goark / go-cvss

Common Vulnerability Scoring System (CVSS)

Improper Input Validation in CVSS v2 parsing

pandatix opened this issue · comments

During differential fuzzing with github.com/pandatix/go-cvss, I discovered that some invalid inputs did not raise errors.
This could be categorized as CWE-20.

For instance, the following Go code does not produce any error (using tag v1.4.4).

package main

import (
	"fmt"

	"github.com/goark/go-cvss/v2/base"
)

func main() {
	vec, err := base.Decode("AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/rc:C")

	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}

produces ->

vec: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
err: <nil>

You can check this input is invalid by looking at the specification Table 13 which shows metrics are only uppercase.
This issue is similar to #15 but related to metrics directly and not their values.
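For reference, here is a strict CVSS v2 vector validator written as an added example (not code from go-cvss or from the issue author) that rejects the `rc:C` input above. It compares metric names and values against the specification tables exactly as they are spelled there, which covers both this report (metric names) and the value case from #15. Note that exact matching is stricter than an "uppercase only" rule: the specification writes the Authentication metric as `Au`, so a validator that simply upper-cases input would accept `AU` and reject the correct spelling. The parser only uses the Go standard library; the function name and the error messages are my own.

```go
package main

import (
	"fmt"
	"strings"
)

// cvss2Metrics maps each metric name, spelled exactly as the CVSS v2
// specification writes it (note the mixed-case "Au"), to its allowed values.
var cvss2Metrics = map[string][]string{
	// Base metrics
	"AV": {"L", "A", "N"},
	"AC": {"H", "M", "L"},
	"Au": {"M", "S", "N"},
	"C":  {"N", "P", "C"},
	"I":  {"N", "P", "C"},
	"A":  {"N", "P", "C"},
	// Temporal metrics
	"E":  {"U", "POC", "F", "H", "ND"},
	"RL": {"OF", "TF", "W", "U", "ND"},
	"RC": {"UC", "UR", "C", "ND"},
	// Environmental metrics
	"CDP": {"N", "L", "LM", "MH", "H", "ND"},
	"TD":  {"N", "L", "M", "H", "ND"},
	"CR":  {"L", "M", "H", "ND"},
	"IR":  {"L", "M", "H", "ND"},
	"AR":  {"L", "M", "H", "ND"},
}

// baseMetrics must all be present for a vector to be valid.
var baseMetrics = []string{"AV", "AC", "Au", "C", "I", "A"}

// ParseCVSS2Vector parses a CVSS v2 vector string and returns its metrics.
// It fails on any metric name or value that does not match the specification
// byte-for-byte (case included), on duplicate metrics, and on missing base
// metrics. Hypothetical helper written for this example.
func ParseCVSS2Vector(vector string) (map[string]string, error) {
	if vector == "" {
		return nil, fmt.Errorf("empty vector")
	}
	parsed := make(map[string]string)
	for _, part := range strings.Split(vector, "/") {
		kv := strings.SplitN(part, ":", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed metric %q: expected NAME:VALUE", part)
		}
		name, value := kv[0], kv[1]
		// Map lookup is exact, so "rc" or "AU" is not found.
		allowed, known := cvss2Metrics[name]
		if !known {
			return nil, fmt.Errorf("unknown metric name %q (names are case-sensitive)", name)
		}
		if _, dup := parsed[name]; dup {
			return nil, fmt.Errorf("duplicate metric %q", name)
		}
		if !containsExact(allowed, value) {
			return nil, fmt.Errorf("invalid value %q for metric %q", value, name)
		}
		parsed[name] = value
	}
	for _, m := range baseMetrics {
		if _, ok := parsed[m]; !ok {
			return nil, fmt.Errorf("missing required base metric %q", m)
		}
	}
	return parsed, nil
}

// containsExact reports whether want appears in list with identical case.
func containsExact(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs: the vector from the issue and its corrected form.
	for _, v := range []string{
		"AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/rc:C",
		"AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C",
	} {
		m, err := ParseCVSS2Vector(v)
		fmt.Printf("input: %s\n  metrics: %v\n  err: %v\n", v, m, err)
	}
}
```

The first input is rejected with an "unknown metric name" error; the second parses with `RC` set to `C`. The same exact-match rule also rejects `AU:N`, a lowercase value such as `A:c`, and a vector that omits a base metric.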

Release v1.4.5