Including CVE References in Release Notes

How to properly reference CVE identifiers in release notes. Covers CVE formatting, CVSS scores, NVD links, and CWE classification for vulnerability documentation.

Security

Detailed Explanation

CVE References in Release Notes

When a vulnerability has been assigned a CVE (Common Vulnerabilities and Exposures) identifier, your release notes should reference it in a standardized way that helps security teams assess and track the issue.

Standard CVE Reference Format

### Security

- **CVE-2026-12345** (CVSS 7.5 High): SQL injection in query
  builder when using unsanitized user input with `dynamicWhere()`.
  CWE-89.
  - **Affected:** v1.5.0 - v1.7.5, v1.8.0 - v1.8.2
  - **Fixed:** v1.8.3, v1.7.6 (LTS)
  - **Workaround:** Until upgraded, do not pass user-controlled
    values to `dynamicWhere()`; validate them against an allowlist first
  - **Credit:** @researcher-name
  - **Advisory:** [GHSA-xxxx-xxxx-xxxx](link)

The affected ranges must exclude every fixed version: a backported LTS fix (v1.7.6 here) splits the vulnerable range into one span per release line, so "v1.5.0 - v1.8.2" would wrongly mark v1.7.6 as vulnerable.

CVE Metadata

| Field | Example | Purpose |
|---|---|---|
| CVE ID | CVE-2026-12345 | Unique identifier assigned by a CVE Numbering Authority (CNA); the key that NVD, scanners and SBOM/VEX tooling match on |
| CVSS Score | 7.5 (High) | Standardized severity rating; state the CVSS version (v3.1 or v4.0) and include the vector string in the advisory, since the two versions can score the same bug differently |
| CWE | CWE-89 | Weakness classification (the root-cause category, not the specific bug) |
| GHSA | GHSA-xxxx-xxxx-xxxx | GitHub Security Advisory ID, when the advisory is published there |

CVSS Severity Ranges

Qualitative ratings used by CVSS v3.x and v4.0 for the base score:

| Score | Rating |
|---|---|
| 0.0 | None |
| 0.1 - 3.9 | Low |
| 4.0 - 6.9 | Medium |
| 7.0 - 8.9 | High |
| 9.0 - 10.0 | Critical |

Machine-Readable Format

For tooling that ingests release notes (vulnerability scanners, SBOM and VEX generators), consider adding structured data alongside the prose. The layout below is ad hoc; if downstream consumers need a standard format, publish an OSV or CSAF document as well. As in the prose entry, the affected ranges must exclude every fixed version: with a 1.7.6 LTS backport, a single range `>=1.5.0 <1.8.3` would wrongly mark 1.7.6 as vulnerable, so list one range per release line.

{
  "advisories": [
    {
      "id": "CVE-2026-12345",
      "severity": "high",
      "cvss": 7.5,
      "cwe": "CWE-89",
      "affected_versions": [">=1.5.0 <1.7.6", ">=1.8.0 <1.8.3"],
      "fixed_versions": ["1.8.3", "1.7.6"],
      "description": "SQL injection in dynamicWhere()"
    }
  ]
}
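Records in this shape are easy to get subtly wrong (a severity label that disagrees with the score, a fixed version that falls inside an affected range, a malformed identifier), so it is worth checking them before the notes ship. The following validator is an added example written for this page, not code from the Release Notes Generator tool or any project; it assumes the page's own ad hoc JSON keys and a range syntax of space-separated comparators (`>=`, `>`, `<`, `<=`) over dotted integer versions, and it encodes the CVSS severity bands from the table above.

```python
"""Consistency checks for advisory records in the machine-readable layout above.
Added example, not code from the Release Notes Generator tool: the JSON keys are
the page's own ad hoc format, and the range syntax (space-separated comparators
such as ">=1.5.0 <1.7.6", applied to dotted integer versions) is an assumption."""
import json
import operator
import re

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")          # year, then four or more digits
CWE_RE = re.compile(r"^CWE-\d+$")
RANGE_TOKEN_RE = re.compile(r"^(>=|<=|>|<)(\d+(?:\.\d+)*)$")
COMPARATORS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}


def severity_for(score: float) -> str:
    """Qualitative rating for a CVSS v3.x / v4.0 base score, per the table above."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def parse_version(text: str) -> tuple:
    """'v1.8.3' or '1.8.3' -> (1, 8, 3); tuples compare component-wise."""
    return tuple(int(part) for part in text.lstrip("v").split("."))


def in_range(version: str, spec: str) -> bool:
    """True when version satisfies every comparator in spec, e.g. '>=1.5.0 <1.7.6'."""
    ver = parse_version(version)
    for token in spec.split():
        match = RANGE_TOKEN_RE.match(token)
        if not match:
            raise ValueError(f"bad range token {token!r} in {spec!r}")
        if not COMPARATORS[match.group(1)](ver, parse_version(match.group(2))):
            return False
    return True


def validate(advisory: dict) -> list:
    """Return the problems found in one record; an empty list means it is consistent."""
    problems = []
    if not CVE_RE.match(str(advisory.get("id", ""))):
        problems.append(f"malformed CVE id {advisory.get('id')!r}")
    if not CWE_RE.match(str(advisory.get("cwe", ""))):
        problems.append(f"malformed CWE id {advisory.get('cwe')!r}")
    score = advisory.get("cvss")
    try:
        expected = severity_for(float(score))
    except (TypeError, ValueError):
        problems.append(f"invalid CVSS score {score!r}")
    else:
        if advisory.get("severity") != expected:
            problems.append(
                f"severity {advisory.get('severity')!r} does not match CVSS {score} ({expected})")
    ranges = advisory.get("affected_versions", [])
    if isinstance(ranges, str):            # accept a single range string as well as a list
        ranges = [ranges]
    # A fixed version must not fall inside any affected range; this is exactly the
    # inconsistency a single '>=1.5.0 <1.8.3' range produces with a 1.7.6 LTS fix.
    for fixed in advisory.get("fixed_versions", []):
        for spec in ranges:
            if in_range(fixed, spec):
                problems.append(f"fixed version {fixed} lies inside affected range {spec!r}")
    return problems


# Constructed sample records.  GOOD is the corrected record from the page; BAD keeps
# a single affected range across both release lines and mislabels the severity.
GOOD = json.loads("""{
  "id": "CVE-2026-12345", "severity": "high", "cvss": 7.5, "cwe": "CWE-89",
  "affected_versions": [">=1.5.0 <1.7.6", ">=1.8.0 <1.8.3"],
  "fixed_versions": ["1.8.3", "1.7.6"],
  "description": "SQL injection in dynamicWhere()"
}""")
BAD = dict(GOOD, affected_versions=">=1.5.0 <1.8.3", severity="medium")

if __name__ == "__main__":
    for name, record in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate(record) or "ok")
```

Running it reports the corrected record as consistent and flags two problems in the other: the "medium" label contradicts a 7.5 score, and 1.7.6 sits inside the single affected range even though it is listed as fixed. Wire `validate()` into the release pipeline so a release fails before notes with contradictory advisory data reach scanners.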

Linking to Resources

Always link to:

  • CVE record: https://www.cve.org/CVERecord?id=CVE-2026-12345
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-12345 (NVD enrichment can lag the release; keep the link anyway, it resolves once the record is published)
  • GitHub Advisory: if hosted on GitHub
  • Your own advisory page: with full details and mitigation steps

Timeline in Advisory

2026-01-15: Vulnerability reported
2026-01-17: Confirmed and assigned CVE
2026-02-01: Fix developed and tested
2026-02-15: Fix released (this release)
2026-03-15: Full disclosure published

Use Case

Documenting vulnerabilities with proper CVE references for enterprise users, security teams, and compliance audits that require standardized vulnerability identification and severity assessment.
