Well, okay, to put it more diplomatically, people have one understanding of what constitutes "RCE."
Well, okay, to put it more diplomatically, people have one understanding of what constitutes "RCE." For the purposes of CVSS scoring and CVE classification, there is another, different meaning of "RCE" than what they have in mind. It's an antiquated, insufficient system that doesn't capture a lot of context (local-local vs local-remote/remote-local, 0click half-click one-click two-click etc) or do anything to mitigate against spam/sybiling. CNAs do not really care or have time to care, they just assign+patch. So when you see "RCE" these days you have to take it with a grain of salt.