OSV scheme basically relies on CVSS scores for "severity", which is fine, but I found a case where CVSS score was not specified, yet a severity existed. It was inside the "database_specific" field. I wonder if we should look for this as a backup.

Here is the example: https://osv.dev/vulnerability/GHSA-j436-h7hm-rx46