The osv tells this is a 10.0 critical cve https://osv.dev/vulnerability/GHSA-9qr9-h5gf-34mp while the nist did not even provide a base score. We should fallback to the OSV score if we do not already have one available.

https://nvd.nist.gov/vuln/detail/CVE-2025-66478