During a security assesment I found that an application wrote JavaScript from input fields directly in the database. The application it self had good output sanitization so no XSS was possible in that application. A different application that used the same data didn't have good output sanitization and had a XSS vulnerability, which has been fixed since then.
So wat I have now is a finding that input data is not properly validated, which might pose problems for applications that do not sanitize output well but not in the current application. What CVSS score would I put on that? I cannot well make it a high vulnerability because it is impossible to exploit now. But in the future it could pose problems and I do want it fixed in the context of "defense in depth"
Question: What would the CVSS score be for a non-exploitable input validation vulnerability?