{"url":"http://public2.vulnerablecode.io/api/packages/372024?format=json","purl":"pkg:alpm/archlinux/gitlab@14.0.3-1","type":"alpm","namespace":"archlinux","name":"gitlab","version":"14.0.3-1","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"14.1.2-1","latest_non_vulnerable_version":"15.2.1-1","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/240524?format=json","vulnerability_id":"VCID-55tn-dhah-8fak","summary":"A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22224","reference_id":"","reference_type":"","scores":[{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59025","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.58961","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59036","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59058","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59023","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59074","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.5908","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59099","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59081","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59062","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59097","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59101","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59061","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59078","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59065","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22224"},{"reference_url":"https://security.archlinux.org/ASA-202107-18","reference_id":"ASA-202107-18","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202107-18"},{"reference_url":"https://security.archlinux.org/AVG-2125","reference_id":"AVG-2125","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2125"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372024?format=json","purl":"pkg:alpm/archlinux/gitlab@14.0.3-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.0.3-1"}],"aliases":["CVE-2021-22224"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-55tn-dhah-8fak"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/240525?format=json","vulnerability_id":"VCID-64wb-wrxa-afb2","summary":"Insufficient input sanitization in markdown in GitLab version 13.11 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22225","reference_id":"","reference_type":"","scores":[{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.3287","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33232","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33366","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33398","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33276","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.3331","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33314","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33273","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33249","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33288","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33265","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33229","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33081","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33064","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.32988","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22225"},{"reference_url":"https://security.archlinux.org/ASA-202107-18","reference_id":"ASA-202107-18","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202107-18"},{"reference_url":"https://security.archlinux.org/AVG-2125","reference_id":"AVG-2125","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2125"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372024?format=json","purl":"pkg:alpm/archlinux/gitlab@14.0.3-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.0.3-1"}],"aliases":["CVE-2021-22225"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-64wb-wrxa-afb2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11172?format=json","vulnerability_id":"VCID-a1z8-2fdu-1uhd","summary":"Arbitrary Code Execution in Rdoc\nIn RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-31799.json","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-31799.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-31799","reference_id":"","reference_type":"","scores":[{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57573","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57486","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57555","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57535","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57577","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57599","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57463","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57547","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57602","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57596","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57595","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57615","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.576","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57567","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57543","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-31799"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28965","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28965"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31799","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31799"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31810","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31810"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32066","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32066"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41817","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41817"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41819","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41819"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/ruby/rdoc","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ruby/rdoc"},{"reference_url":"https://github.com/ruby/rdoc/commit/a7f5d6ab88632b3b482fe10611382ff73d14eed7","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ruby/rdoc/commit/a7f5d6ab88632b3b482fe10611382ff73d14eed7"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html","reference_id":"","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:16:06Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html"},{"reference_url":"https://security.gentoo.org/glsa/202401-05","reference_id":"","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:16:06Z/"}],"url":"https://security.gentoo.org/glsa/202401-05"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210902-0004","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210902-0004"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:16:06Z/"}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc"},{"reference_url":"https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3","scoring_elements":""},{"value":"7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:16:06Z/"}],"url":"https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1980132","reference_id":"1980132","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1980132"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990815","reference_id":"990815","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990815"},{"reference_url":"https://security.archlinux.org/ASA-202107-18","reference_id":"ASA-202107-18","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202107-18"},{"reference_url":"https://security.archlinux.org/AVG-1901","reference_id":"AVG-1901","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1901"},{"reference_url":"https://security.archlinux.org/AVG-1905","reference_id":"AVG-1905","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1905"},{"reference_url":"https://security.archlinux.org/AVG-1906","reference_id":"AVG-1906","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1906"},{"reference_url":"https://security.archlinux.org/AVG-2125","reference_id":"AVG-2125","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2125"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-31799","reference_id":"CVE-2021-31799","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-31799"},{"reference_url":"https://security-tracker.debian.org/tracker/CVE-2021-31799","reference_id":"CVE-2021-31799","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:16:06Z/"}],"url":"https://security-tracker.debian.org/tracker/CVE-2021-31799"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rdoc/CVE-2021-31799.yml","reference_id":"CVE-2021-31799.YML","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rdoc/CVE-2021-31799.yml"},{"reference_url":"https://github.com/advisories/GHSA-ggxm-pgc9-g7fp","reference_id":"GHSA-ggxm-pgc9-g7fp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ggxm-pgc9-g7fp"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3020","reference_id":"RHSA-2021:3020","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3020"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3559","reference_id":"RHSA-2021:3559","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3559"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3982","reference_id":"RHSA-2021:3982","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3982"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0543","reference_id":"RHSA-2022:0543","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0543"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0544","reference_id":"RHSA-2022:0544","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0544"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0581","reference_id":"RHSA-2022:0581","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0581"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0582","reference_id":"RHSA-2022:0582","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0582"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0672","reference_id":"RHSA-2022:0672","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0672"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0708","reference_id":"RHSA-2022:0708","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0708"},{"reference_url":"https://usn.ubuntu.com/5020-1/","reference_id":"USN-5020-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5020-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372024?format=json","purl":"pkg:alpm/archlinux/gitlab@14.0.3-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.0.3-1"}],"aliases":["CVE-2021-31799","GHSA-ggxm-pgc9-g7fp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a1z8-2fdu-1uhd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/240530?format=json","vulnerability_id":"VCID-ad6q-uvub-77ff","summary":"An issue has been discovered in GitLab affecting all versions before 13.11.6, all versions starting from 13.12 before 13.12.6, and all versions starting from 14.0 before 14.0.2. Improper access control allows unauthorised users to access project details using Graphql.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22228","reference_id":"","reference_type":"","scores":[{"value":"0.00231","scoring_system":"epss","scoring_elements":"0.45708","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00231","scoring_system":"epss","scoring_elements":"0.45843","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00231","scoring_system":"epss","scoring_elements":"0.45891","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00231","scoring_system":"epss","scoring_elements":"0.45911","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00231","scoring_system":"epss","scoring_elements":"0.45861","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00231","scoring_system":"epss","scoring_elements":"0.45917","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00231","scoring_system":"epss","scoring_elements":"0.45914","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00231","scoring_system":"epss","scoring_elements":"0.45937","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00231","scoring_system":"epss","scoring_elements":"0.45908","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00231","scoring_system":"epss","scoring_elements":"0.45915","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00231","scoring_system":"epss","scoring_elements":"0.45967","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00231","scoring_system":"epss","scoring_elements":"0.45962","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00231","scoring_system":"epss","scoring_elements":"0.45907","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00231","scoring_system":"epss","scoring_elements":"0.45856","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00231","scoring_system":"epss","scoring_elements":"0.45867","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00231","scoring_system":"epss","scoring_elements":"0.4581","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22228"},{"reference_url":"https://security.archlinux.org/ASA-202107-18","reference_id":"ASA-202107-18","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202107-18"},{"reference_url":"https://security.archlinux.org/AVG-2125","reference_id":"AVG-2125","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2125"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372024?format=json","purl":"pkg:alpm/archlinux/gitlab@14.0.3-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.0.3-1"}],"aliases":["CVE-2021-22228"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ad6q-uvub-77ff"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/240527?format=json","vulnerability_id":"VCID-ewf1-jsf4-nqe8","summary":"Under certain conditions, some users were able to push to protected branches that were restricted to deploy keys in GitLab CE/EE since version 13.9","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22226","reference_id":"","reference_type":"","scores":[{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.4059","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.40926","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.41008","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.4104","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.40965","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.41014","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.41022","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.41005","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.40989","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.41031","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.41002","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.40924","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.4083","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.40817","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.40733","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22226"},{"reference_url":"https://security.archlinux.org/ASA-202107-18","reference_id":"ASA-202107-18","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202107-18"},{"reference_url":"https://security.archlinux.org/AVG-2125","reference_id":"AVG-2125","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2125"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372024?format=json","purl":"pkg:alpm/archlinux/gitlab@14.0.3-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.0.3-1"}],"aliases":["CVE-2021-22226"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ewf1-jsf4-nqe8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/240531?format=json","vulnerability_id":"VCID-j2d6-26gv-j3f9","summary":"An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.8. Under a special condition it was possible to access data of an internal repository through project fork done by a project member.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22229","reference_id":"","reference_type":"","scores":[{"value":"0.002","scoring_system":"epss","scoring_elements":"0.41742","published_at":"2026-05-05T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42027","published_at":"2026-04-01T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42087","published_at":"2026-04-02T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42115","published_at":"2026-04-04T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42052","published_at":"2026-04-07T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42104","published_at":"2026-04-08T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42116","published_at":"2026-04-09T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42137","published_at":"2026-04-11T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.421","published_at":"2026-04-18T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42075","published_at":"2026-04-13T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42127","published_at":"2026-04-16T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.4203","published_at":"2026-04-21T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.41973","published_at":"2026-04-24T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.41967","published_at":"2026-04-26T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.41883","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22229"},{"reference_url":"https://security.archlinux.org/ASA-202107-18","reference_id":"ASA-202107-18","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202107-18"},{"reference_url":"https://security.archlinux.org/AVG-2125","reference_id":"AVG-2125","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2125"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372024?format=json","purl":"pkg:alpm/archlinux/gitlab@14.0.3-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.0.3-1"}],"aliases":["CVE-2021-22229"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j2d6-26gv-j3f9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/240534?format=json","vulnerability_id":"VCID-ktjp-pvqu-5yf7","summary":"A denial of service in user's profile page is found starting with GitLab CE/EE 8.0 that allows attacker to reject access to their profile page via using a specially crafted username.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22231","reference_id":"","reference_type":"","scores":[{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.5918","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.59104","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.59178","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.59202","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.59166","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.59217","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.5923","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.5925","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.59232","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.59214","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.59255","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.59237","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.59218","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.59223","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22231"},{"reference_url":"https://security.archlinux.org/ASA-202107-18","reference_id":"ASA-202107-18","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202107-18"},{"reference_url":"https://security.archlinux.org/AVG-2125","reference_id":"AVG-2125","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2125"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372024?format=json","purl":"pkg:alpm/archlinux/gitlab@14.0.3-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.0.3-1"}],"aliases":["CVE-2021-22231"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ktjp-pvqu-5yf7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/240528?format=json","vulnerability_id":"VCID-p3g7-kade-fqfq","summary":"A reflected cross-site script vulnerability in GitLab before versions 13.11.6, 13.12.6 and 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on their behalf if they clicked it","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22227","reference_id":"","reference_type":"","scores":[{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28128","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28691","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28773","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28821","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28628","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28693","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28732","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28737","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28645","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28664","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28639","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28591","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28477","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28364","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28289","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22227"},{"reference_url":"https://security.archlinux.org/ASA-202107-18","reference_id":"ASA-202107-18","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202107-18"},{"reference_url":"https://security.archlinux.org/AVG-2125","reference_id":"AVG-2125","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2125"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372024?format=json","purl":"pkg:alpm/archlinux/gitlab@14.0.3-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.0.3-1"}],"aliases":["CVE-2021-22227"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p3g7-kade-fqfq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/240535?format=json","vulnerability_id":"VCID-s41d-jhp9-ckae","summary":"HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22232","reference_id":"","reference_type":"","scores":[{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.31647","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.32175","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.32308","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.32347","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.32171","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.3222","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.32247","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.32248","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.3221","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.3218","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.32213","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.32193","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.32164","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.32002","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.31875","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.31793","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22232"},{"reference_url":"https://security.archlinux.org/ASA-202107-18","reference_id":"ASA-202107-18","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202107-18"},{"reference_url":"https://security.archlinux.org/AVG-2125","reference_id":"AVG-2125","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2125"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372024?format=json","purl":"pkg:alpm/archlinux/gitlab@14.0.3-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.0.3-1"}],"aliases":["CVE-2021-22232"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s41d-jhp9-ckae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/240523?format=json","vulnerability_id":"VCID-ye5q-51wd-53c5","summary":"Client-Side code injection through Feature Flag name in GitLab CE/EE starting with 11.9 allows a specially crafted feature flag name to PUT requests on behalf of other users via clicking on a link","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22223","reference_id":"","reference_type":"","scores":[{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.39772","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40114","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40264","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40289","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40211","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40275","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40286","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40249","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40229","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40276","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40245","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40169","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.39995","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.39981","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.399","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22223"},{"reference_url":"https://security.archlinux.org/ASA-202107-18","reference_id":"ASA-202107-18","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202107-18"},{"reference_url":"https://security.archlinux.org/AVG-2125","reference_id":"AVG-2125","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2125"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372024?format=json","purl":"pkg:alpm/archlinux/gitlab@14.0.3-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.0.3-1"}],"aliases":["CVE-2021-22223"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ye5q-51wd-53c5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/240537?format=json","vulnerability_id":"VCID-yq7h-64jj-wfcs","summary":"An information disclosure vulnerability in GitLab EE versions 13.10 and later allowed a user to read project details","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22233","reference_id":"","reference_type":"","scores":[{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.39948","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40285","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40351","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40376","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40301","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40352","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40364","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40375","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40337","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40318","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40365","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40333","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40256","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40178","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40165","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40084","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22233"},{"reference_url":"https://security.archlinux.org/AVG-2137","reference_id":"AVG-2137","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2137"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372024?format=json","purl":"pkg:alpm/archlinux/gitlab@14.0.3-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.0.3-1"}],"aliases":["CVE-2021-22233"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yq7h-64jj-wfcs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/240533?format=json","vulnerability_id":"VCID-yx48-ptwa-ukhh","summary":"Improper code rendering while rendering merge requests could be exploited to submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and later through 13.11.6, 13.12.6, and 14.0.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22230","reference_id":"","reference_type":"","scores":[{"value":"0.00196","scoring_system":"epss","scoring_elements":"0.41185","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00196","scoring_system":"epss","scoring_elements":"0.41486","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00196","scoring_system":"epss","scoring_elements":"0.41576","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00196","scoring_system":"epss","scoring_elements":"0.41604","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00196","scoring_system":"epss","scoring_elements":"0.41531","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00196","scoring_system":"epss","scoring_elements":"0.41581","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00196","scoring_system":"epss","scoring_elements":"0.4159","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00196","scoring_system":"epss","scoring_elements":"0.41611","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00196","scoring_system":"epss","scoring_elements":"0.41578","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00196","scoring_system":"epss","scoring_elements":"0.41564","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00196","scoring_system":"epss","scoring_elements":"0.4161","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00196","scoring_system":"epss","scoring_elements":"0.41585","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00196","scoring_system":"epss","scoring_elements":"0.41509","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00196","scoring_system":"epss","scoring_elements":"0.41401","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00196","scoring_system":"epss","scoring_elements":"0.41396","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00196","scoring_system":"epss","scoring_elements":"0.41318","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22230"},{"reference_url":"https://security.archlinux.org/ASA-202107-18","reference_id":"ASA-202107-18","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202107-18"},{"reference_url":"https://security.archlinux.org/AVG-2125","reference_id":"AVG-2125","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2125"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372024?format=json","purl":"pkg:alpm/archlinux/gitlab@14.0.3-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.0.3-1"}],"aliases":["CVE-2021-22230"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yx48-ptwa-ukhh"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@14.0.3-1"}