VMDR Release 2.7 

October 29, 2025 (Updated on November 18, 2025)

New Tokens

The following new tokens are added to Risk Acceptance Rules in VMDR > Responses. 

• vulnerabilities.nonExploitableService
• vulnerabilities.vulnerability.category
• vulnerabilities.vulnerability.title
• vulnerabilities.qualysPatchable
• vulnerabilities.vulnerability.patchAvailable
• gcp.compute.instanceId

QQL Token: Deprecation of the asset.riskScore token

In this release, we have deprecated the asset.riskScore QQL token from the Create New Tag dialog. You can no longer create tags using this token. The token is deprecated because the risk scores are dynamic and change approximately every four hours based on asset conditions and threat intelligence. Using such a rapidly-changing metric for grouping assets can lead to inconsistent tagging, unstable automation workflows, and inaccurate reporting.

There is no replacement token for asset.riskScore. For reliable results, use consistent asset attributes instead of risk scores when creating tags.

For more information about this deprecated QQL token, see VMDR Release 0.10.0.

The deprecated QQL token does not affect existing tags created using this token. 

Issue Addressed

The following reported and notable customer issue is fixed in this release.

Category/Component

Issue

Vulnerabilities Details

Clarified CVE Visibility in Understanding the Qualys Vulnerability Score for CVEs topic.  Previously, the topic did not clearly specify which CVEs are displayed in the different sections of the QID details, leading to confusion about CVE visibility. The documentation has been updated to clarify that: General Information: Displays all CVEs associated with the QID, including those published by NVD, as well as private or reserved CVEs. CVE Details: Displays only the CVEs that contribute to the QDS/QVS score. This update helps you better understand which CVEs appear in each section and how they relate to the vulnerability scoring.