Lucene search
K

423 matches found

RedHat Linux
RedHat Linux
added 2026/04/07 1:22 p.m.5 views

Important: Red Hat Security Advisory: Red Hat Developer Hub 1.9.3 release.

Red Hat Developer Hub 1.9.3 has been released. Red Hat Developer Hub RHDH is Red Hat's enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters AKS, EKS, GKE. The core features of RHDH include a single...

9.8CVSS5.8AI score0.02591EPSS
Exploits8References20
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/03/18 12:40 p.m.4 views

Malicious code in backstage-plugin-wpe-catalog (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8ba337d37ef9344a2df43beb88ffec3f1061cba440eb4c4ed69798da6f3122b5 The package backstage-plugin-wpe-catalog was found to contain malicious code...

5.8AI score
Exploits0
OSV
OSV
added 2026/03/18 12:40 p.m.8 views

MAL-2026-1657 Malicious code in backstage-plugin-wpe-catalog (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8ba337d37ef9344a2df43beb88ffec3f1061cba440eb4c4ed69798da6f3122b5 The package backstage-plugin-wpe-catalog was found to contain malicious code...

5.8AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/03/12 11:18 p.m.3 views

CVE-2026-32235

An allowlist bypass flaw has been discovered in the npm @backstage/plugin-auth-backend package. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafted redirect URI can pass th...

5.9CVSS5.7AI score0.00139EPSS
Exploits0References4
NVD
NVD
added 2026/03/12 7:16 p.m.3 views

CVE-2026-32237

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all...

6.5CVSS0.00242EPSS
Exploits0References2
NVD
NVD
added 2026/03/12 7:16 p.m.7 views

CVE-2026-32236

Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery SSRF vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial clientid...

7.5CVSS0.00292EPSS
Exploits0References2
NVD
NVD
added 2026/03/12 7:16 p.m.5 views

CVE-2026-32235

Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents a...

5.9CVSS0.00139EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/12 6:38 p.m.31 views

CVE-2026-32237 @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all...

4.4CVSS0.00242EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/12 6:38 p.m.4 views

CVE-2026-32237

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all...

4.4CVSS5.9AI score0.00242EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/12 6:38 p.m.4 views

CVE-2026-32237 @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all...

4.4CVSS5.9AI score0.00242EPSS
Exploits0References2
CVE
CVE
added 2026/03/12 6:38 p.m.7 views

CVE-2026-32237

Backstage vulnerability CVE-2026-32237 affects the @backstage/plugin-scaffolder-backend prior to 3.1.5. Authenticated users with permission to run scaffolder dry-runs can access server-configured environment secrets via the dry-run API response; secrets are redacted in logs but not in all respons...

6.5CVSS5.9AI score0.00242EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/03/12 6:38 p.m.5 views

CVE-2026-32237 @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all...

4.4CVSS5.9AI score0.00242EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/03/12 6:37 p.m.25 views

CVE-2026-32236 @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch

Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery SSRF vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial clientid...

6.3CVSS0.00292EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/12 6:37 p.m.2 views

CVE-2026-32236 @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch

Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery SSRF vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial clientid...

6.3CVSS5.8AI score0.00292EPSS
Exploits0References2
CVE
CVE
added 2026/03/12 6:37 p.m.22 views

CVE-2026-32236

CVE-2026-32236 affects the Backstage npm package @backstage/plugin-auth-backend. The SSRF flaw occurs in the CIMD metadata fetch when auth.experimentalClientIdMetadataDocuments.enabled is true: the initial client_id hostname is validated against private IP ranges, but this validation isn’t enforc...

7.5CVSS5.8AI score0.00292EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/12 6:37 p.m.4 views

CVE-2026-32236

Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery SSRF vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial clientid...

5.8AI score0.00292EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/12 6:37 p.m.6 views

CVE-2026-32236 @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch

Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery SSRF vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial clientid...

5.8AI score0.00292EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/03/12 6:35 p.m.25 views

CVE-2026-32235 @backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass

Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents a...

5.9CVSS0.00139EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/12 6:35 p.m.3 views

CVE-2026-32235

Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents a...

5.9CVSS5.9AI score0.00139EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/03/12 6:35 p.m.17 views

CVE-2026-32235

Summary of CVE-2026-32235 (Backstage plugin-auth-backend) : The experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass before version 0.27.1. When experimental Dynamic Client Registration or Client ID Metadata Documents are enabled and allowe...

5.9CVSS5.9AI score0.00139EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder