Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/371896?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/371896?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.0-1", "type": "alpm", "namespace": "archlinux", "name": "gitlab", "version": "14.3.0-1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "14.3.1-1", "latest_non_vulnerable_version": "15.2.1-1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256709?format=api", "vulnerability_id": "VCID-1tp6-v3h3-sfc1", "summary": "A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39866", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49435", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49439", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49467", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49494", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49447", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49502", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49497", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49514", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49486", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49488", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49535", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49533", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49504", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49458", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49376", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39866" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39866" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1tp6-v3h3-sfc1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256757?format=api", "vulnerability_id": "VCID-1z31-8t4f-hbes", "summary": "In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39899", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.21818", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22017", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22175", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22223", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22006", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22087", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22142", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.2216", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22119", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22059", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22058", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22051", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.22004", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.21863", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.21851", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.21837", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00073", "scoring_system": "epss", "scoring_elements": "0.21745", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39899" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39899" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1z31-8t4f-hbes" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256743?format=api", "vulnerability_id": "VCID-2c2h-bx69-sycp", "summary": "In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39889", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00245", "scoring_system": "epss", "scoring_elements": "0.47706", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00245", "scoring_system": "epss", "scoring_elements": "0.47719", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00245", "scoring_system": "epss", "scoring_elements": "0.47757", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00245", "scoring_system": "epss", "scoring_elements": "0.47777", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00245", "scoring_system": "epss", "scoring_elements": "0.47726", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00245", "scoring_system": "epss", "scoring_elements": "0.4778", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00245", "scoring_system": "epss", "scoring_elements": "0.47776", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00245", "scoring_system": "epss", "scoring_elements": "0.47801", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00245", "scoring_system": "epss", "scoring_elements": "0.47787", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00245", "scoring_system": "epss", "scoring_elements": "0.47842", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00245", "scoring_system": "epss", "scoring_elements": "0.47834", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00245", "scoring_system": "epss", "scoring_elements": "0.4777", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00245", "scoring_system": "epss", "scoring_elements": "0.47727", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00245", "scoring_system": "epss", "scoring_elements": "0.47643", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39889" }, { "reference_url": "https://security.archlinux.org/AVG-2432", "reference_id": "AVG-2432", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2432" } ], "fixed_packages": [], "aliases": [ "CVE-2021-39889" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2c2h-bx69-sycp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256741?format=api", "vulnerability_id": "VCID-2mrs-2r3z-9qew", "summary": "In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39888", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.48811", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.48813", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.4885", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.48876", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.4883", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.48884", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.48881", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.48897", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.48872", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.4888", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.48928", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.48924", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.48885", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.48873", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.48882", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.48833", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.4875", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39888" }, { "reference_url": "https://security.archlinux.org/AVG-2432", "reference_id": "AVG-2432", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2432" } ], "fixed_packages": [], "aliases": [ "CVE-2021-39888" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2mrs-2r3z-9qew" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256749?format=api", "vulnerability_id": "VCID-2smt-c8fa-5qhf", "summary": "A potential DOS vulnerability was discovered in GitLab starting with version 9.1 that allowed parsing files without authorisation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39893", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00395", "scoring_system": "epss", "scoring_elements": "0.60364", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00395", "scoring_system": "epss", "scoring_elements": "0.60218", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00395", "scoring_system": "epss", "scoring_elements": "0.60294", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00395", "scoring_system": "epss", "scoring_elements": "0.60319", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00395", "scoring_system": "epss", "scoring_elements": "0.60287", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00395", "scoring_system": "epss", "scoring_elements": "0.60337", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00395", "scoring_system": "epss", "scoring_elements": "0.60353", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00395", "scoring_system": "epss", "scoring_elements": "0.60374", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00395", "scoring_system": "epss", "scoring_elements": "0.6036", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00395", "scoring_system": "epss", "scoring_elements": "0.60342", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00395", "scoring_system": "epss", "scoring_elements": "0.60383", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00395", "scoring_system": "epss", "scoring_elements": "0.60391", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00395", "scoring_system": "epss", "scoring_elements": "0.6038", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00395", "scoring_system": "epss", "scoring_elements": "0.60357", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00395", "scoring_system": "epss", "scoring_elements": "0.60371", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00395", "scoring_system": "epss", "scoring_elements": "0.60359", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00395", "scoring_system": "epss", "scoring_elements": "0.60317", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39893" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39893" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2smt-c8fa-5qhf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/240576?format=api", "vulnerability_id": "VCID-48bc-4shc-9yax", "summary": "A potential DOS vulnerability was discovered in GitLab EE starting with version 12.6 due to lack of pagination in dependencies API.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22259", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.51497", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.51506", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.51558", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.51585", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.51546", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.516", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.51597", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.51646", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.51625", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.51609", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.5165", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.51657", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.51636", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.51588", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.51593", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.51553", "published_at": "2026-04-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22259" }, { "reference_url": "https://security.archlinux.org/AVG-2432", "reference_id": "AVG-2432", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2432" } ], "fixed_packages": [], "aliases": [ "CVE-2021-22259" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-48bc-4shc-9yax" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256754?format=api", "vulnerability_id": "VCID-4pa9-gyq6-u7ht", "summary": "In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may lead to repudiation issues.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39896", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41324", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.4155", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41638", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41666", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41593", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41643", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41652", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41675", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41628", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41676", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41649", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41574", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41467", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41464", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41386", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41254", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39896" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39896" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4pa9-gyq6-u7ht" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256746?format=api", "vulnerability_id": "VCID-55t2-2xm4-eqdt", "summary": "In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39891", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29534", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.30008", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.30047", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.30093", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29906", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29968", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.30003", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29962", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29913", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29931", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.2991", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29864", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29786", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29673", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29613", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29471", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39891" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39891" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-55t2-2xm4-eqdt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256727?format=api", "vulnerability_id": "VCID-63cc-p6xr-qqcc", "summary": "A stored Reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary javascript code.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39878", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.39813", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40091", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40241", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40266", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40188", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40251", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40263", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40225", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40205", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40253", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40223", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40146", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.39972", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.39957", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.39877", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.39748", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39878" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39878" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-63cc-p6xr-qqcc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256714?format=api", "vulnerability_id": "VCID-6y4r-d3eu-hqcp", "summary": "In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39869", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.47983", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.47985", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48023", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48044", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.47994", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48047", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.4804", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48065", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48041", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48053", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48105", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.481", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48056", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48037", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.48049", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.47997", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00248", "scoring_system": "epss", "scoring_elements": "0.47916", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39869" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39869" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6y4r-d3eu-hqcp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256731?format=api", "vulnerability_id": "VCID-7m1c-tbzh-fueb", "summary": "In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39881", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00252", "scoring_system": "epss", "scoring_elements": "0.48504", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00252", "scoring_system": "epss", "scoring_elements": "0.48511", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00252", "scoring_system": "epss", "scoring_elements": "0.48546", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00252", "scoring_system": "epss", "scoring_elements": "0.48569", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00252", "scoring_system": "epss", "scoring_elements": "0.48521", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00252", "scoring_system": "epss", "scoring_elements": "0.48575", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00252", "scoring_system": "epss", "scoring_elements": "0.48571", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00252", "scoring_system": "epss", "scoring_elements": "0.48593", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00252", "scoring_system": "epss", "scoring_elements": "0.48566", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00252", "scoring_system": "epss", "scoring_elements": "0.48578", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00252", "scoring_system": "epss", "scoring_elements": "0.48629", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00252", "scoring_system": "epss", "scoring_elements": "0.48624", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00252", "scoring_system": "epss", "scoring_elements": "0.48582", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00252", "scoring_system": "epss", "scoring_elements": "0.48526", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00252", "scoring_system": "epss", "scoring_elements": "0.48442", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39881" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39881" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7m1c-tbzh-fueb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256711?format=api", "vulnerability_id": "VCID-81kf-hxfb-n3fb", "summary": "In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39867", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.34358", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.3464", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.34856", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.34883", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.3476", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.34804", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.34833", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.34839", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.348", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.34776", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.34811", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.34795", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.34755", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.34517", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.34497", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.34411", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.34287", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39867" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39867" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-81kf-hxfb-n3fb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256716?format=api", "vulnerability_id": "VCID-9f4x-xbya-sqgu", "summary": "In all versions of GitLab CE/EE since version 11.11, an instance that has the setting to disable Repo by URL import enabled is bypassed by an attacker making a crafted API call.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39870", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.30918", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31384", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31521", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31563", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31381", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31434", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31465", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31468", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31425", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31389", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31422", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31402", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31373", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31204", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.3108", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31002", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.3085", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39870" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39870" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9f4x-xbya-sqgu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256739?format=api", "vulnerability_id": "VCID-9tyu-gmse-f3cj", "summary": "A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary JavaScript code on the victim's behalf.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39887", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42038", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42251", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42326", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42354", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42296", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42344", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42351", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42374", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42337", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42309", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42359", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42335", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42262", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42194", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.4219", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42107", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.41964", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39887" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39887" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9tyu-gmse-f3cj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256723?format=api", "vulnerability_id": "VCID-b4ff-s1xj-27fx", "summary": "In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39875", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53214", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53153", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53177", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53202", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53169", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53222", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53216", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53267", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53253", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53236", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53273", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53279", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.5326", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53231", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53243", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53205", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00299", "scoring_system": "epss", "scoring_elements": "0.53163", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39875" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39875" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b4ff-s1xj-27fx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256725?format=api", "vulnerability_id": "VCID-ccmp-4xq2-ayau", "summary": "A vulnerability was discovered in GitLab starting with version 12.2 that allows an attacker to cause uncontrolled resource consumption with a specially crafted file.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39877", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00178", "scoring_system": "epss", "scoring_elements": "0.38956", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00178", "scoring_system": "epss", "scoring_elements": "0.39237", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00178", "scoring_system": "epss", "scoring_elements": "0.39405", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00178", "scoring_system": "epss", "scoring_elements": "0.39428", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00178", "scoring_system": "epss", "scoring_elements": "0.39343", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00178", "scoring_system": "epss", "scoring_elements": "0.39398", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00178", "scoring_system": "epss", "scoring_elements": "0.39415", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00178", "scoring_system": "epss", "scoring_elements": "0.39426", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00178", "scoring_system": "epss", "scoring_elements": "0.39387", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00178", "scoring_system": "epss", "scoring_elements": "0.39369", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00178", "scoring_system": "epss", "scoring_elements": "0.39421", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00178", "scoring_system": "epss", "scoring_elements": "0.39392", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00178", "scoring_system": "epss", "scoring_elements": "0.39306", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00178", "scoring_system": "epss", "scoring_elements": "0.39109", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00178", "scoring_system": "epss", "scoring_elements": "0.39091", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00178", "scoring_system": "epss", "scoring_elements": "0.39011", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00178", "scoring_system": "epss", "scoring_elements": "0.38884", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39877" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39877" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ccmp-4xq2-ayau" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256751?format=api", "vulnerability_id": "VCID-ckry-v723-n7en", "summary": "In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in Fogbugz importer which may be used by attackers to exploit Server Side Request Forgery attacks.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39894", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37075", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37411", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37577", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37601", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37478", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37529", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37542", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37556", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37521", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37495", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37523", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37459", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37239", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37218", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37126", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37007", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39894" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39894" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ckry-v723-n7en" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256721?format=api", "vulnerability_id": "VCID-dfrd-2pjx-4ba4", "summary": "In all versions of GitLab CE/EE, there exists a content spoofing vulnerability which may be leveraged by attackers to trick users into visiting a malicious website by spoofing the content in an error response.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39873", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.50905", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.5089", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.50944", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.50969", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.50927", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.50984", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.50981", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.51024", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.51003", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.50987", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.51031", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.51009", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.50957", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.50965", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.50926", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.50853", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39873" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39873" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dfrd-2pjx-4ba4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256759?format=api", "vulnerability_id": "VCID-e49b-ph77-4kcp", "summary": "Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39900", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43141", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43296", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43353", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.4338", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43318", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.4337", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43385", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43405", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43373", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43358", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43417", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43406", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.4334", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43273", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43275", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43197", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00209", "scoring_system": "epss", "scoring_elements": "0.43064", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39900" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39900" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e49b-ph77-4kcp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256732?format=api", "vulnerability_id": "VCID-n5mw-p57c-2ba3", "summary": "In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39882", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27541", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.28052", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.28124", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.28167", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27963", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.28031", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.28073", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.2808", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.28037", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.2798", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27988", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27971", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27922", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27838", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27726", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27652", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27481", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39882" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39882" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n5mw-p57c-2ba3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256719?format=api", "vulnerability_id": "VCID-ncrc-1zac-tucd", "summary": "In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39872", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00215", "scoring_system": "epss", "scoring_elements": "0.43833", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00215", "scoring_system": "epss", "scoring_elements": "0.44", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00215", "scoring_system": "epss", "scoring_elements": "0.44048", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00215", "scoring_system": "epss", "scoring_elements": "0.44072", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00215", "scoring_system": "epss", "scoring_elements": "0.44003", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00215", "scoring_system": "epss", "scoring_elements": "0.44054", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00215", "scoring_system": "epss", "scoring_elements": "0.44056", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00215", "scoring_system": "epss", "scoring_elements": "0.44071", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00215", "scoring_system": "epss", "scoring_elements": "0.44038", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00215", "scoring_system": "epss", "scoring_elements": "0.44022", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00215", "scoring_system": "epss", "scoring_elements": "0.44084", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00215", "scoring_system": "epss", "scoring_elements": "0.44075", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00215", "scoring_system": "epss", "scoring_elements": "0.44009", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00215", "scoring_system": "epss", "scoring_elements": "0.43961", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00215", "scoring_system": "epss", "scoring_elements": "0.43964", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00215", "scoring_system": "epss", "scoring_elements": "0.43879", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00215", "scoring_system": "epss", "scoring_elements": "0.43758", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39872" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39872" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ncrc-1zac-tucd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256737?format=api", "vulnerability_id": "VCID-q8sm-1nrb-wfej", "summary": "A Stored XSS in merge request creation page in all versions of Gitlab EE starting from 13.7 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious approval rule names", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39885", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44013", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44179", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44244", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44267", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.442", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44251", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44256", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44274", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44242", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44301", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44292", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44219", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44141", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44145", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.4406", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.43936", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39885" }, { "reference_url": "https://security.archlinux.org/AVG-2432", "reference_id": "AVG-2432", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2432" } ], "fixed_packages": [], "aliases": [ "CVE-2021-39885" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q8sm-1nrb-wfej" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256738?format=api", "vulnerability_id": "VCID-su9x-jz8t-h7bt", "summary": "Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 allowing users to read confidential Epic references.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39886", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.32889", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.3318", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.33308", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.3334", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.33173", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.33216", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.3325", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.33254", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.33213", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.33189", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.3323", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.33207", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.33171", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.33024", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.33007", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.32932", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.3282", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39886" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39886" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-su9x-jz8t-h7bt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256734?format=api", "vulnerability_id": "VCID-teya-apph-1bhn", "summary": "Improper authorization checks in all versions of GitLab EE starting from 13.11 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows subgroup members to see epics from all parent subgroups.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39883", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.41845", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42062", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42123", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42151", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42088", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42139", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.4215", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42172", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42135", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42111", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42162", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42136", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42066", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42008", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42003", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.4192", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.41777", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39883" }, { "reference_url": "https://security.archlinux.org/AVG-2432", "reference_id": "AVG-2432", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2432" } ], "fixed_packages": [], "aliases": [ "CVE-2021-39883" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-teya-apph-1bhn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256717?format=api", "vulnerability_id": "VCID-ujgs-nnuc-mqe2", "summary": "In all versions of GitLab CE/EE since version 13.0, an instance that has the setting to disable Bitbucket Server import enabled is bypassed by an attacker making a crafted API call.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39871", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.30918", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31384", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31521", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31563", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31381", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31434", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31465", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31468", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31425", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31389", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31422", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31402", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31373", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31204", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.3108", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31002", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.3085", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39871" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39871" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ujgs-nnuc-mqe2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256722?format=api", "vulnerability_id": "VCID-wg33-ddc8-t3h4", "summary": "In all versions of GitLab CE/EE since version 11.0, the requirement to enforce 2FA is not honored when using git commands.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39874", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48532", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48538", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48574", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48597", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48549", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48603", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48599", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.4862", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48593", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48606", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48656", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48651", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48608", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48604", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48554", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.4847", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39874" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39874" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wg33-ddc8-t3h4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256728?format=api", "vulnerability_id": "VCID-wnjn-b16y-mfdg", "summary": "Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39879", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.3112", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.316", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.31733", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.31777", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.31596", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.31648", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.31678", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.31683", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.31642", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.31606", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.3164", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.31618", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.31586", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.31408", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.31283", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.31203", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.31051", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39879" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39879" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wnjn-b16y-mfdg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256748?format=api", "vulnerability_id": "VCID-y355-57xu-4bet", "summary": "In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don't have a maintainer role on and disclose email addresses of those users.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39892", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00297", "scoring_system": "epss", "scoring_elements": "0.52982", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00297", "scoring_system": "epss", "scoring_elements": "0.5294", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00297", "scoring_system": "epss", "scoring_elements": "0.52965", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00297", "scoring_system": "epss", "scoring_elements": "0.5299", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00297", "scoring_system": "epss", "scoring_elements": "0.52958", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00297", "scoring_system": "epss", "scoring_elements": "0.53009", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00297", "scoring_system": "epss", "scoring_elements": "0.53002", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00297", "scoring_system": "epss", "scoring_elements": "0.53052", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00297", "scoring_system": "epss", "scoring_elements": "0.53036", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00297", "scoring_system": "epss", "scoring_elements": "0.53019", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00297", "scoring_system": "epss", "scoring_elements": "0.53056", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00297", "scoring_system": "epss", "scoring_elements": "0.53063", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00297", "scoring_system": "epss", "scoring_elements": "0.53045", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00297", "scoring_system": "epss", "scoring_elements": "0.53012", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00297", "scoring_system": "epss", "scoring_elements": "0.53021", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00297", "scoring_system": "epss", "scoring_elements": "0.52981", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00297", "scoring_system": "epss", "scoring_elements": "0.52931", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39892" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39892" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y355-57xu-4bet" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256712?format=api", "vulnerability_id": "VCID-y8p4-aqpq-ykbk", "summary": "In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39868", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52572", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52519", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52565", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52591", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52558", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52609", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52604", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52654", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52637", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52623", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52661", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52668", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52652", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52603", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52614", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52577", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00293", "scoring_system": "epss", "scoring_elements": "0.52518", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39868" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39868" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y8p4-aqpq-ykbk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256744?format=api", "vulnerability_id": "VCID-z4ez-3sgx-ybb8", "summary": "It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39890", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18504", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18788", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18926", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18979", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18702", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18782", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18836", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18841", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18795", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18743", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18692", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18704", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18723", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.1861", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18588", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18547", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18419", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39890" }, { "reference_url": "https://security.archlinux.org/AVG-2431", "reference_id": "AVG-2431", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2431" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371897?format=api", "purl": "pkg:alpm/archlinux/gitlab@14.3.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1" } ], "aliases": [ "CVE-2021-39890" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z4ez-3sgx-ybb8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256735?format=api", "vulnerability_id": "VCID-zbdr-btjr-vkhh", "summary": "In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39884", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50797", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50782", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50838", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50864", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50821", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50878", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50876", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50918", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50896", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.5088", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50924", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50904", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50853", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50861", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.5082", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50744", "published_at": "2026-05-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39884" }, { "reference_url": "https://security.archlinux.org/AVG-2432", "reference_id": "AVG-2432", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2432" } ], "fixed_packages": [], "aliases": [ "CVE-2021-39884" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zbdr-btjr-vkhh" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.0-1" }