After #10 and #13, I fuzzed again the implementation and discovered that other invalid inputs did not raise errors.
This could be categorized as CWE-20.

For instance, the following Go code does not produce any error.

package main

import (
	"fmt"

	"github.com/goark/go-cvss/v3/metric"
)

func main() {
	vec, err := metric.NewEnvironmental().Decode("CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:n")

	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}

produces ->

vec: &{0xc0000a0a50 X X X X X X X X X X X map[]}
err: <nil>

You can check this input is invalid, using the official first.org calculator which does not give scores despite base metrics being all defined, or by looking at the specification Table 15 which shows the A (Availability) metric can only be equal to [H,L,N] (not their lowercase equivalent).
The root of this issue is validating lowercase equivalents, what is not compliant with the first.org specifications.