sub to_xpath_str_literal {
    my ($s) = @_;
    return qq{"$s"} if $s !~ /"/;
    return qq{'$s'} if $s !~ /'/;
    $s =~ s/'/',"'",'/g;
    return qq{concat('$s')};
}

my $cve_id_lit = to_xpath_str_literal($cve_id);
for my $entry ($xp->findnodes("/nvd/entry[\@id=$cve_id_lit]")) {
    my ($metrics) = $entry->findnodes('vuln:cvss/cvss:base_metrics');
    my $av = $metrics->find('cvss:access-vector');
    my $ac = $metrics->find('cvss:access-complexity');
    ...
}