{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","type":"alpm","namespace":"archlinux","name":"gitlab","version":"14.5.0-1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"14.5.2-1","latest_non_vulnerable_version":"15.2.1-1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256788?format=json","vulnerability_id":"VCID-17gb-vdxv-fqc4","summary":"Incorrect Authorization in GitLab EE affecting all versions starting from 11.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows a user to add comments to a vulnerability which cannot be accessed.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39918","reference_id":"","reference_type":"","scores":[{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45083","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45239","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.4532","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45342","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45285","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.4534","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45362","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.4533","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45332","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45383","published_at":"2026-04-16T12:55:00Z"},{"v
alue":"0.00226","scoring_system":"epss","scoring_elements":"0.45379","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45329","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45246","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45187","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39918"},{"reference_url":"https://security.archlinux.org/AVG-2604","reference_id":"AVG-2604","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2604"}],"fixed_packages":[],"aliases":["CVE-2021-39918"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-17gb-vdxv-fqc4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256810?format=json","vulnerability_id":"VCID-1f4t-7du8-q3ex","summary":"A vulnerable regular expression pattern in GitLab CE/EE since version 8.15 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to cause uncontrolled resource consumption leading to Denial of Service via specially crafted deploy Slash 
commands","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39938","reference_id":"","reference_type":"","scores":[{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33233","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33591","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33923","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33954","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33808","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.3385","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33882","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33881","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33839","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33814","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33853","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33807","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33441","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33423","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33341","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39938"},{"reference_url":"https://security.archlinux.org/ASA-202112-10","reference_id":"ASA-202112-10","reference_type":"","scores":[],
"url":"https://security.archlinux.org/ASA-202112-10"},{"reference_url":"https://security.archlinux.org/AVG-2603","reference_id":"AVG-2603","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2603"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371831?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1"}],"aliases":["CVE-2021-39938"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1f4t-7du8-q3ex"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256803?format=json","vulnerability_id":"VCID-5t99-3qbr-sfdj","summary":"An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. 
A regular expression used for handling user input (notes, comments, etc) was susceptible to catastrophic backtracking that could cause a DOS attack.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39933","reference_id":"","reference_type":"","scores":[{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40339","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.4068","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40764","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40791","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40715","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40765","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40772","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40757","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40738","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40783","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40753","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40675","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.4058","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40567","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40484","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2
021-39933"},{"reference_url":"https://security.archlinux.org/ASA-202112-10","reference_id":"ASA-202112-10","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202112-10"},{"reference_url":"https://security.archlinux.org/AVG-2603","reference_id":"AVG-2603","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2603"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371831?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1"}],"aliases":["CVE-2021-39933"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5t99-3qbr-sfdj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256812?format=json","vulnerability_id":"VCID-6ns1-mx95-5ffe","summary":"An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. 
GitLab Maven Package registry is vulnerable to a regular expression denial of service when a specifically crafted string is sent.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39940","reference_id":"","reference_type":"","scores":[{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40339","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.4068","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40764","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40791","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40715","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40765","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40772","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40757","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40738","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40783","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40753","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40675","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.4058","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40567","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40484","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39940"},{"refer
ence_url":"https://security.archlinux.org/ASA-202112-10","reference_id":"ASA-202112-10","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202112-10"},{"reference_url":"https://security.archlinux.org/AVG-2603","reference_id":"AVG-2603","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2603"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371831?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1"}],"aliases":["CVE-2021-39940"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6ns1-mx95-5ffe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256804?format=json","vulnerability_id":"VCID-71j9-ra1c-6uhm","summary":"Improper access control allows any project member to retrieve the service desk email address in GitLab CE/EE versions starting 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 
14.5.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39934","reference_id":"","reference_type":"","scores":[{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.47969","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48044","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48081","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48102","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48052","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48105","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.481","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48123","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48099","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.4811","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48163","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48158","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48112","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48093","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48049","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39934"},{"reference_url":"https://security.archlinux.org/ASA-202112-10","reference_id":"ASA-202112-10","reference_type":"","scores":[],"ur
l":"https://security.archlinux.org/ASA-202112-10"},{"reference_url":"https://security.archlinux.org/AVG-2603","reference_id":"AVG-2603","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2603"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371831?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1"}],"aliases":["CVE-2021-39934"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-71j9-ra1c-6uhm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256809?format=json","vulnerability_id":"VCID-989x-8yn6-eqc8","summary":"A collision in access memoization logic in all versions of GitLab CE/EE before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, leads to potential elevated privileges in groups and projects under rare 
circumstances","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39937","reference_id":"","reference_type":"","scores":[{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35152","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35511","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35713","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35738","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35619","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35665","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35688","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35698","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35653","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35631","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.3567","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35661","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35609","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35371","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.35351","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00151","scoring_system":"epss","scoring_elements":"0.3527","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39937"},{"reference_
url":"https://security.archlinux.org/ASA-202112-10","reference_id":"ASA-202112-10","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202112-10"},{"reference_url":"https://security.archlinux.org/AVG-2603","reference_id":"AVG-2603","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2603"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371831?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1"}],"aliases":["CVE-2021-39937"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-989x-8yn6-eqc8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256807?format=json","vulnerability_id":"VCID-99uy-2jrp-u7cx","summary":"Improper access control in GitLab CE/EE affecting all versions starting from 10.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker in possession of a deploy token to access a project's disabled 
wiki.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39936","reference_id":"","reference_type":"","scores":[{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.56812","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.56802","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.56896","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.56918","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.56894","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.56946","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.56949","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.56957","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.56937","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.56914","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.56943","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.5694","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.56917","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.56857","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.56874","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.56858","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39936"},{"reference_url":"h
ttps://security.archlinux.org/ASA-202112-10","reference_id":"ASA-202112-10","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202112-10"},{"reference_url":"https://security.archlinux.org/AVG-2603","reference_id":"AVG-2603","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2603"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371831?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1"}],"aliases":["CVE-2021-39936"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-99uy-2jrp-u7cx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256818?format=json","vulnerability_id":"VCID-9mm8-knzf-a3gb","summary":"Improper access control in the GitLab CE/EE API affecting all versions starting from 9.4 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an author of a Merge Request to approve the Merge Request even after having their project access 
revoked","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39945","reference_id":"","reference_type":"","scores":[{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47547","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47628","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47666","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47687","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47636","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47691","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47711","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47688","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47697","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47753","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47746","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47698","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47679","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47633","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39945"},{"reference_url":"https://security.archlinux.org/ASA-202112-10","reference_id":"ASA-202112-10","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202112-10"},{"reference_url":"https://security.archlinux.org/AVG-2603
","reference_id":"AVG-2603","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2603"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371831?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1"}],"aliases":["CVE-2021-39945"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9mm8-knzf-a3gb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256782?format=json","vulnerability_id":"VCID-9wuq-32s1-nydy","summary":"Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to see the names of project access tokens on arbitrary 
projects","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39915","reference_id":"","reference_type":"","scores":[{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50277","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50338","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50393","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50423","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50375","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50429","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50422","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50463","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.5044","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50425","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50468","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50472","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50449","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50394","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50404","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50355","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39915"},{"reference_url"
:"https://security.archlinux.org/ASA-202112-10","reference_id":"ASA-202112-10","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202112-10"},{"reference_url":"https://security.archlinux.org/AVG-2603","reference_id":"AVG-2603","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2603"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371831?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1"}],"aliases":["CVE-2021-39915"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9wuq-32s1-nydy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256789?format=json","vulnerability_id":"VCID-buuk-gsy3-w7bp","summary":"In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information 
disclosure.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39919","reference_id":"","reference_type":"","scores":[{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.20541","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.20853","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.21004","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.2106","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.20774","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.20915","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.20931","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.20887","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.20836","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.20826","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.20818","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.208","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.20681","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.20677","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.20645","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39919"},{"reference_url":"https://security.archlinux.org/ASA-202112-10","reference_id":"ASA-202112-10","reference_type":"","scores":[]
,"url":"https://security.archlinux.org/ASA-202112-10"},{"reference_url":"https://security.archlinux.org/AVG-2603","reference_id":"AVG-2603","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2603"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371831?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1"}],"aliases":["CVE-2021-39919"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-buuk-gsy3-w7bp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256776?format=json","vulnerability_id":"VCID-gvwq-zqmf-ruak","summary":"An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. 
GitLab was vulnerable to HTML Injection through the Swagger UI feature.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39910","reference_id":"","reference_type":"","scores":[{"value":"0.0018","scoring_system":"epss","scoring_elements":"0.39121","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0018","scoring_system":"epss","scoring_elements":"0.3947","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0018","scoring_system":"epss","scoring_elements":"0.3962","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0018","scoring_system":"epss","scoring_elements":"0.39642","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0018","scoring_system":"epss","scoring_elements":"0.39559","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0018","scoring_system":"epss","scoring_elements":"0.39613","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0018","scoring_system":"epss","scoring_elements":"0.39628","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0018","scoring_system":"epss","scoring_elements":"0.39638","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0018","scoring_system":"epss","scoring_elements":"0.39601","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0018","scoring_system":"epss","scoring_elements":"0.39585","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0018","scoring_system":"epss","scoring_elements":"0.39636","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0018","scoring_system":"epss","scoring_elements":"0.39606","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0018","scoring_system":"epss","scoring_elements":"0.39523","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0018","scoring_system":"epss","scoring_elements":"0.39343","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0018","scoring_system":"epss","scoring_elements":"0.39328","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0018","scoring_system":"epss","scoring_elements":"0.39246","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data
/v1/epss?cve=CVE-2021-39910"},{"reference_url":"https://security.archlinux.org/ASA-202112-10","reference_id":"ASA-202112-10","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202112-10"},{"reference_url":"https://security.archlinux.org/AVG-2603","reference_id":"AVG-2603","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2603"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371831?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1"}],"aliases":["CVE-2021-39910"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gvwq-zqmf-ruak"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256786?format=json","vulnerability_id":"VCID-h8td-pdxx-y7en","summary":"An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. 
A regular expression related to quick actions features was susceptible to catastrophic backtracking that could cause a DOS attack.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39917","reference_id":"","reference_type":"","scores":[{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.59769","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.59687","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.5976","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.59784","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.59753","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.59805","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.59818","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.59838","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.59822","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.59804","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.59841","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.59848","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.59832","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.59803","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.59821","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.5980
6","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39917"},{"reference_url":"https://security.archlinux.org/ASA-202112-10","reference_id":"ASA-202112-10","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202112-10"},{"reference_url":"https://security.archlinux.org/AVG-2603","reference_id":"AVG-2603","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2603"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371831?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1"}],"aliases":["CVE-2021-39917"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h8td-pdxx-y7en"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256798?format=json","vulnerability_id":"VCID-j8nr-cgq2-ubf9","summary":"Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group 
templates","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39930","reference_id":"","reference_type":"","scores":[{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.47643","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.47719","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.47757","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.47777","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.47726","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.4778","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.47776","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.47801","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.47787","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.47842","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.47834","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.4777","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.47727","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39930"},{"reference_url":"https://security.archlinux.org/AVG-2604","reference_id":"AVG-2604","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2604"}],"fixed_packages":[],"aliases":["CVE-2021-39930"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2
","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j8nr-cgq2-ubf9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256800?format=json","vulnerability_id":"VCID-m6c7-dfbf-r7gr","summary":"An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.11 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under specific condition an unauthorised project member was allowed to delete a protected branches due to a business logic error.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39931","reference_id":"","reference_type":"","scores":[{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.4847","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48538","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48574","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48597","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48549","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48603","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48599","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.4862","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48593","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48606","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48656","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48651","published_at":"2026-04-1
8T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48608","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48604","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48554","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39931"},{"reference_url":"https://security.archlinux.org/ASA-202112-10","reference_id":"ASA-202112-10","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202112-10"},{"reference_url":"https://security.archlinux.org/AVG-2603","reference_id":"AVG-2603","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2603"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371831?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1"}],"aliases":["CVE-2021-39931"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m6c7-dfbf-r7gr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256784?format=json","vulnerability_id":"VCID-n2jn-c1k6-67b9","summary":"Lack of an access control check in the External Status Check feature allowed any authenticated user to retrieve the configuration of any External Status Check in GitLab EE starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 
14.5.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39916","reference_id":"","reference_type":"","scores":[{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51413","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51418","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51469","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51497","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51456","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.5151","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51508","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51551","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.5153","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51518","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51561","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.5157","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51549","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51502","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39916"},{"reference_url":"https://security.archlinux.org/AVG-2604","reference_id":"AVG-2604","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2604"}],"fixe
d_packages":[],"aliases":["CVE-2021-39916"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n2jn-c1k6-67b9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256806?format=json","vulnerability_id":"VCID-t8nq-hx26-kfc7","summary":"An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39935","reference_id":"","reference_type":"","scores":[{"value":"0.41434","scoring_system":"epss","scoring_elements":"0.97378","published_at":"2026-04-01T12:55:00Z"},{"value":"0.41434","scoring_system":"epss","scoring_elements":"0.97384","published_at":"2026-04-02T12:55:00Z"},{"value":"0.41434","scoring_system":"epss","scoring_elements":"0.97389","published_at":"2026-04-04T12:55:00Z"},{"value":"0.41434","scoring_system":"epss","scoring_elements":"0.97391","published_at":"2026-04-07T12:55:00Z"},{"value":"0.41434","scoring_system":"epss","scoring_elements":"0.97397","published_at":"2026-04-08T12:55:00Z"},{"value":"0.41434","scoring_system":"epss","scoring_elements":"0.97398","published_at":"2026-04-09T12:55:00Z"},{"value":"0.41434","scoring_system":"epss","scoring_elements":"0.974","published_at":"2026-04-11T12:55:00Z"},{"value":"0.41434","scoring_system":"epss","scoring_elements":"0.97401","published_at":"2026-04-12T12:55:00Z"},{"value":"0.41434","scoring_system":"epss","scoring_elements":"0.97402","published_at":"2026-04-13T12:55:00Z"},{"value":"0.41434","scoring_system":"epss","scoring_elements":"0.9741","published_at":"2026-04-16T12:55:00Z"},{"value":"0.41434","scoring_system":"epss","scoring_elements":"0.97413","published_at":"2026-04-18T12:55:00Z"},{"value":"0.54604","scoring_system":"
epss","scoring_elements":"0.98041","published_at":"2026-04-29T12:55:00Z"},{"value":"0.54604","scoring_system":"epss","scoring_elements":"0.98049","published_at":"2026-05-05T12:55:00Z"},{"value":"0.58412","scoring_system":"epss","scoring_elements":"0.98209","published_at":"2026-04-26T12:55:00Z"},{"value":"0.58412","scoring_system":"epss","scoring_elements":"0.98206","published_at":"2026-04-21T12:55:00Z"},{"value":"0.58412","scoring_system":"epss","scoring_elements":"0.98208","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39935"},{"reference_url":"https://hackerone.com/reports/1236965","reference_id":"1236965","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:23:46Z/"}],"url":"https://hackerone.com/reports/1236965"},{"reference_url":"https://gitlab.com/gitlab-org/gitlab/-/issues/346187","reference_id":"346187","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:23:46Z/"}],"url":"https://gitlab.com/gitlab-org/gitlab/-/issues/346187"},{"reference_url":"https://security.archlinux.org/ASA-202112-10","reference_id":"ASA-202112-10","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202112-10"},{"reference_url":"https://security.archlinux.org/AVG-2603","reference_id":"AVG-2603","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2603"},{"reference_url":"https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39935.json","reference_id":"CVE-2021-39935.json","reference_type":"","scores":[{"value":"6.8","scoring_system":"cv
ssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:23:46Z/"}],"url":"https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39935.json"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371831?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1"}],"aliases":["CVE-2021-39935"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t8nq-hx26-kfc7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256817?format=json","vulnerability_id":"VCID-uzq6-eukx-8yhv","summary":"An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. 
A permissions validation flaw allowed group members with a developer role to elevate their privilege to a maintainer on projects they import","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39944","reference_id":"","reference_type":"","scores":[{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.38606","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.38955","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39141","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39163","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39082","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39137","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39153","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39165","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39128","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39109","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39164","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39133","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39045","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.38836","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.38813","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elemen
ts":"0.38729","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39944"},{"reference_url":"https://security.archlinux.org/ASA-202112-10","reference_id":"ASA-202112-10","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202112-10"},{"reference_url":"https://security.archlinux.org/AVG-2603","reference_id":"AVG-2603","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2603"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371831?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1"}],"aliases":["CVE-2021-39944"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uzq6-eukx-8yhv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256813?format=json","vulnerability_id":"VCID-vfvr-mjgk-4qce","summary":"An information disclosure vulnerability in GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed non-project members to see the default branch name for projects that restrict access to the repository to project 
members","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39941","reference_id":"","reference_type":"","scores":[{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52521","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52522","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52568","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52594","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52561","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52613","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52607","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52658","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52641","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52625","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52663","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.5267","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52655","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52606","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52616","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52579","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39941"},{"reference_url":
"https://security.archlinux.org/ASA-202112-10","reference_id":"ASA-202112-10","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202112-10"},{"reference_url":"https://security.archlinux.org/AVG-2603","reference_id":"AVG-2603","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2603"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371831?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1"}],"aliases":["CVE-2021-39941"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vfvr-mjgk-4qce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256801?format=json","vulnerability_id":"VCID-w1jg-8rdt-3ufv","summary":"An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. 
Using large payloads, the diff feature could be used to trigger high load time for users reviewing code changes.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39932","reference_id":"","reference_type":"","scores":[{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44504","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44711","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44791","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44812","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44752","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44805","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44807","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44824","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44793","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44794","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44848","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44841","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44776","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.4469","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44697","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44619","published_at":
"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39932"},{"reference_url":"https://security.archlinux.org/ASA-202112-10","reference_id":"ASA-202112-10","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202112-10"},{"reference_url":"https://security.archlinux.org/AVG-2603","reference_id":"AVG-2603","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2603"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371831?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.2-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1"}],"aliases":["CVE-2021-39932"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w1jg-8rdt-3ufv"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11124?format=json","vulnerability_id":"VCID-1bxs-yghe-cyck","summary":"URL Redirection to Untrusted Site ('Open Redirect')\nA possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious 
website.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22942.json","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22942.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22942","reference_id":"","reference_type":"","scores":[{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67422","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67402","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67425","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67413","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67378","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67412","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67424","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67403","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.6739","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67361","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67339","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67302","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67407","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67433","publish
ed_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","refer
ence_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c"},{"reference_url":"https://rubygems.org/gems/actionpack","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubygems.org/gems/actionpack"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240202-0005","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240202-0005"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240202-0005/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20240202-0005/"},{"reference_url":"https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1"
,"scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released"},{"reference_url":"https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/","reference_id":"","reference_type":"","scores":[],"url":"https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/"},{"reference_url":"https://www.debian.org/security/2023/dsa-5372","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2023/dsa-5372"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/12/14/5","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/12/14/5"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1995940","reference_id":"1995940","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1995940"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586","reference_id":"992586","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586"},{"reference_url":"https://security.archlinux.org/AVG-2492","reference_id":"AVG-2492","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2492"},{"reference_url":"https://security.archlinux.org/AVG-2493","reference_id":"AVG-2493","reference_type":"","scores":[{"value":"Medium","scoring_system":
"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2493"},{"reference_url":"https://access.redhat.com/security/cve/cve-2021-22942","reference_id":"CVE-2021-22942","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/security/cve/cve-2021-22942"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22942","reference_id":"CVE-2021-22942","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22942"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml","reference_id":"CVE-2021-22942.YML","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml"},{"reference_url":"https://github.com/advisories/GHSA-2rqw-v265-jf8c","reference_id":"GHSA-2rqw-v265-jf8c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2rqw-v265-jf8c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8
yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-22942","GHSA-2rqw-v265-jf8c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1bxs-yghe-cyck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256764?format=json","vulnerability_id":"VCID-2uqd-mtms-fqaw","summary":"In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in 
settings.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39903","reference_id":"","reference_type":"","scores":[{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48664","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48729","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48768","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48794","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48748","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48803","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.488","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48817","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48791","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48798","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48847","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48843","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48802","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48799","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.4875","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39903"},{"reference_url":"https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"Hig
h","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39903"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2uqd-mtms-fqaw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256756?format=json","vulnerability_id":"VCID-54ws-nrwe-wucv","summary":"In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported 
from.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39898","reference_id":"","reference_type":"","scores":[{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53311","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53302","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53325","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53351","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53321","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53373","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53367","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53419","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53403","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53387","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53424","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.5343","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.5341","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53382","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53394","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53357","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39898"},{"reference_url":"ht
tps://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39898"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-54ws-nrwe-wucv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256771?format=json","vulnerability_id":"VCID-6uvg-uqe6-tud1","summary":"A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 13.7. 
The stripping of EXIF data from certain images resulted in high CPU usage.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39907","reference_id":"","reference_type":"","scores":[{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.4797","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48044","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48082","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48103","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48053","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48106","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48101","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48124","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48099","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48111","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48163","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48158","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48113","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48094","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48105","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.4805","published_at":"2026-04-29T12:55:00Z"}],"url":"https:/
/api.first.org/data/v1/epss?cve=CVE-2021-39907"},{"reference_url":"https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39907"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6uvg-uqe6-tud1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256753?format=json","vulnerability_id":"VCID-dana-dyhj-4yec","summary":"In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. 
Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39895","reference_id":"","reference_type":"","scores":[{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51378","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51385","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51436","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51463","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51423","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51476","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51474","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51518","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51497","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51484","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51526","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51535","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51513","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51466","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51473","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51434","pub
lished_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39895"},{"reference_url":"https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39895"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dana-dyhj-4yec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256774?format=json","vulnerability_id":"VCID-de8b-d4wk-y3g2","summary":"Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE starting from 11.3 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker to bypass CODEOWNERS Merge Request approval requirement 
under rare circumstances","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39909","reference_id":"","reference_type":"","scores":[{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.14875","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15144","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15184","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15251","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15055","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15143","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15194","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15164","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15126","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15061","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.14961","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.1497","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15021","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.1506","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15062","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15005","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39909"},{
"reference_url":"https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39909"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-de8b-d4wk-y3g2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256762?format=json","vulnerability_id":"VCID-f663-qdnt-4fhz","summary":"Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an 
incident.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39902","reference_id":"","reference_type":"","scores":[{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45083","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45239","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.4532","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45342","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45285","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.4534","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45362","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.4533","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45332","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45383","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45379","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45329","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45246","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45187","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39902"},{"reference_url":"https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixe
d_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39902"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f663-qdnt-4fhz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256769?format=json","vulnerability_id":"VCID-j6gp-wgz9-17h6","summary":"Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's 
behalf.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39906","reference_id":"","reference_type":"","scores":[{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78863","published_at":"2026-05-05T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.7872","published_at":"2026-04-01T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78728","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78759","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78741","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78767","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78774","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78797","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.7878","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78771","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.788","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78798","published_at":"2026-04-18T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78793","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78821","published_at":"2026-04-24T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78827","published_at":"2026-04-26T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78844","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39906"},{"reference_url":"ht
tps://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39906"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j6gp-wgz9-17h6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256777?format=json","vulnerability_id":"VCID-r36y-zth9-2bbv","summary":"An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 exposes private email address of Issue and Merge Requests assignee to Webhook data 
consumers","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39911","reference_id":"","reference_type":"","scores":[{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44226","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44459","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44528","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.4455","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44488","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44539","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44544","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.4456","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.4453","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44532","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44587","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44579","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44509","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44427","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44431","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.4435","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39911"},{"reference_url":"
https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39911"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r36y-zth9-2bbv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256779?format=json","vulnerability_id":"VCID-sxfm-yjar-r3gy","summary":"A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. 
Using a malformed TIFF image, it was possible to trigger memory exhaustion.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39912","reference_id":"","reference_type":"","scores":[{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.4797","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48044","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48082","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48103","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48053","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48106","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48101","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48124","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48099","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48111","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48163","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48158","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48113","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48094","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48105","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.4805","published_at":"2026-04-29T12:55:00Z"}],"url":"https://a
pi.first.org/data/v1/epss?cve=CVE-2021-39912"},{"reference_url":"https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39912"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sxfm-yjar-r3gy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256768?format=json","vulnerability_id":"VCID-ubka-br7q-dyax","summary":"An information disclosure vulnerability in the GitLab CE/EE API since version 8.9.6 allows a user to see basic information on private groups that a public project has been shared 
with","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39905","reference_id":"","reference_type":"","scores":[{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53256","published_at":"2026-05-05T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53244","published_at":"2026-04-01T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53267","published_at":"2026-04-02T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53293","published_at":"2026-04-04T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53262","published_at":"2026-04-07T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53314","published_at":"2026-04-08T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53309","published_at":"2026-04-09T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53359","published_at":"2026-04-11T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53344","published_at":"2026-04-12T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53327","published_at":"2026-04-13T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53365","published_at":"2026-04-16T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.5337","published_at":"2026-04-18T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.5335","published_at":"2026-04-21T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53322","published_at":"2026-04-24T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53335","published_at":"2026-04-26T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53297","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39905"},{"reference_url":"https://security.archlinux.org/AVG-
2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39905"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ubka-br7q-dyax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256755?format=json","vulnerability_id":"VCID-utt5-yq43-tydb","summary":"Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to still have access even after the subgroup is 
transferred","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39897","reference_id":"","reference_type":"","scores":[{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52249","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52257","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.523","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52328","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.5229","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52343","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52338","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52388","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52373","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52359","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52397","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52403","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52387","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52335","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52344","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52306","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39897"},{"reference_url
":"https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39897"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-utt5-yq43-tydb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256780?format=json","vulnerability_id":"VCID-vqxg-nt2j-skcd","summary":"Accidental logging of system root password in the migration log in all versions of GitLab CE/EE before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker with local file system access to obtain system root-level 
privileges","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39913","reference_id":"","reference_type":"","scores":[{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.1858","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18953","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.1909","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.19141","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18858","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18937","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.1899","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18997","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.1895","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18899","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18854","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18866","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18877","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18766","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18747","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18703","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39913"},{"reference_url":"https://securit
y.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39913"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vqxg-nt2j-skcd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256760?format=json","vulnerability_id":"VCID-w5ry-7u68-vbhz","summary":"In all versions of GitLab CE/EE since version 11.10, an admin of a group can see the SCIM token of that group by visiting a specific 
endpoint.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39901","reference_id":"","reference_type":"","scores":[{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52572","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52514","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52559","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52586","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52553","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52605","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52599","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52649","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52632","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52618","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52656","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52663","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52648","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52598","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52609","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39901"},{"reference_url":"https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"
High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39901"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w5ry-7u68-vbhz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256781?format=json","vulnerability_id":"VCID-xm82-tdpb-buf6","summary":"A regular expression denial of service issue in GitLab versions 8.13 to 14.2.5, 14.3.0 to 14.3.3 and 14.4.0 could cause excessive usage of resources when a specially crafted username was used when provisioning a new 
user","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39914","reference_id":"","reference_type":"","scores":[{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.38633","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.38982","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39169","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.3919","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.3911","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39164","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39181","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39192","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39156","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39137","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39191","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39161","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39072","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.38863","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.3884","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.38757","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39914"},{"reference_url":"http
s://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39914"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xm82-tdpb-buf6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256766?format=json","vulnerability_id":"VCID-zy36-rb3k-y7eg","summary":"An Improper Access Control vulnerability in the GraphQL API in all versions of GitLab CE/EE starting from 13.1 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows a Merge Request creator to resolve discussions and apply suggestions after a project owner has locked the Merge 
Request","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39904","reference_id":"","reference_type":"","scores":[{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.30652","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31194","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31321","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31363","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31182","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31235","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31266","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.3127","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31226","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31215","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31197","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31166","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31007","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.30885","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.30801","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39904"},{"reference_url":"https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"Hig
h","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39904"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zy36-rb3k-y7eg"}],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}