{"url":"http://public2.vulnerablecode.io/api/packages/371835?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.3-2","type":"alpm","namespace":"archlinux","name":"gitlab","version":"14.3.3-2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"14.5.2-1","latest_non_vulnerable_version":"15.2.1-1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11124?format=json","vulnerability_id":"VCID-1bxs-yghe-cyck","summary":"URL Redirection to Untrusted Site ('Open Redirect')\nA possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22942.json","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22942.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22942","reference_id":"","reference_type":"","scores":[{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67422","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67402","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67425","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67413","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67378","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67412","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67424","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00533","scoring_system":"epss"
,"scoring_elements":"0.67403","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.6739","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67361","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67339","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67302","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67407","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67433","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-202
2-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c"},{"reference_url":"https://rubygems.org/gems/actionpack","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubygems.org/gems/actionpack"},{"reference_url":"https://security.netapp.com/advisory/ntap-2
0240202-0005","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240202-0005"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240202-0005/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20240202-0005/"},{"reference_url":"https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released"},{"reference_url":"https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/","reference_id":"","reference_type":"","scores":[],"url":"https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/"},{"reference_url":"https://www.debian.org/security/2023/dsa-5372","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2023/dsa-5372"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/12/14/5","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/12/14/5"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1995940
","reference_id":"1995940","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1995940"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586","reference_id":"992586","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586"},{"reference_url":"https://security.archlinux.org/AVG-2492","reference_id":"AVG-2492","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2492"},{"reference_url":"https://security.archlinux.org/AVG-2493","reference_id":"AVG-2493","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2493"},{"reference_url":"https://access.redhat.com/security/cve/cve-2021-22942","reference_id":"CVE-2021-22942","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/security/cve/cve-2021-22942"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22942","reference_id":"CVE-2021-22942","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22942"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml","reference_id":"CVE-2021-22942.YML","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-20
21-22942.yml"},{"reference_url":"https://github.com/advisories/GHSA-2rqw-v265-jf8c","reference_id":"GHSA-2rqw-v265-jf8c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2rqw-v265-jf8c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-22942","GHSA-2rqw-v265-jf8c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1bxs-yghe-cyck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256764?format=json","vulnerability_id":"VCID-2uqd-mtms-fqaw","summary":"In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in 
settings.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39903","reference_id":"","reference_type":"","scores":[{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48664","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48729","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48768","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48794","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48748","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48803","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.488","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48817","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48791","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48798","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48847","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48843","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48802","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48799","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.4875","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39903"},{"reference_url":"https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"Hig
h","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39903"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2uqd-mtms-fqaw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256756?format=json","vulnerability_id":"VCID-54ws-nrwe-wucv","summary":"In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported 
from.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39898","reference_id":"","reference_type":"","scores":[{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53311","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53302","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53325","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53351","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53321","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53373","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53367","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53419","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53403","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53387","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53424","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.5343","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.5341","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53382","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53394","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53357","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39898"},{"reference_url":"ht
tps://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39898"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-54ws-nrwe-wucv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256771?format=json","vulnerability_id":"VCID-6uvg-uqe6-tud1","summary":"A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 13.7. 
The stripping of EXIF data from certain images resulted in high CPU usage.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39907","reference_id":"","reference_type":"","scores":[{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.4797","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48044","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48082","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48103","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48053","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48106","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48101","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48124","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48099","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48111","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48163","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48158","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48113","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48094","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48105","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.4805","published_at":"2026-04-29T12:55:00Z"}],"url":"https:/
/api.first.org/data/v1/epss?cve=CVE-2021-39907"},{"reference_url":"https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39907"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6uvg-uqe6-tud1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256753?format=json","vulnerability_id":"VCID-dana-dyhj-4yec","summary":"In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. 
Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39895","reference_id":"","reference_type":"","scores":[{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51378","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51385","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51436","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51463","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51423","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51476","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51474","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51518","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51497","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51484","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51526","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51535","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51513","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51466","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51473","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00281","scoring_system":"epss","scoring_elements":"0.51434","pub
lished_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39895"},{"reference_url":"https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39895"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dana-dyhj-4yec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256774?format=json","vulnerability_id":"VCID-de8b-d4wk-y3g2","summary":"Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE starting from 11.3 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker to bypass CODEOWNERS Merge Request approval requirement 
under rare circumstances","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39909","reference_id":"","reference_type":"","scores":[{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.14875","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15144","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15184","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15251","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15055","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15143","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15194","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15164","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15126","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15061","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.14961","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.1497","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15021","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.1506","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15062","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15005","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39909"},{
"reference_url":"https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39909"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-de8b-d4wk-y3g2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256762?format=json","vulnerability_id":"VCID-f663-qdnt-4fhz","summary":"Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an 
incident.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39902","reference_id":"","reference_type":"","scores":[{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45083","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45239","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.4532","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45342","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45285","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.4534","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45362","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.4533","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45332","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45383","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45379","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45329","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45246","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00226","scoring_system":"epss","scoring_elements":"0.45187","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39902"},{"reference_url":"https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixe
d_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39902"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f663-qdnt-4fhz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256769?format=json","vulnerability_id":"VCID-j6gp-wgz9-17h6","summary":"Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's 
behalf.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39906","reference_id":"","reference_type":"","scores":[{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78863","published_at":"2026-05-05T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.7872","published_at":"2026-04-01T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78728","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78759","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78741","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78767","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78774","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78797","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.7878","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78771","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.788","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78798","published_at":"2026-04-18T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78793","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78821","published_at":"2026-04-24T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78827","published_at":"2026-04-26T12:55:00Z"},{"value":"0.01183","scoring_system":"epss","scoring_elements":"0.78844","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39906"},{"reference_url":"ht
tps://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39906"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j6gp-wgz9-17h6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256777?format=json","vulnerability_id":"VCID-r36y-zth9-2bbv","summary":"An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 exposes private email address of Issue and Merge Requests assignee to Webhook data 
consumers","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39911","reference_id":"","reference_type":"","scores":[{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44226","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44459","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44528","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.4455","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44488","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44539","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44544","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.4456","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.4453","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44532","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44587","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44579","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44509","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44427","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44431","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.4435","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39911"},{"reference_url":"
https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39911"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r36y-zth9-2bbv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256779?format=json","vulnerability_id":"VCID-sxfm-yjar-r3gy","summary":"A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. 
Using a malformed TIFF image, it was possible to trigger memory exhaustion.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39912","reference_id":"","reference_type":"","scores":[{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.4797","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48044","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48082","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48103","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48053","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48106","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48101","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48124","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48099","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48111","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48163","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48158","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48113","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48094","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48105","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.4805","published_at":"2026-04-29T12:55:00Z"}],"url":"https://a
pi.first.org/data/v1/epss?cve=CVE-2021-39912"},{"reference_url":"https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39912"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sxfm-yjar-r3gy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256768?format=json","vulnerability_id":"VCID-ubka-br7q-dyax","summary":"An information disclosure vulnerability in the GitLab CE/EE API since version 8.9.6 allows a user to see basic information on private groups that a public project has been shared 
with","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39905","reference_id":"","reference_type":"","scores":[{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53256","published_at":"2026-05-05T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53244","published_at":"2026-04-01T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53267","published_at":"2026-04-02T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53293","published_at":"2026-04-04T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53262","published_at":"2026-04-07T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53314","published_at":"2026-04-08T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53309","published_at":"2026-04-09T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53359","published_at":"2026-04-11T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53344","published_at":"2026-04-12T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53327","published_at":"2026-04-13T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53365","published_at":"2026-04-16T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.5337","published_at":"2026-04-18T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.5335","published_at":"2026-04-21T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53322","published_at":"2026-04-24T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53335","published_at":"2026-04-26T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53297","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39905"},{"reference_url":"https://security.archlinux.org/AVG-
2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39905"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ubka-br7q-dyax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256755?format=json","vulnerability_id":"VCID-utt5-yq43-tydb","summary":"Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to still have access even after the subgroup is 
transferred","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39897","reference_id":"","reference_type":"","scores":[{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52249","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52257","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.523","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52328","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.5229","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52343","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52338","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52388","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52373","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52359","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52397","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52403","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52387","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52335","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52344","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52306","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39897"},{"reference_url
":"https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39897"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-utt5-yq43-tydb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256780?format=json","vulnerability_id":"VCID-vqxg-nt2j-skcd","summary":"Accidental logging of system root password in the migration log in all versions of GitLab CE/EE before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker with local file system access to obtain system root-level 
privileges","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39913","reference_id":"","reference_type":"","scores":[{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.1858","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18953","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.1909","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.19141","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18858","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18937","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.1899","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18997","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.1895","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18899","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18854","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18866","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18877","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18766","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18747","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18703","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39913"},{"reference_url":"https://securit
y.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39913"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vqxg-nt2j-skcd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256760?format=json","vulnerability_id":"VCID-w5ry-7u68-vbhz","summary":"In all versions of GitLab CE/EE since version 11.10, an admin of a group can see the SCIM token of that group by visiting a specific 
endpoint.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39901","reference_id":"","reference_type":"","scores":[{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52572","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52514","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52559","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52586","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52553","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52605","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52599","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52649","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52632","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52618","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52656","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52663","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52648","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52598","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52609","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39901"},{"reference_url":"https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"
High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39901"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w5ry-7u68-vbhz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256781?format=json","vulnerability_id":"VCID-xm82-tdpb-buf6","summary":"A regular expression denial of service issue in GitLab versions 8.13 to 14.2.5, 14.3.0 to 14.3.3 and 14.4.0 could cause excessive usage of resources when a specially crafted username was used when provisioning a new 
user","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39914","reference_id":"","reference_type":"","scores":[{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.38633","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.38982","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39169","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.3919","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.3911","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39164","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39181","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39192","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39156","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39137","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39191","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39161","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39072","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.38863","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.3884","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.38757","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39914"},{"reference_url":"http
s://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39914"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xm82-tdpb-buf6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256766?format=json","vulnerability_id":"VCID-zy36-rb3k-y7eg","summary":"An Improper Access Control vulnerability in the GraphQL API in all versions of GitLab CE/EE starting from 13.1 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows a Merge Request creator to resolve discussions and apply suggestions after a project owner has locked the Merge 
Request","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39904","reference_id":"","reference_type":"","scores":[{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.30652","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31194","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31321","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31363","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31182","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31235","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31266","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.3127","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31226","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31215","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31197","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31166","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.31007","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.30885","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.30801","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39904"},{"reference_url":"https://security.archlinux.org/AVG-2503","reference_id":"AVG-2503","reference_type":"","scores":[{"value":"Hig
h","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2503"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371830?format=json","purl":"pkg:alpm/archlinux/gitlab@14.5.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17gb-vdxv-fqc4"},{"vulnerability":"VCID-1f4t-7du8-q3ex"},{"vulnerability":"VCID-5t99-3qbr-sfdj"},{"vulnerability":"VCID-6ns1-mx95-5ffe"},{"vulnerability":"VCID-71j9-ra1c-6uhm"},{"vulnerability":"VCID-989x-8yn6-eqc8"},{"vulnerability":"VCID-99uy-2jrp-u7cx"},{"vulnerability":"VCID-9mm8-knzf-a3gb"},{"vulnerability":"VCID-9wuq-32s1-nydy"},{"vulnerability":"VCID-buuk-gsy3-w7bp"},{"vulnerability":"VCID-gvwq-zqmf-ruak"},{"vulnerability":"VCID-h8td-pdxx-y7en"},{"vulnerability":"VCID-j8nr-cgq2-ubf9"},{"vulnerability":"VCID-m6c7-dfbf-r7gr"},{"vulnerability":"VCID-n2jn-c1k6-67b9"},{"vulnerability":"VCID-t8nq-hx26-kfc7"},{"vulnerability":"VCID-uzq6-eukx-8yhv"},{"vulnerability":"VCID-vfvr-mjgk-4qce"},{"vulnerability":"VCID-w1jg-8rdt-3ufv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.5.0-1"}],"aliases":["CVE-2021-39904"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zy36-rb3k-y7eg"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.3-2"}