From ff61d91e3956a5eb341251a1ef013ae600d50082 Mon Sep 17 00:00:00 2001
From: Dirkjan Ochtman <dirkjan@ochtman.nl>
Date: Fri, 30 Jan 2026 10:19:33 +0100
Subject: [PATCH] Add CVSS scores to Security tab

---
 .github/workflows/ci.yml              |  12 +++
 Cargo.lock                            |  82 ++++++++++++++----
 app/routes/crate/security.js          |  53 +++++++++---
 app/templates/crate/security.css      |  41 +++++++++
 app/templates/crate/security.gjs      |  28 ++++++-
 app/utils/cvss.js                     |  39 +++++++++
 crates/crates_io_cvss_wasm/Cargo.toml |  21 +++++
 crates/crates_io_cvss_wasm/lib.rs     | 114 ++++++++++++++++++++++++++
 e2e/acceptance/security.spec.ts       |  33 +++++++-
 ember-cli-build.js                    |   5 +-
 eslint.config.mjs                     |   1 +
 package.json                          |   8 +-
 pnpm-lock.yaml                        |  13 ++-
 script/precompress-assets.mjs         |   7 +-
 14 files changed, 415 insertions(+), 42 deletions(-)
 create mode 100644 app/utils/cvss.js
 create mode 100644 crates/crates_io_cvss_wasm/Cargo.toml
 create mode 100644 crates/crates_io_cvss_wasm/lib.rs

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 01867330333..5b0236f2f5d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -223,6 +223,10 @@ jobs:
           cache: pnpm
           node-version-file: package.json
 
+      - uses: taiki-e/install-action@735e5933943122c5ac182670a935f54a949265c1 # v2.52.4
+        with:
+          tool: wasm-pack
+
       - run: pnpm install
 
       - run: pnpm lint:hbs
@@ -260,6 +264,10 @@ jobs:
           cache: pnpm
           node-version-file: package.json
 
+      - uses: taiki-e/install-action@735e5933943122c5ac182670a935f54a949265c1 # v2.52.4
+        with:
+          tool: wasm-pack
+
       - run: pnpm install
 
       - if: github.repository == 'rust-lang/crates.io'
@@ -347,6 +355,10 @@ jobs:
           cache: pnpm
           node-version-file: package.json
 
+      - uses: taiki-e/install-action@735e5933943122c5ac182670a935f54a949265c1 # v2.52.4
+        with:
+          tool: wasm-pack
+
       - run: pnpm install
 
       - run: pnpm playwright install chromium
diff --git a/Cargo.lock b/Cargo.lock
index cee45bc5695..2a2a2ca208b 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1312,6 +1312,16 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "console_error_panic_hook"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a06aeb73f470f66dcdbf7223caeebb85984942f22f1adb2a088cf9668146bbbc"
+dependencies = [
+ "cfg-if",
+ "wasm-bindgen",
+]
+
 [[package]]
 name = "const-oid"
 version = "0.9.6"
@@ -1528,6 +1538,17 @@ dependencies = [
  "tracing-subscriber",
 ]
 
+[[package]]
+name = "crates_io_cvss_wasm"
+version = "0.0.0"
+dependencies = [
+ "console_error_panic_hook",
+ "cvss",
+ "serde",
+ "serde-wasm-bindgen",
+ "wasm-bindgen",
+]
+
 [[package]]
 name = "crates_io_database"
 version = "0.0.0"
@@ -2059,6 +2080,12 @@ dependencies = [
  "cipher",
 ]
 
+[[package]]
+name = "cvss"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f7fb220d3ce1b565af39cee5b89e47fd8dd1dab162900ee4363c8ee4169ee8a2"
+
 [[package]]
 name = "darling"
 version = "0.20.11"
@@ -3706,9 +3733,9 @@ dependencies = [
 
 [[package]]
 name = "js-sys"
-version = "0.3.85"
+version = "0.3.77"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8c942ebf8e95485ca0d52d97da7c5a2c387d0e7f0ba4c35e93bfcaee045955b3"
+checksum = "1cfaf33c695fc6e08064efbc1f72ec937429614f25eef83af942d0e227c3a28f"
 dependencies = [
  "once_cell",
  "wasm-bindgen",
@@ -5755,6 +5782,17 @@ dependencies = [
  "serde_derive",
 ]
 
+[[package]]
+name = "serde-wasm-bindgen"
+version = "0.6.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8302e169f0eddcc139c70f139d19d6467353af16f9fce27e8c30158036a1e16b"
+dependencies = [
+ "js-sys",
+ "serde",
+ "wasm-bindgen",
+]
+
 [[package]]
 name = "serde_core"
 version = "1.0.228"
@@ -7069,25 +7107,37 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.108"
+version = "0.2.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "64024a30ec1e37399cf85a7ffefebdb72205ca1c972291c51512360d90bd8566"
+checksum = "1edc8929d7499fc4e8f0be2262a241556cfc54a0bea223790e71446f2aab1ef5"
 dependencies = [
  "cfg-if",
  "once_cell",
  "rustversion",
  "wasm-bindgen-macro",
+]
+
+[[package]]
+name = "wasm-bindgen-backend"
+version = "0.2.100"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2f0a0651a5c2bc21487bde11ee802ccaf4c51935d0d3d42a6101f98161700bc6"
+dependencies = [
+ "bumpalo",
+ "log",
+ "proc-macro2",
+ "quote",
+ "syn",
  "wasm-bindgen-shared",
 ]
 
 [[package]]
 name = "wasm-bindgen-futures"
-version = "0.4.58"
+version = "0.4.50"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "70a6e77fd0ae8029c9ea0063f87c46fde723e7d887703d74ad2616d792e51e6f"
+checksum = "555d470ec0bc3bb57890405e5d4322cc9ea83cebb085523ced7be4144dac1e61"
 dependencies = [
  "cfg-if",
- "futures-util",
  "js-sys",
  "once_cell",
  "wasm-bindgen",
@@ -7096,9 +7146,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.108"
+version = "0.2.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "008b239d9c740232e71bd39e8ef6429d27097518b6b30bdf9086833bd5b6d608"
+checksum = "7fe63fc6d09ed3792bd0897b314f53de8e16568c2b3f7982f468c0bf9bd0b407"
 dependencies = [
  "quote",
  "wasm-bindgen-macro-support",
@@ -7106,22 +7156,22 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.108"
+version = "0.2.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5256bae2d58f54820e6490f9839c49780dff84c65aeab9e772f15d5f0e913a55"
+checksum = "8ae87ea40c9f689fc23f209965b6fb8a99ad69aeeb0231408be24920604395de"
 dependencies = [
- "bumpalo",
  "proc-macro2",
  "quote",
  "syn",
+ "wasm-bindgen-backend",
  "wasm-bindgen-shared",
 ]
 
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.108"
+version = "0.2.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1f01b580c9ac74c8d8f0c0e4afb04eeef2acf145458e52c03845ee9cd23e3d12"
+checksum = "1a05d73b933a847d6cccdda8f838a22ff101ad9bf93e33684f39c1f5f0eece3d"
 dependencies = [
  "unicode-ident",
 ]
@@ -7141,9 +7191,9 @@ dependencies = [
 
 [[package]]
 name = "web-sys"
-version = "0.3.85"
+version = "0.3.77"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "312e32e551d92129218ea9a2452120f4aabc03529ef03e4d0d82fb2780608598"
+checksum = "33b6dd2ef9186f1f2072e409e99cd22a975331a6b3591b12c764e0e55c60d5d2"
 dependencies = [
  "js-sys",
  "wasm-bindgen",
diff --git a/app/routes/crate/security.js b/app/routes/crate/security.js
index a64e6255d47..6337594aa06 100644
--- a/app/routes/crate/security.js
+++ b/app/routes/crate/security.js
@@ -1,13 +1,38 @@
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 
+import { loadCvssModule, parseCvss } from 'crates-io/utils/cvss';
 import { versionRanges } from 'crates-io/utils/version-ranges';
 
-function extractCvss(advisory) {
+async function extractCvssWithScore(advisory) {
   // Prefer V4 over V3
   let cvssEntry =
     advisory.severity?.find(s => s.type === 'CVSS_V4') ?? advisory.severity?.find(s => s.type === 'CVSS_V3');
-  return cvssEntry?.score ?? null;
+
+  if (!cvssEntry?.score) {
+    return null;
+  }
+
+  // Parse the vector using WASM module to get calculated score and severity
+  try {
+    let parsed = await parseCvss(cvssEntry.score);
+    return {
+      vector: cvssEntry.score,
+      calculatedScore: parsed.score,
+      severity: parsed.severity,
+      version: parsed.version,
+      valid: parsed.valid,
+    };
+  } catch {
+    // Fallback to just returning the vector string
+    return {
+      vector: cvssEntry.score,
+      calculatedScore: null,
+      severity: null,
+      version: null,
+      valid: false,
+    };
+  }
 }
 
 async function fetchAdvisories(crateId) {
@@ -17,17 +42,22 @@ async function fetchAdvisories(crateId) {
     return [];
   } else if (response.ok) {
     let advisories = await response.json();
-    return advisories
-      .filter(
-        advisory =>
-          !advisory.withdrawn &&
-          !advisory.affected?.some(affected => affected.database_specific?.informational === 'unmaintained'),
-      )
-      .map(advisory => ({
+
+    // Filter advisories
+    let filtered = advisories.filter(
+      advisory =>
+        !advisory.withdrawn &&
+        !advisory.affected?.some(affected => affected.database_specific?.informational === 'unmaintained'),
+    );
+
+    // Process CVSS scores in parallel
+    return Promise.all(
+      filtered.map(async advisory => ({
         ...advisory,
         versionRanges: versionRanges(advisory),
-        cvss: extractCvss(advisory),
-      }));
+        cvss: await extractCvssWithScore(advisory),
+      })),
+    );
   } else {
     throw new Error(`HTTP error! status: ${response}`);
   }
@@ -44,6 +74,7 @@ export default class SecurityRoute extends Route {
         fetchAdvisories(crate.id),
         import('micromark'),
         import('micromark-extension-gfm'),
+        loadCvssModule(), // Pre-load WASM module
       ]);
 
       let convertMarkdown = markdown => {
diff --git a/app/templates/crate/security.css b/app/templates/crate/security.css
index f6786ff67d0..4223efab30b 100644
--- a/app/templates/crate/security.css
+++ b/app/templates/crate/security.css
@@ -65,3 +65,44 @@
 .cvss strong {
   margin-right: var(--space-2xs);
 }
+
+
+.cvss a {
+  font-family: monospace;
+  font-size: 0.9em;
+}
+
+:global(.severity-none),
+:global(.severity-low),
+:global(.severity-medium),
+:global(.severity-high),
+:global(.severity-critical) {
+  font-weight: 600;
+  padding: var(--space-4xs) var(--space-2xs);
+  border-radius: var(--space-4xs);
+}
+
+:global(.severity-none) {
+  background-color: light-dark(#e0e0e0, #424242);
+  color: light-dark(#616161, #bdbdbd);
+}
+
+:global(.severity-low) {
+  background-color: light-dark(#c8e6c9, #1b5e20);
+  color: light-dark(#2e7d32, #a5d6a7);
+}
+
+:global(.severity-medium) {
+  background-color: light-dark(#fff3e0, #e65100);
+  color: light-dark(#e65100, #ffe0b2);
+}
+
+:global(.severity-high) {
+  background-color: light-dark(#ffccbc, #bf360c);
+  color: light-dark(#d84315, #ffab91);
+}
+
+:global(.severity-critical) {
+  background-color: light-dark(#ffcdd2, #b71c1c);
+  color: light-dark(#c62828, #ef9a9a);
+}
diff --git a/app/templates/crate/security.gjs b/app/templates/crate/security.gjs
index 3ca688423f8..e55d65073bb 100644
--- a/app/templates/crate/security.gjs
+++ b/app/templates/crate/security.gjs
@@ -12,14 +12,28 @@ function aliasUrl(alias) {
 }
 
 function cvssUrl(cvss) {
-  // Extract version from CVSS string (e.g., "CVSS:3.1/..." -> "3.1")
-  let match = cvss.match(/^CVSS:(\d+\.\d+)\//);
+  if (!cvss?.vector) return null;
+  let match = cvss.vector.match(/^CVSS:(\d+\.\d+)\//);
   if (match) {
-    return `https://www.first.org/cvss/calculator/${match[1]}#${cvss}`;
+    return `https://www.first.org/cvss/calculator/${match[1]}#${cvss.vector}`;
   }
   return null;
 }
 
+function severityClass(severity) {
+  return `severity-${severity ?? 'none'}`;
+}
+
+function formatScoreDisplay(cvss) {
+  let score = cvss?.calculatedScore;
+  let severity = cvss?.severity;
+  if (score === null || score === undefined || Number.isNaN(score)) {
+    return 'N/A';
+  }
+  let capitalizedSeverity = severity ? severity.charAt(0).toUpperCase() + severity.slice(1) : '';
+  return `${score.toFixed(1)} (${capitalizedSeverity})`;
+}
+
 <template>
   <CrateHeader @crate={{@controller.crate}} />
   {{#if @controller.advisories.length}}
@@ -50,7 +64,13 @@ function cvssUrl(cvss) {
           {{#if advisory.cvss}}
             <div class='cvss' data-test-cvss>
               <strong>CVSS:</strong>
-              <a href={{cvssUrl advisory.cvss}}>{{advisory.cvss}}</a>
+              {{#if advisory.cvss.valid}}
+                <span class={{severityClass advisory.cvss.severity}} data-test-cvss-score>{{~formatScoreDisplay
+                    advisory.cvss
+                  ~}}</span>
+                —
+              {{/if}}
+              <a href={{cvssUrl advisory.cvss}}>{{advisory.cvss.vector}}</a>
             </div>
           {{/if}}
           {{htmlSafe (@controller.convertMarkdown advisory.details)}}
diff --git a/app/utils/cvss.js b/app/utils/cvss.js
new file mode 100644
index 00000000000..1d8c49cc5b1
--- /dev/null
+++ b/app/utils/cvss.js
@@ -0,0 +1,39 @@
+// Lazy-loaded CVSS WASM module
+let cvssModule = null;
+let loadingPromise = null;
+
+/**
+ * Load the CVSS WASM module.
+ * Returns a cached promise if already loading/loaded.
+ */
+export async function loadCvssModule() {
+  if (cvssModule) {
+    return cvssModule;
+  }
+
+  if (loadingPromise) {
+    return loadingPromise;
+  }
+
+  loadingPromise = import('crates_io_cvss_wasm')
+    .then(module => {
+      cvssModule = module;
+      return module;
+    })
+    .catch(error => {
+      console.error('Failed to load CVSS WASM module:', error);
+      throw error;
+    });
+
+  return loadingPromise;
+}
+
+/**
+ * Parse a CVSS vector and get score information.
+ * @param {string} vector - CVSS vector string
+ * @returns {Promise<{score: number, severity: string, version: string, valid: boolean, error?: string}>}
+ */
+export async function parseCvss(vector) {
+  let module = await loadCvssModule();
+  return module.parse_cvss(vector);
+}
diff --git a/crates/crates_io_cvss_wasm/Cargo.toml b/crates/crates_io_cvss_wasm/Cargo.toml
new file mode 100644
index 00000000000..c3c384823b9
--- /dev/null
+++ b/crates/crates_io_cvss_wasm/Cargo.toml
@@ -0,0 +1,21 @@
+[package]
+name = "crates_io_cvss_wasm"
+version = "0.0.0"
+license = "MIT OR Apache-2.0"
+repository = "https://github.com/rust-lang/crates.io"
+description = "WASM module for CVSS score calculation"
+edition = "2024"
+
+[lib]
+crate-type = ["cdylib", "rlib"]
+path = "lib.rs"
+
+[lints]
+workspace = true
+
+[dependencies]
+cvss = "2.2.0"
+wasm-bindgen = "0.2.100"
+serde = { version = "1.0.228", features = ["derive"] }
+serde-wasm-bindgen = "0.6.5"
+console_error_panic_hook = "0.1.7"
diff --git a/crates/crates_io_cvss_wasm/lib.rs b/crates/crates_io_cvss_wasm/lib.rs
new file mode 100644
index 00000000000..674e00248c0
--- /dev/null
+++ b/crates/crates_io_cvss_wasm/lib.rs
@@ -0,0 +1,114 @@
+//! WASM module for CVSS (Common Vulnerability Scoring System) score calculation.
+//!
+//! Provides functions to parse CVSS vector strings (v3.0, v3.1, v4.0)
+//! and calculate their scores and severity ratings.
+
+use std::{convert::Infallible, str::FromStr};
+
+use cvss::Cvss;
+use wasm_bindgen::prelude::*;
+
+/// Parse a CVSS vector string and calculate its score.
+///
+/// Supports CVSS v3.0, v3.1, and v4.0 vector strings.
+///
+/// # Arguments
+/// * `vector` - A CVSS vector string (e.g., "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")
+///
+/// # Returns
+/// A JavaScript object with score, severity, version, valid flag, and optional error.
+#[wasm_bindgen]
+pub fn parse_cvss(vector: &str) -> JsValue {
+    let result = CvssResult::from_str(vector).unwrap();
+    serde_wasm_bindgen::to_value(&result).unwrap_or(JsValue::NULL)
+}
+
+/// Result of parsing and scoring a CVSS vector.
+#[derive(serde::Serialize)]
+pub struct CvssResult {
+    /// The calculated CVSS score (0.0 - 10.0)
+    pub score: f64,
+    /// The severity rating (None, Low, Medium, High, Critical)
+    pub severity: String,
+    /// The CVSS version (e.g., "3.0", "3.1", "4.0")
+    pub version: String,
+    /// Whether parsing was successful
+    pub valid: bool,
+    /// Error message if parsing failed
+    pub error: Option<String>,
+}
+
+impl FromStr for CvssResult {
+    type Err = Infallible;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        match Cvss::from_str(s) {
+            Ok(cvss) => Ok(Self {
+                score: cvss.score(),
+                severity: cvss.severity().to_string(),
+                version: match cvss {
+                    Cvss::CvssV30(_) => "3.0".to_string(),
+                    Cvss::CvssV31(_) => "3.1".to_string(),
+                    Cvss::CvssV40(_) => "4.0".to_string(),
+                    _ => "Unknown".to_string(),
+                },
+                valid: true,
+                error: None,
+            }),
+            Err(error) => Ok(CvssResult {
+                score: 0.0,
+                severity: "Unknown".to_string(),
+                version: "Unknown".to_string(),
+                valid: false,
+                error: Some(error.to_string()),
+            }),
+        }
+    }
+}
+
+/// Initialize the WASM module with better panic messages.
+#[wasm_bindgen(start)]
+pub fn init() {
+    console_error_panic_hook::set_once();
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_cvss_v31_critical() {
+        let vector = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H";
+        let result = CvssResult::from_str(vector).unwrap();
+        assert!(result.valid);
+        assert_eq!(result.score, 9.8);
+        assert_eq!(result.severity, "critical");
+        assert_eq!(result.version, "3.1");
+    }
+
+    #[test]
+    fn test_cvss_v30() {
+        let vector = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H";
+        let result = CvssResult::from_str(vector).unwrap();
+        assert!(result.valid);
+        assert_eq!(result.score, 9.8);
+        assert_eq!(result.version, "3.0");
+    }
+
+    #[test]
+    fn test_cvss_v4() {
+        let vector = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N";
+        let result = CvssResult::from_str(vector).unwrap();
+        assert!(result.valid);
+        assert_eq!(result.version, "4.0");
+        assert!(result.score > 0.0);
+    }
+
+    #[test]
+    fn test_invalid_vector() {
+        let vector = "invalid";
+        let result = CvssResult::from_str(vector).unwrap();
+        assert!(!result.valid);
+        assert!(result.error.is_some());
+    }
+}
diff --git a/e2e/acceptance/security.spec.ts b/e2e/acceptance/security.spec.ts
index 807a78406b1..04edca4aa3f 100644
--- a/e2e/acceptance/security.spec.ts
+++ b/e2e/acceptance/security.spec.ts
@@ -65,9 +65,11 @@ test.describe('Acceptance | crate security page', { tag: '@acceptance' }, () =>
       'https://github.com/advisories/GHSA-abcd-1234-efgh',
     );
 
-    // Check CVSS is displayed with link to calculator
+    // Check CVSS is displayed with calculated score and link to calculator
     await expect(advisory1.locator('[data-test-cvss]')).toBeVisible();
     await expect(advisory1.locator('[data-test-cvss]')).toContainText('CVSS:');
+    await expect(advisory1.locator('[data-test-cvss] span')).toHaveText('7.5 (High)');
+    await expect(advisory1.locator('[data-test-cvss] span')).toHaveClass(/severity-high/);
     await expect(advisory1.locator('[data-test-cvss] a')).toHaveText('CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H');
     await expect(advisory1.locator('[data-test-cvss] a')).toHaveAttribute(
       'href',
@@ -247,7 +249,9 @@ test.describe('Acceptance | crate security page', { tag: '@acceptance' }, () =>
 
     let advisory = page.locator('[data-test-list] li').first();
     await expect(advisory.locator('[data-test-cvss]')).toBeVisible();
-    // Should show V4, not V3
+    // Should show V4 score (interpolated) and vector, not V3
+    await expect(advisory.locator('[data-test-cvss] span')).toHaveText('8.7 (High)');
+    await expect(advisory.locator('[data-test-cvss] span')).toHaveClass(/severity-high/);
     await expect(advisory.locator('[data-test-cvss] a')).toHaveText(
       'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N',
     );
@@ -257,6 +261,29 @@ test.describe('Acceptance | crate security page', { tag: '@acceptance' }, () =>
     );
   });
 
+  test('calculates CVSS 4.0 scores with interpolation', async ({ page, msw }) => {
+    let crate = await msw.db.crate.create({ name: 'cvss4-interp-test' });
+    await msw.db.version.create({ crate, num: '1.0.0' });
+
+    let advisories = [
+      {
+        id: 'TEST-CVSS-INTERP',
+        summary: 'Advisory with CVSS 4.0 requiring interpolation',
+        details: 'Testing interpolation calculation.',
+        severity: [{ type: 'CVSS_V4', score: 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N' }],
+      },
+    ];
+
+    await msw.worker.use(http.get('https://rustsec.org/packages/:crateId.json', () => HttpResponse.json(advisories)));
+    await page.goto('/crates/cvss4-interp-test/security');
+
+    let advisory = page.locator('[data-test-list] > li').first();
+    await expect(advisory.locator('[data-test-cvss]')).toBeVisible();
+    // Should calculate to 4.1 with interpolation (not 4.6 from simple lookup)
+    await expect(advisory.locator('[data-test-cvss] span')).toHaveText('4.1 (Medium)');
+    await expect(advisory.locator('[data-test-cvss] span')).toHaveClass(/severity-medium/);
+  });
+
   test('supports CVSS 3.0 vectors', async ({ page, msw }) => {
     let crate = await msw.db.crate.create({ name: 'cvss30-test' });
     await msw.db.version.create({ crate, num: '1.0.0' });
@@ -275,6 +302,8 @@ test.describe('Acceptance | crate security page', { tag: '@acceptance' }, () =>
 
     let advisory = page.locator('[data-test-list] > li').first();
     await expect(advisory.locator('[data-test-cvss]')).toBeVisible();
+    await expect(advisory.locator('[data-test-cvss] span')).toHaveText('9.8 (Critical)');
+    await expect(advisory.locator('[data-test-cvss] span')).toHaveClass(/severity-critical/);
     await expect(advisory.locator('[data-test-cvss] a')).toHaveText('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H');
     await expect(advisory.locator('[data-test-cvss] a')).toHaveAttribute(
       'href',
diff --git a/ember-cli-build.js b/ember-cli-build.js
index f66a0c358cb..4388aa7eaa1 100644
--- a/ember-cli-build.js
+++ b/ember-cli-build.js
@@ -47,7 +47,7 @@ module.exports = function (defaults) {
     },
 
     fingerprint: {
-      extensions: ['js', 'css', 'png', 'jpg', 'gif', 'map', 'svg', 'ttf', 'woff', 'woff2'],
+      extensions: ['js', 'css', 'png', 'jpg', 'gif', 'map', 'svg', 'ttf', 'woff', 'woff2', 'wasm'],
     },
 
     sourcemaps: {
@@ -67,6 +67,9 @@ module.exports = function (defaults) {
     staticModifiers: true,
     packagerOptions: {
       webpackConfig: {
+        experiments: {
+          asyncWebAssembly: true,
+        },
         externals: ({ request, context }, callback) => {
           // Prevent `@mswjs/data` from bundling the `msw` package.
           //
diff --git a/eslint.config.mjs b/eslint.config.mjs
index 93475fc986c..fc9e0a98282 100644
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@@ -25,6 +25,7 @@ export default [
     ignores: [
       '.git/**/*',
       'crates/',
+      'packages/crates-io-cvss-wasm/',
       'playwright-report/',
       'svelte/',
       'target/',
diff --git a/package.json b/package.json
index 05b4515fd21..98dd30d46ec 100644
--- a/package.json
+++ b/package.json
@@ -17,7 +17,10 @@
     "test": "tests"
   },
   "scripts": {
-    "build": "ember build --environment=production && node ./script/precompress-assets.mjs",
+    "build": "pnpm build:wasm && ember build --environment=production && node ./script/precompress-assets.mjs",
+    "build:wasm": "wasm-pack build crates/crates_io_cvss_wasm --target bundler --out-dir ../../packages/crates-io-cvss-wasm --out-name cvss",
+    "postbuild:wasm": "prettier --write packages/crates-io-cvss-wasm/*.js",
+    "prelint:deps": "pnpm build:wasm",
     "lint:deps": "ember dependency-lint",
     "lint:hbs": "ember-template-lint app",
     "lint:js": "eslint . --cache",
@@ -29,7 +32,9 @@
     "start:live": "ember serve --proxy https://crates.io",
     "start:local": "ember serve --proxy http://127.0.0.1:8888",
     "start:staging": "ember serve --proxy https://staging-crates-io.herokuapp.com",
+    "pretest": "pnpm build:wasm",
     "test": "ember test",
+    "pree2e": "pnpm build:wasm",
     "e2e": "playwright test",
     "e2e:svelte": "TEST_APP=svelte playwright test"
   },
@@ -66,6 +71,7 @@
   },
   "dependencies": {
     "@floating-ui/dom": "1.7.4",
+    "crates_io_cvss_wasm": "workspace:*",
     "@juggle/resize-observer": "3.4.0",
     "@sentry/ember": "10.36.0",
     "chart.js": "4.5.1",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 7b827e57e20..1044a365abd 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -30,6 +30,9 @@ importers:
       chart.js:
         specifier: 4.5.1
         version: 4.5.1
+      crates_io_cvss_wasm:
+        specifier: workspace:*
+        version: link:packages/crates-io-cvss-wasm
       date-fns:
         specifier: 4.1.0
         version: 4.1.0
@@ -351,6 +354,8 @@ importers:
         specifier: 4.0.18
         version: 4.0.18(@types/node@24.10.9)(@vitest/browser-playwright@4.0.18)(jiti@2.6.1)(jsdom@25.0.1)(msw@2.12.7(@types/node@24.10.9)(typescript@5.9.3))(terser@5.46.0)(yaml@2.8.2)
 
+  packages/crates-io-cvss-wasm: {}
+
   packages/crates-io-msw:
     dependencies:
       '@msw/data':
@@ -2363,8 +2368,8 @@ packages:
       rollup:
         optional: true
 
-  '@rollup/wasm-node@4.57.0':
-    resolution: {integrity: sha512-EmuVEJWCxlkA/HIe9IJUSSXUXj3mw3w/4NDHhdu2KLCfBUOsjHMOWWrVzTGySmdaua0E120LSQ5ojDGfi+tA/Q==}
+  '@rollup/wasm-node@4.57.1':
+    resolution: {integrity: sha512-b0rcJH8ykEanfgTeDtlPubhphIUOx0oaAek+3hizTaFkoC1FBSTsY0GixwB4D5HZ5r3Gt2yI9c8M13OcW/kW5A==}
     engines: {node: '>=18.0.0', npm: '>=8.0.0'}
     hasBin: true
 
@@ -12485,7 +12490,7 @@ snapshots:
       estree-walker: 2.0.2
       picomatch: 4.0.3
 
-  '@rollup/wasm-node@4.57.0':
+  '@rollup/wasm-node@4.57.1':
     dependencies:
       '@types/estree': 1.0.8
     optionalDependencies:
@@ -21168,7 +21173,7 @@ snapshots:
       fdir: 6.5.0(picomatch@4.0.3)
       picomatch: 4.0.3
       postcss: 8.5.6
-      rollup: '@rollup/wasm-node@4.57.0'
+      rollup: '@rollup/wasm-node@4.57.1'
       tinyglobby: 0.2.15
     optionalDependencies:
       '@types/node': 24.10.9
diff --git a/script/precompress-assets.mjs b/script/precompress-assets.mjs
index e63c0d65fdd..3e0d496af82 100644
--- a/script/precompress-assets.mjs
+++ b/script/precompress-assets.mjs
@@ -5,9 +5,10 @@ import { constants, createBrotliCompress, createGzip } from 'node:zlib';
 
 import { globby } from 'globby';
 
-let paths = await globby(['**/*.css', '**/*.html', '**/*.js', '**/*.map', '**/*.svg', '**/*.txt', '**/*.xml'], {
-  cwd: 'dist',
-});
+let paths = await globby(
+  ['**/*.css', '**/*.html', '**/*.js', '**/*.map', '**/*.svg', '**/*.txt', '**/*.wasm', '**/*.xml'],
+  { cwd: 'dist' },
+);
 
 for (let path of paths) {
   let fullPath = `dist/${path}`;