{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","type":"alpm","namespace":"archlinux","name":"gitlab","version":"14.3.1-1","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"14.5.2-1","latest_non_vulnerable_version":"15.2.1-1","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256709?format=json","vulnerability_id":"VCID-1tp6-v3h3-sfc1","summary":"A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39866","reference_id":"","reference_type":"","scores":[{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49435","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49439","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49467","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49494","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49447","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49502","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49497","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49514","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49486","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49488","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49535","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49533","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49504","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49458","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49376","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39866"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39866"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1tp6-v3h3-sfc1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256757?format=json","vulnerability_id":"VCID-1z31-8t4f-hbes","summary":"In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39899","reference_id":"","reference_type":"","scores":[{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.21818","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22017","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22175","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22223","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22006","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22087","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22142","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.2216","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22119","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22059","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22058","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22051","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22004","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.21863","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.21851","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.21837","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.21745","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39899"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39899"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1z31-8t4f-hbes"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256749?format=json","vulnerability_id":"VCID-2smt-c8fa-5qhf","summary":"A potential DOS vulnerability was discovered in GitLab starting with version 9.1 that allowed parsing files without authorisation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39893","reference_id":"","reference_type":"","scores":[{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60364","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60218","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60294","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60319","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60287","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60337","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60353","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60374","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.6036","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60342","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60383","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60391","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.6038","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60357","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60371","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60359","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00395","scoring_system":"epss","scoring_elements":"0.60317","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39893"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39893"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2smt-c8fa-5qhf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256754?format=json","vulnerability_id":"VCID-4pa9-gyq6-u7ht","summary":"In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may lead to repudiation issues.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39896","reference_id":"","reference_type":"","scores":[{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41324","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.4155","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41638","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41666","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41593","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41643","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41652","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41675","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41628","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41676","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41649","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41574","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41467","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41464","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41386","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41254","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39896"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39896"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4pa9-gyq6-u7ht"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256746?format=json","vulnerability_id":"VCID-55t2-2xm4-eqdt","summary":"In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39891","reference_id":"","reference_type":"","scores":[{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.29534","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.30008","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.30047","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.30093","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.29906","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.29968","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.30003","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.29962","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.29913","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.29931","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.2991","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.29864","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.29786","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.29673","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.29613","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.29471","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39891"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39891"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-55t2-2xm4-eqdt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256727?format=json","vulnerability_id":"VCID-63cc-p6xr-qqcc","summary":"A stored Reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary javascript code.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39878","reference_id":"","reference_type":"","scores":[{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.39813","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40091","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40241","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40266","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40188","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40251","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40263","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40225","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40205","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40253","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40223","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40146","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.39972","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.39957","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.39877","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.39748","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39878"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39878"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-63cc-p6xr-qqcc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256714?format=json","vulnerability_id":"VCID-6y4r-d3eu-hqcp","summary":"In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39869","reference_id":"","reference_type":"","scores":[{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.47983","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.47985","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48023","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48044","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.47994","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48047","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.4804","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48065","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48041","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48053","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48105","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.481","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48056","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48037","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48049","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.47997","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.47916","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39869"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39869"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6y4r-d3eu-hqcp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256731?format=json","vulnerability_id":"VCID-7m1c-tbzh-fueb","summary":"In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39881","reference_id":"","reference_type":"","scores":[{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48504","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48511","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48546","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48569","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48521","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48575","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48571","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48593","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48566","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48578","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48629","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48624","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48582","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48526","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48442","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39881"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39881"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7m1c-tbzh-fueb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256711?format=json","vulnerability_id":"VCID-81kf-hxfb-n3fb","summary":"In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39867","reference_id":"","reference_type":"","scores":[{"value":"0.00145","scoring_system":"epss","scoring_elements":"0.34358","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00145","scoring_system":"epss","scoring_elements":"0.3464","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00145","scoring_system":"epss","scoring_elements":"0.34856","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00145","scoring_system":"epss","scoring_elements":"0.34883","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00145","scoring_system":"epss","scoring_elements":"0.3476","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00145","scoring_system":"epss","scoring_elements":"0.34804","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00145","scoring_system":"epss","scoring_elements":"0.34833","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00145","scoring_system":"epss","scoring_elements":"0.34839","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00145","scoring_system":"epss","scoring_elements":"0.348","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00145","scoring_system":"epss","scoring_elements":"0.34776","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00145","scoring_system":"epss","scoring_elements":"0.34811","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00145","scoring_system":"epss","scoring_elements":"0.34795","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00145","scoring_system":"epss","scoring_elements":"0.34755","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00145","scoring_system":"epss","scoring_elements":"0.34517","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00145","scoring_system":"epss","scoring_elements":"0.34497","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00145","scoring_system":"epss","scoring_elements":"0.34411","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00145","scoring_system":"epss","scoring_elements":"0.34287","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39867"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39867"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-81kf-hxfb-n3fb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256716?format=json","vulnerability_id":"VCID-9f4x-xbya-sqgu","summary":"In all versions of GitLab CE/EE since version 11.11, an instance that has the setting to disable Repo by URL import enabled is bypassed by an attacker making a crafted API call.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39870","reference_id":"","reference_type":"","scores":[{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.30918","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31384","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31521","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31563","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31381","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31434","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31465","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31468","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31425","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31389","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31422","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31402","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31373","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31204","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.3108","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31002","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.3085","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39870"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39870"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9f4x-xbya-sqgu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256739?format=json","vulnerability_id":"VCID-9tyu-gmse-f3cj","summary":"A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary JavaScript code on the victim's behalf.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39887","reference_id":"","reference_type":"","scores":[{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42038","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42251","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42326","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42354","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42296","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42344","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42351","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42374","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42337","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42309","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42359","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42335","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42262","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42194","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.4219","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42107","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.41964","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39887"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39887"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9tyu-gmse-f3cj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256723?format=json","vulnerability_id":"VCID-b4ff-s1xj-27fx","summary":"In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39875","reference_id":"","reference_type":"","scores":[{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53214","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53153","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53177","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53202","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53169","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53222","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53216","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53267","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53253","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53236","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53273","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53279","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.5326","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53231","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53243","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53205","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53163","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39875"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39875"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b4ff-s1xj-27fx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256725?format=json","vulnerability_id":"VCID-ccmp-4xq2-ayau","summary":"A vulnerability was discovered in GitLab starting with version 12.2 that allows an attacker to cause uncontrolled resource consumption with a specially crafted file.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39877","reference_id":"","reference_type":"","scores":[{"value":"0.00178","scoring_system":"epss","scoring_elements":"0.38956","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00178","scoring_system":"epss","scoring_elements":"0.39237","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00178","scoring_system":"epss","scoring_elements":"0.39405","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00178","scoring_system":"epss","scoring_elements":"0.39428","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00178","scoring_system":"epss","scoring_elements":"0.39343","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00178","scoring_system":"epss","scoring_elements":"0.39398","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00178","scoring_system":"epss","scoring_elements":"0.39415","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00178","scoring_system":"epss","scoring_elements":"0.39426","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00178","scoring_system":"epss","scoring_elements":"0.39387","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00178","scoring_system":"epss","scoring_elements":"0.39369","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00178","scoring_system":"epss","scoring_elements":"0.39421","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00178","scoring_system":"epss","scoring_elements":"0.39392","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00178","scoring_system":"epss","scoring_elements":"0.39306","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00178","scoring_system":"epss","scoring_elements":"0.39109","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00178","scoring_system":"epss","scoring_elements":"0.39091","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00178","scoring_system":"epss","scoring_elements":"0.39011","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00178","scoring_system":"epss","scoring_elements":"0.38884","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39877"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39877"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ccmp-4xq2-ayau"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256751?format=json","vulnerability_id":"VCID-ckry-v723-n7en","summary":"In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in Fogbugz importer which may be used by attackers to exploit Server Side Request Forgery attacks.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39894","reference_id":"","reference_type":"","scores":[{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37075","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37411","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37577","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37601","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37478","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37529","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37542","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37556","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37521","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37495","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37523","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37459","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37239","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37218","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37126","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37007","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39894"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39894"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ckry-v723-n7en"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256721?format=json","vulnerability_id":"VCID-dfrd-2pjx-4ba4","summary":"In all versions of GitLab CE/EE, there exists a content spoofing vulnerability which may be leveraged by attackers to trick users into visiting a malicious website by spoofing the content in an error response.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39873","reference_id":"","reference_type":"","scores":[{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.50905","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.5089","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.50944","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.50969","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.50927","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.50984","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.50981","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.51024","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.51003","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.50987","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.51031","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.51009","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.50957","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.50965","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.50926","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.50853","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39873"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39873"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dfrd-2pjx-4ba4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256759?format=json","vulnerability_id":"VCID-e49b-ph77-4kcp","summary":"Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39900","reference_id":"","reference_type":"","scores":[{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43141","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43296","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43353","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.4338","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43318","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.4337","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43385","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43405","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43373","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43358","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43417","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43406","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.4334","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43273","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43275","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43197","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00209","scoring_system":"epss","scoring_elements":"0.43064","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39900"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39900"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e49b-ph77-4kcp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256732?format=json","vulnerability_id":"VCID-n5mw-p57c-2ba3","summary":"In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39882","reference_id":"","reference_type":"","scores":[{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27541","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.28052","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.28124","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.28167","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27963","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.28031","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.28073","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.2808","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.28037","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.2798","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27988","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27971","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27922","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27838","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27726","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27652","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27481","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39882"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39882"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n5mw-p57c-2ba3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256719?format=json","vulnerability_id":"VCID-ncrc-1zac-tucd","summary":"In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39872","reference_id":"","reference_type":"","scores":[{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.43833","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44048","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44072","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44003","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44054","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44056","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44071","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44038","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44022","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44084","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44075","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44009","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.43961","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.43964","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.43879","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.43758","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39872"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39872"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ncrc-1zac-tucd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256738?format=json","vulnerability_id":"VCID-su9x-jz8t-h7bt","summary":"Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 allowing users to read confidential Epic references.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39886","reference_id":"","reference_type":"","scores":[{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.32889","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.3318","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33308","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.3334","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33173","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33216","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.3325","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33254","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33213","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33189","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.3323","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33207","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33171","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33024","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33007","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.32932","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.3282","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39886"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39886"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-su9x-jz8t-h7bt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256717?format=json","vulnerability_id":"VCID-ujgs-nnuc-mqe2","summary":"In all versions of GitLab CE/EE since version 13.0, an instance that has the setting to disable Bitbucket Server import enabled is bypassed by an attacker making a crafted API call.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39871","reference_id":"","reference_type":"","scores":[{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.30918","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31384","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31521","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31563","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31381","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31434","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31465","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31468","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31425","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31389","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31422","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31402","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31373","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31204","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.3108","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31002","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.3085","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39871"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39871"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ujgs-nnuc-mqe2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256722?format=json","vulnerability_id":"VCID-wg33-ddc8-t3h4","summary":"In all versions of GitLab CE/EE since version 11.0, the requirement to enforce 2FA is not honored when using git commands.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39874","reference_id":"","reference_type":"","scores":[{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48532","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48538","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48574","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48597","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48549","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48603","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48599","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.4862","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48593","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48606","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48656","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48651","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48608","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48604","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48554","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.4847","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39874"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39874"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wg33-ddc8-t3h4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256728?format=json","vulnerability_id":"VCID-wnjn-b16y-mfdg","summary":"Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39879","reference_id":"","reference_type":"","scores":[{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.3112","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.316","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31733","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31777","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31596","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31648","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31678","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31683","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31642","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31606","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.3164","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31618","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31586","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31408","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31283","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31203","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31051","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39879"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39879"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wnjn-b16y-mfdg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256748?format=json","vulnerability_id":"VCID-y355-57xu-4bet","summary":"In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don't have a maintainer role on and disclose email addresses of those users.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39892","reference_id":"","reference_type":"","scores":[{"value":"0.00297","scoring_system":"epss","scoring_elements":"0.52982","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00297","scoring_system":"epss","scoring_elements":"0.5294","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00297","scoring_system":"epss","scoring_elements":"0.52965","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00297","scoring_system":"epss","scoring_elements":"0.5299","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00297","scoring_system":"epss","scoring_elements":"0.52958","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00297","scoring_system":"epss","scoring_elements":"0.53009","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00297","scoring_system":"epss","scoring_elements":"0.53002","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00297","scoring_system":"epss","scoring_elements":"0.53052","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00297","scoring_system":"epss","scoring_elements":"0.53036","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00297","scoring_system":"epss","scoring_elements":"0.53019","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00297","scoring_system":"epss","scoring_elements":"0.53056","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00297","scoring_system":"epss","scoring_elements":"0.53063","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00297","scoring_system":"epss","scoring_elements":"0.53045","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00297","scoring_system":"epss","scoring_elements":"0.53012","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00297","scoring_system":"epss","scoring_elements":"0.53021","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00297","scoring_system":"epss","scoring_elements":"0.52981","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00297","scoring_system":"epss","scoring_elements":"0.52931","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39892"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39892"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y355-57xu-4bet"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256712?format=json","vulnerability_id":"VCID-y8p4-aqpq-ykbk","summary":"In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39868","reference_id":"","reference_type":"","scores":[{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52572","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52519","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52565","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52591","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52558","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52609","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52604","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52654","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52637","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52623","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52661","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52668","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52652","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52603","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52614","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52577","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52518","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39868"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39868"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y8p4-aqpq-ykbk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/256744?format=json","vulnerability_id":"VCID-z4ez-3sgx-ybb8","summary":"It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39890","reference_id":"","reference_type":"","scores":[{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18504","published_at":"2026-05-07T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18788","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18926","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18979","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18702","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18782","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18836","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18841","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18795","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18743","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18692","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18704","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18723","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.1861","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18588","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18547","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18419","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39890"},{"reference_url":"https://security.archlinux.org/AVG-2431","reference_id":"AVG-2431","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2431"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371897?format=json","purl":"pkg:alpm/archlinux/gitlab@14.3.1-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}],"aliases":["CVE-2021-39890"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z4ez-3sgx-ybb8"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.3.1-1"}