Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/371831?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/371831?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.5.2-1", "type": "alpm", "namespace": "archlinux", "name": "gitlab", "version": "14.5.2-1", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "14.10.2-1", "latest_non_vulnerable_version": "15.2.1-1", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256810?format=api", "vulnerability_id": "VCID-1f4t-7du8-q3ex", "summary": "A vulnerable regular expression pattern in GitLab CE/EE since version 8.15 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to cause uncontrolled resource consumption leading to Denial of Service via specially crafted deploy Slash commands", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39938", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33299", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33591", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33923", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33954", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33808", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.3385", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33882", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33881", "published_at": "2026-04-11T12:55:00Z" }, { "value": 
"0.00138", "scoring_system": "epss", "scoring_elements": "0.33839", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33814", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33853", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33807", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33441", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33423", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33341", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33233", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39938" }, { "reference_url": "https://security.archlinux.org/ASA-202112-10", "reference_id": "ASA-202112-10", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202112-10" }, { "reference_url": "https://security.archlinux.org/AVG-2603", "reference_id": "AVG-2603", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2603" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371831?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.5.2-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1" } ], "aliases": [ "CVE-2021-39938" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1f4t-7du8-q3ex" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/256803?format=api", "vulnerability_id": "VCID-5t99-3qbr-sfdj", "summary": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression used for handling user input (notes, comments, etc) was susceptible to catastrophic backtracking that could cause a DOS attack.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39933", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40407", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.4068", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40764", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40791", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40715", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40765", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40772", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40757", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40738", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40783", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40753", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00189", "scoring_system": 
"epss", "scoring_elements": "0.40675", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.4058", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40567", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40484", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40339", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39933" }, { "reference_url": "https://security.archlinux.org/ASA-202112-10", "reference_id": "ASA-202112-10", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202112-10" }, { "reference_url": "https://security.archlinux.org/AVG-2603", "reference_id": "AVG-2603", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2603" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371831?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.5.2-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1" } ], "aliases": [ "CVE-2021-39933" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5t99-3qbr-sfdj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256812?format=api", "vulnerability_id": "VCID-6ns1-mx95-5ffe", "summary": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. 
GitLab Maven Package registry is vulnerable to a regular expression denial of service when a specifically crafted string is sent.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39940", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40407", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.4068", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40764", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40791", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40715", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40765", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40772", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40757", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40738", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40783", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40753", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40675", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.4058", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40567", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00189", 
"scoring_system": "epss", "scoring_elements": "0.40484", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40339", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39940" }, { "reference_url": "https://security.archlinux.org/ASA-202112-10", "reference_id": "ASA-202112-10", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202112-10" }, { "reference_url": "https://security.archlinux.org/AVG-2603", "reference_id": "AVG-2603", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2603" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371831?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.5.2-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1" } ], "aliases": [ "CVE-2021-39940" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6ns1-mx95-5ffe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256804?format=api", "vulnerability_id": "VCID-71j9-ra1c-6uhm", "summary": "Improper access control allows any project member to retrieve the service desk email address in GitLab CE/EE versions starting 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39934", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48035", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48044", "published_at": "2026-04-01T12:55:00Z" 
}, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48081", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48102", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48052", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48105", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.481", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48123", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48099", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.4811", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48163", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48158", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48112", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48093", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48049", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.47969", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39934" }, { "reference_url": "https://security.archlinux.org/ASA-202112-10", "reference_id": "ASA-202112-10", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202112-10" }, { "reference_url": 
"https://security.archlinux.org/AVG-2603", "reference_id": "AVG-2603", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2603" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371831?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.5.2-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1" } ], "aliases": [ "CVE-2021-39934" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-71j9-ra1c-6uhm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256809?format=api", "vulnerability_id": "VCID-989x-8yn6-eqc8", "summary": "A collision in access memoization logic in all versions of GitLab CE/EE before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, leads to potential elevated privileges in groups and projects under rare circumstances", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39937", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35223", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35511", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35713", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35738", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35619", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35665", "published_at": 
"2026-04-08T12:55:00Z" }, { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35688", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35698", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35653", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35631", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.3567", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35661", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35609", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35371", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35351", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.3527", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35152", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39937" }, { "reference_url": "https://security.archlinux.org/ASA-202112-10", "reference_id": "ASA-202112-10", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202112-10" }, { "reference_url": "https://security.archlinux.org/AVG-2603", "reference_id": "AVG-2603", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2603" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371831?format=api", "purl": 
"pkg:alpm/archlinux/gitlab@14.5.2-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1" } ], "aliases": [ "CVE-2021-39937" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-989x-8yn6-eqc8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256807?format=api", "vulnerability_id": "VCID-99uy-2jrp-u7cx", "summary": "Improper access control in GitLab CE/EE affecting all versions starting from 10.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker in possession of a deploy token to access a project's disabled wiki.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39936", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.56812", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.56802", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.56896", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.56918", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.56894", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.56946", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.56949", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.56957", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00342", "scoring_system": "epss", "scoring_elements": 
"0.56937", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.56914", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.56943", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.5694", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.56917", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.56857", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.56874", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.56858", "published_at": "2026-05-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39936" }, { "reference_url": "https://security.archlinux.org/ASA-202112-10", "reference_id": "ASA-202112-10", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202112-10" }, { "reference_url": "https://security.archlinux.org/AVG-2603", "reference_id": "AVG-2603", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2603" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371831?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.5.2-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1" } ], "aliases": [ "CVE-2021-39936" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-99uy-2jrp-u7cx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256818?format=api", 
"vulnerability_id": "VCID-9mm8-knzf-a3gb", "summary": "Improper access control in the GitLab CE/EE API affecting all versions starting from 9.4 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an author of a Merge Request to approve the Merge Request even after having their project access revoked", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39945", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00244", "scoring_system": "epss", "scoring_elements": "0.47612", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00244", "scoring_system": "epss", "scoring_elements": "0.47628", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00244", "scoring_system": "epss", "scoring_elements": "0.47666", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00244", "scoring_system": "epss", "scoring_elements": "0.47687", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00244", "scoring_system": "epss", "scoring_elements": "0.47636", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00244", "scoring_system": "epss", "scoring_elements": "0.47691", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00244", "scoring_system": "epss", "scoring_elements": "0.47711", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00244", "scoring_system": "epss", "scoring_elements": "0.47688", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00244", "scoring_system": "epss", "scoring_elements": "0.47697", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00244", "scoring_system": "epss", "scoring_elements": "0.47753", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00244", "scoring_system": "epss", "scoring_elements": "0.47746", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00244", "scoring_system": "epss", "scoring_elements": "0.47698", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00244", 
"scoring_system": "epss", "scoring_elements": "0.47679", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00244", "scoring_system": "epss", "scoring_elements": "0.47633", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00244", "scoring_system": "epss", "scoring_elements": "0.47547", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39945" }, { "reference_url": "https://security.archlinux.org/ASA-202112-10", "reference_id": "ASA-202112-10", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202112-10" }, { "reference_url": "https://security.archlinux.org/AVG-2603", "reference_id": "AVG-2603", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2603" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371831?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.5.2-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1" } ], "aliases": [ "CVE-2021-39945" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9mm8-knzf-a3gb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256782?format=api", "vulnerability_id": "VCID-9wuq-32s1-nydy", "summary": "Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to see the names of project access tokens on arbitrary projects", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39915", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00269", "scoring_system": "epss", 
"scoring_elements": "0.50331", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00269", "scoring_system": "epss", "scoring_elements": "0.50338", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00269", "scoring_system": "epss", "scoring_elements": "0.50393", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00269", "scoring_system": "epss", "scoring_elements": "0.50423", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00269", "scoring_system": "epss", "scoring_elements": "0.50375", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00269", "scoring_system": "epss", "scoring_elements": "0.50429", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00269", "scoring_system": "epss", "scoring_elements": "0.50422", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00269", "scoring_system": "epss", "scoring_elements": "0.50463", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00269", "scoring_system": "epss", "scoring_elements": "0.5044", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00269", "scoring_system": "epss", "scoring_elements": "0.50425", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00269", "scoring_system": "epss", "scoring_elements": "0.50468", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00269", "scoring_system": "epss", "scoring_elements": "0.50472", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00269", "scoring_system": "epss", "scoring_elements": "0.50449", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00269", "scoring_system": "epss", "scoring_elements": "0.50394", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00269", "scoring_system": "epss", "scoring_elements": "0.50404", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00269", "scoring_system": "epss", "scoring_elements": "0.50355", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00269", "scoring_system": "epss", "scoring_elements": "0.50277", "published_at": 
"2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39915" }, { "reference_url": "https://security.archlinux.org/ASA-202112-10", "reference_id": "ASA-202112-10", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202112-10" }, { "reference_url": "https://security.archlinux.org/AVG-2603", "reference_id": "AVG-2603", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2603" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371831?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.5.2-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1" } ], "aliases": [ "CVE-2021-39915" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9wuq-32s1-nydy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256789?format=api", "vulnerability_id": "VCID-buuk-gsy3-w7bp", "summary": "In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39919", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.20613", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.20853", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.21004", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00068", 
"scoring_system": "epss", "scoring_elements": "0.2106", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.20774", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.20915", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.20931", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.20887", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.20836", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.20826", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.20818", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.208", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.20681", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.20677", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.20645", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.20541", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39919" }, { "reference_url": "https://security.archlinux.org/ASA-202112-10", "reference_id": "ASA-202112-10", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202112-10" }, { "reference_url": "https://security.archlinux.org/AVG-2603", "reference_id": "AVG-2603", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", 
"scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2603" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371831?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.5.2-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1" } ], "aliases": [ "CVE-2021-39919" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-buuk-gsy3-w7bp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256776?format=api", "vulnerability_id": "VCID-gvwq-zqmf-ruak", "summary": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab was vulnerable to HTML Injection through the Swagger UI feature.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39910", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39188", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.3947", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.3962", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39642", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39559", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39613", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39628", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0018", 
"scoring_system": "epss", "scoring_elements": "0.39638", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39601", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39585", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39636", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39606", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39523", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39343", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39328", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39246", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39121", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39910" }, { "reference_url": "https://security.archlinux.org/ASA-202112-10", "reference_id": "ASA-202112-10", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202112-10" }, { "reference_url": "https://security.archlinux.org/AVG-2603", "reference_id": "AVG-2603", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2603" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371831?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.5.2-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1" } ], 
"aliases": [ "CVE-2021-39910" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gvwq-zqmf-ruak" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256786?format=api", "vulnerability_id": "VCID-h8td-pdxx-y7en", "summary": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression related to quick actions features was susceptible to catastrophic backtracking that could cause a DOS attack.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39917", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59816", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59687", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.5976", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59784", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59753", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59805", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59818", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59838", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59822", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59804", "published_at": 
"2026-04-13T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59841", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59848", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59832", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59803", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59821", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59806", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.59769", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39917" }, { "reference_url": "https://security.archlinux.org/ASA-202112-10", "reference_id": "ASA-202112-10", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202112-10" }, { "reference_url": "https://security.archlinux.org/AVG-2603", "reference_id": "AVG-2603", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2603" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371831?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.5.2-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1" } ], "aliases": [ "CVE-2021-39917" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h8td-pdxx-y7en" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256800?format=api", "vulnerability_id": 
"VCID-m6c7-dfbf-r7gr", "summary": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.11 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under specific conditions, an unauthorised project member was allowed to delete protected branches due to a business logic error.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39931", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48532", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48538", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48574", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48597", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48549", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48603", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48599", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.4862", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48593", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48606", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48656", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48651", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00253", "scoring_system": 
"epss", "scoring_elements": "0.48608", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48604", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48554", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.4847", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39931" }, { "reference_url": "https://security.archlinux.org/ASA-202112-10", "reference_id": "ASA-202112-10", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202112-10" }, { "reference_url": "https://security.archlinux.org/AVG-2603", "reference_id": "AVG-2603", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2603" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371831?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.5.2-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1" } ], "aliases": [ "CVE-2021-39931" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m6c7-dfbf-r7gr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256806?format=api", "vulnerability_id": "VCID-t8nq-hx26-kfc7", "summary": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. 
Unauthorized external users could perform Server Side Requests via the CI Lint API", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39935", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.41434", "scoring_system": "epss", "scoring_elements": "0.97378", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.41434", "scoring_system": "epss", "scoring_elements": "0.97384", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.41434", "scoring_system": "epss", "scoring_elements": "0.97389", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.41434", "scoring_system": "epss", "scoring_elements": "0.97391", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.41434", "scoring_system": "epss", "scoring_elements": "0.97397", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.41434", "scoring_system": "epss", "scoring_elements": "0.97398", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.41434", "scoring_system": "epss", "scoring_elements": "0.974", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.41434", "scoring_system": "epss", "scoring_elements": "0.97401", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.41434", "scoring_system": "epss", "scoring_elements": "0.97402", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.41434", "scoring_system": "epss", "scoring_elements": "0.9741", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.41434", "scoring_system": "epss", "scoring_elements": "0.97413", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.54604", "scoring_system": "epss", "scoring_elements": "0.98049", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.54604", "scoring_system": "epss", "scoring_elements": "0.98041", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.58412", "scoring_system": "epss", "scoring_elements": "0.98208", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.58412", "scoring_system": "epss", "scoring_elements": 
"0.98209", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.58412", "scoring_system": "epss", "scoring_elements": "0.98215", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.58412", "scoring_system": "epss", "scoring_elements": "0.98206", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39935" }, { "reference_url": "https://hackerone.com/reports/1236965", "reference_id": "1236965", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:23:46Z/" } ], "url": "https://hackerone.com/reports/1236965" }, { "reference_url": "https://gitlab.com/gitlab-org/gitlab/-/issues/346187", "reference_id": "346187", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:23:46Z/" } ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/346187" }, { "reference_url": "https://security.archlinux.org/ASA-202112-10", "reference_id": "ASA-202112-10", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202112-10" }, { "reference_url": "https://security.archlinux.org/AVG-2603", "reference_id": "AVG-2603", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2603" }, { "reference_url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39935.json", "reference_id": "CVE-2021-39935.json", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:23:46Z/" } ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39935.json" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371831?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.5.2-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1" } ], "aliases": [ "CVE-2021-39935" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t8nq-hx26-kfc7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256817?format=api", "vulnerability_id": "VCID-uzq6-eukx-8yhv", "summary": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. 
A permissions validation flaw allowed group members with a developer role to elevate their privilege to a maintainer on projects they import", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39944", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.38679", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.38955", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.39141", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.39163", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.39082", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.39137", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.39153", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.39165", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.39128", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.39109", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.39164", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.39133", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.39045", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.38836", "published_at": "2026-04-24T12:55:00Z" }, { "value": 
"0.00176", "scoring_system": "epss", "scoring_elements": "0.38813", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.38729", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00176", "scoring_system": "epss", "scoring_elements": "0.38606", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39944" }, { "reference_url": "https://security.archlinux.org/ASA-202112-10", "reference_id": "ASA-202112-10", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202112-10" }, { "reference_url": "https://security.archlinux.org/AVG-2603", "reference_id": "AVG-2603", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2603" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371831?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.5.2-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1" } ], "aliases": [ "CVE-2021-39944" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uzq6-eukx-8yhv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256813?format=api", "vulnerability_id": "VCID-vfvr-mjgk-4qce", "summary": "An information disclosure vulnerability in GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed non-project members to see the default branch name for projects that restrict access to the repository to project members", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39941", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52574", "published_at": 
"2026-05-07T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52522", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52568", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52594", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52561", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52613", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52607", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52658", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52641", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52625", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52663", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.5267", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52655", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52606", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52616", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52579", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52521", "published_at": "2026-05-05T12:55:00Z" } ], "url": 
"https://api.first.org/data/v1/epss?cve=CVE-2021-39941" }, { "reference_url": "https://security.archlinux.org/ASA-202112-10", "reference_id": "ASA-202112-10", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202112-10" }, { "reference_url": "https://security.archlinux.org/AVG-2603", "reference_id": "AVG-2603", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2603" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371831?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.5.2-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1" } ], "aliases": [ "CVE-2021-39941" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vfvr-mjgk-4qce" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256801?format=api", "vulnerability_id": "VCID-w1jg-8rdt-3ufv", "summary": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. 
Using large payloads, the diff feature could be used to trigger high load time for users reviewing code changes.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39932", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44574", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44711", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44791", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44812", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44752", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44805", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44807", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44824", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44793", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44794", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44848", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44841", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44776", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.4469", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00222", "scoring_system": 
"epss", "scoring_elements": "0.44697", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44619", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44504", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39932" }, { "reference_url": "https://security.archlinux.org/ASA-202112-10", "reference_id": "ASA-202112-10", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202112-10" }, { "reference_url": "https://security.archlinux.org/AVG-2603", "reference_id": "AVG-2603", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2603" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371831?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.5.2-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1" } ], "aliases": [ "CVE-2021-39932" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w1jg-8rdt-3ufv" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.2-1" }