backstage
DevTools & CI | commercial
Latest CVEs
The 15 most recently published vulnerabilities affecting backstage.
- CVE-2026-44374 | Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks | 4.3
- CVE-2026-32237 | @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint | 4.4
- CVE-2026-32236 | @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch | 7.5
- CVE-2026-32235 | @backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass | 5.9
- CVE-2026-29186 | @backstage/plugin-techdocs-node: TechDocs Mkdocs Configuration Key Enables Arbitrary Code Execution | 7.7
- CVE-2026-29184 | @backstage/plugin-scaffolder-backend: Potential Session Token Exfiltration via Log Redaction Bypass | 2.0
- CVE-2026-29185 | @backstage/integration: Potential reading of SCM URLs using built in token | 2.7
- CVE-2026-25152 | @backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator | 5.3
- CVE-2026-25153 | @backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks | 7.7
- CVE-2026-24048 | Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow` | 3.5
- CVE-2026-24047 | @backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass | 6.3
- CVE-2026-24046 | Backstage has a Possible Symlink Path Traversal in Scaffolder Actions | 7.1
- CVE-2025-55285 | @backstage/plugin-scaffolder-backend Template Secret Leakage in Logs in Scaffolder When Using `fetch:template` | 2.6
- CVE-2025-32791 | Permission policy information leakage in Backstage permission system | 4.3
- CVE-2024-53983 | Server-side request forgery in Backstage Scaffolder plugin | 5.4