Privilege

[rbhanda]

Updates

• CVSS v3
• Severity

Comments
updating CVSS for PR to N

[github]

Hi there @bribrothers! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the GitHub Security Advisory record for GHSA-9mv3-2cwr-p262 by adjusting the CVSS v3 vector and escalating the overall severity to reflect the revised scoring.

Changes:

• Updated the CVSS v3.1 vector from PR:L to PR:N
• Changed severity from HIGH to CRITICAL

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Changing PR:L to PR:N materially alters the base score and implied exploit prerequisites. Please ensure this vector exactly matches the authoritative source (e.g., MSRC/NVD) and that any computed numeric CVSS score fields (if present elsewhere in this advisory format) remain consistent with this vector; otherwise consumers may display conflicting severity/scoring.

[Copilot]

With the severity bumped to CRITICAL, it would help to keep the record internally consistent by ensuring the severity aligns with the CVSS base score implied by the updated vector (and any severity mapping rules used in this repo). If the repo has a convention of deriving severity from CVSS rather than setting it manually, consider updating/adding a comment or metadata field indicating the source of the severity decision to reduce future churn.