Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

backstage — Vulnerabilities & Security Advisories 24

All 24 CVE vulnerabilities found in backstage, with AI-generated Chinese analysis, references, and POCs.

Vendor: backstage

CVE IDTitleCVSSSeverityPublished
CVE-2026-29186 @backstage/plugin-techdocs-node: TechDocs Mkdocs Configuration Key Enables Arbitrary Code Execution CWE-434 7.7 High2026-03-07
CVE-2026-29184 @backstage/plugin-scaffolder-backend: Potential Session Token Exfiltration via Log Redaction Bypass CWE-532 2.0 Low2026-03-07
CVE-2026-29185 @backstage/integration: Potential reading of SCM URLs using built in token CWE-22 2.7 Low2026-03-07
CVE-2026-25152 @backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator CWE-22 5.3 Medium2026-01-30
CVE-2026-25153 @backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks CWE-94 7.7 High2026-01-30
CVE-2026-24048 Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow` CWE-918 3.5 Low2026-01-21
CVE-2026-24047 @backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass CWE-59 6.3 Medium2026-01-21
CVE-2026-24046 Backstage has a Possible Symlink Path Traversal in Scaffolder Actions CWE-22 7.1 High2026-01-21
CVE-2025-55285 @backstage/plugin-scaffolder-backend Template Secret Leakage in Logs in Scaffolder When Using `fetch:template` CWE-532 2.6 Low2025-08-15
CVE-2025-32791 Permission policy information leakage in Backstage permission system CWE-213 4.3 Medium2025-04-16
CVE-2024-53983 Server-side request forgery in Backstage Scaffolder plugin CWE-918 5.4 Medium2024-11-29
CVE-2024-47762 Unexpected visibility of environment variable configurations in @backstage/plugin-app-backend CWE-440 5.8 Medium2024-10-03
CVE-2024-45815 Prototype pollution in @backstage/plugin-catalog-backend CWE-1321 6.5 Medium2024-09-17
CVE-2024-45816 Storage bucket Directory Traversal in @backstage/plugin-techdocs-backend CWE-23 6.5 Medium2024-09-17
CVE-2024-46976 Circumvention of cross site scripting Protection in @backstage/plugin-techdocs-backend CWE-693 6.5 Medium2024-09-17
CVE-2024-26150 `@backstage/backend-common` vulnerable to path traversal through symlinks CWE-22 8.7 High2024-02-23
CVE-2023-35926 Insecure sandbox in Backstage Scaffolder plugin CWE-94 8.1 High2023-06-22
CVE-2023-25571 Backstage has XSS Vulnerability in Software Catalog CWE-84 6.8 Medium2023-02-14
CVE-2021-43783 Path Traversal in @backstage/plugin-scaffolder-backend CWE-22 8.5 High2021-11-29
CVE-2021-43776 XSS vulnerability in @backstage/plugin-auth-backend CWE-79 7.4 High2021-11-26
CVE-2021-41151 Path Traversal in @backstage/plugin-scaffolder-backend CWE-22 6.8 Medium2021-10-18
CVE-2021-32662 TechDocs mkdocs.yml path traversal CWE-22 6.5 Medium2021-06-03
CVE-2021-32661 TechDocs object element script injection CWE-77 6.8 Medium2021-06-03
CVE-2021-32660 TechDocs content sanitization bypass CWE-77 6.8 Medium2021-06-03

All 24 known CVE vulnerabilities affecting backstage with full Chinese analysis, references, and POCs where available.