10.0 is mentioned in the blog post - I don't follow CVE nomenclature closely but that's the score, right? And it's as bad as it can get?

I assume the CVE website would normally have this info but it's only showing the number as reserved right now.

This fixes an account take over issue https://about.gitlab.com/releases/2024/01/11/critical-securi...