CVSS4 support in Dependency Track
Current Behavior
Currently we are not able to see CVSS4 scoring in Dependency Track.
Proposed Behavior
As NVD supports the CVSS4 scoring system for vulnerabilities, it should also be shown in Dependency Track.
Checklist
- [x] I have read and understand the contributing guidelines
- [x] I have checked the existing issues for whether this enhancement was already requested
We've been waiting on https://github.com/stevespringett/cvss-calculator/issues/78 as a precondition, but I think we might just switch to https://github.com/org-metaeffekt/metaeffekt-core instead.
Switching to that is currently soft-blocked by https://github.com/org-metaeffekt/metaeffekt-core/issues/242 - there are workarounds possible, but they are pretty ugly.
This is critical, as many CVEs with CRITICAL, HIGH SEVERITY fall under this bucket.
Are there any updates on this issue? I noticed a vulnerability with Severity Unassigned, but it is actually a critical vulnerability.
https://nvd.nist.gov/vuln/detail/CVE-2025-7783
I assume it is Unassigned because it does not have CVSS 3.x.
It only has CVSS 4.0.
Technically, DT can now handle 4.0, but it's not used anywhere yet.
Any updates on this? We're looking to start moving over to CVSS 4.0 and Dependency Track can't be part of that move until that gets implemented.
I have created pull request #5456 with an initial implementation of CVSSv4 support. For now my work is focused on the server side, though I plan to work on the frontend next. If you're tracking this issue, I would love to hear your feedback.