diff --git a/go/github.com/cloudflare/cfrpki/validator/pki/CVE-2021-3907.yml b/go/github.com/cloudflare/cfrpki/validator/pki/CVE-2021-3907.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e8000495843c8dbabe9a7d1b01b83fbdb02c8ad6
--- /dev/null
+++ b/go/github.com/cloudflare/cfrpki/validator/pki/CVE-2021-3907.yml
@@ -0,0 +1,43 @@
+---
+identifier: "CVE-2021-3907"
+identifiers:
+- "GHSA-cqh2-vc2f-q4fh"
+- "CVE-2021-3907"
+package_slug: "go/github.com/cloudflare/cfrpki/validator/pki"
+title: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+description: "OctoRPKI does not escape a URI with a filename containing \"..\", this
+ allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa),
+ which would then be written to disk outside the base cache folder. This could allow
+ for remote code execution on the host machine OctoRPKI is running on."
+date: "2023-02-07"
+pubdate: "2021-11-10"
+affected_range: "<v1.4.3"
+fixed_versions:
+- "v1.4.3"
+affected_versions: "All versions before 1.4.3"
+not_impacted: "All versions starting from 1.4.3"
+solution: "Upgrade to version 1.4.3 or above."
+urls:
+- "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh"
+- "https://nvd.nist.gov/vuln/detail/CVE-2021-3907"
+- "https://www.debian.org/security/2021/dsa-5033"
+- "https://www.debian.org/security/2022/dsa-5041"
+- "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959"
+- "https://github.com/cloudflare/cfrpki/commit/eb9cc4db7b7b79e44f56dfaa959fccdfb2af8284"
+- "https://pkg.go.dev/vuln/GO-2022-0248"
+- "https://github.com/advisories/GHSA-cqh2-vc2f-q4fh"
+cvss_v2: "AV:N/AC:L/Au:N/C:P/I:P/A:P"
+cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+uuid: "650510cf-d3cd-4e20-bb2f-7fc5619a205e"
+cwe_ids:
+- "CWE-1035"
+- "CWE-22"
+- "CWE-78"
+- "CWE-937"
+versions:
+- number: "v1.4.3"
+ commit:
+ tags:
+ - "v1.4.3"
+ sha: "828f93020875c2a3fdd222b70e4756df0ef4e847"
+ timestamp: "20220214191058"
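Review bot: The `cwe_ids` list mixes weakness classes with classification buckets: CWE-22 and CWE-78 describe the path traversal and the command execution it enables, while CWE-1035 and CWE-937 are OWASP Top Ten "known vulnerable components" category entries that are commonly carried over from NVD rather than describing the flaw, so consumers that map CWE ids to remediation guidance get noise from them. Consider trimming the list to `- "CWE-22"` and `- "CWE-78"`, or adding a comment such as `# cwe_ids mirror the NVD assignment verbatim, including category entries` so the choice is deliberate. Separately, the keys `commit:`, `tags:`, `sha:` and `timestamp:` under `- number: "v1.4.3"` appear to be indented by a single space, shallower than `number` itself; if that is not an artifact of how the diff is rendered here, the mapping will fail to parse, and the block should be indented to align with `number` (two spaces) with the `tags` item nested a further two.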