Lucene search
+L

89 matches found

NVD
NVD
added 2026/03/12 7:16 p.m.4 views

CVE-2026-32237

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all...

6.5CVSS0.00242EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/12 6:38 p.m.4 views

CVE-2026-32237

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all...

4.4CVSS5.9AI score0.00242EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/12 6:38 p.m.4 views

CVE-2026-32237 @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all...

4.4CVSS5.9AI score0.00242EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/12 6:38 p.m.34 views

CVE-2026-32237 @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all...

4.4CVSS0.00242EPSS
Exploits0References2
CVE
CVE
added 2026/03/12 6:38 p.m.8 views

CVE-2026-32237

Backstage vulnerability CVE-2026-32237 affects the @backstage/plugin-scaffolder-backend prior to 3.1.5. Authenticated users with permission to run scaffolder dry-runs can access server-configured environment secrets via the dry-run API response; secrets are redacted in logs but not in all respons...

6.5CVSS5.9AI score0.00242EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/03/12 6:38 p.m.8 views

CVE-2026-32237 @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all...

4.4CVSS5.9AI score0.00242EPSS
Exploits0References4
EUVD
EUVD
added 2026/03/12 2:51 p.m.6 views

EUVD-2026-11675

@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint...

4.4CVSS5.8AI score0.00242EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/12 2:51 p.m.5 views

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Overview @backstage/plugin-scaffolder-backend is a The Backstage backend plugin that helps you create new things Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the dry-run endpoint when secrets configured in...

6.5CVSS5.9AI score0.00242EPSS
Exploits0References2
OSV
OSV
added 2026/03/12 2:51 p.m.5 views

GHSA-8WQ8-6859-QX77 @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

Impact Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured...

4.4CVSS5.9AI score0.00242EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/12 2:51 p.m.9 views

@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

Impact Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured...

6.5CVSS5.9AI score0.00242EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/12 12:0 a.m.7 views

PT-2026-25053

Name of the Vulnerable Software and Affected Versions Backstage versions prior to 3.1.5 Description Backstage is an open framework for building developer portals. Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through th...

6.5CVSS5.9AI score0.00242EPSS
Exploits0References10
EUVD
EUVD
added 2026/03/09 8:50 p.m.6 views

EUVD-2026-10357

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA Progressive Web App ZIP processing endpoint POST /api/pwa/process-zip allows an authenticated user with builder privileges to read arbitrary...

9.6CVSS5.9AI score0.00267EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/03/09 8:50 p.m.4 views

CVE-2026-30240 Budibase PWA ZIP Upload Path Traversal Allows Reading Arbitrary Server Files Including All Environment Secrets

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA Progressive Web App ZIP processing endpoint POST /api/pwa/process-zip allows an authenticated user with builder privileges to read arbitrary...

9.6CVSS5.9AI score0.00267EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/03/09 8:50 p.m.30 views

CVE-2026-30240 Budibase PWA ZIP Upload Path Traversal Allows Reading Arbitrary Server Files Including All Environment Secrets

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA Progressive Web App ZIP processing endpoint POST /api/pwa/process-zip allows an authenticated user with builder privileges to read arbitrary...

9.6CVSS0.00267EPSS
Exploits1References1
CVE
CVE
added 2026/03/09 8:50 p.m.18 views

CVE-2026-30240

Budibase PWA ZIP upload path traversal (CVE-2026-30240) affects Budibase 3.31.5 and earlier. Affected component: PWA ZIP processing endpoint at POST /api/pwa/process-zip. Root cause: unsanitized usage of path.join() with user-controlled input from icons.json inside the uploaded ZIP allowing an au...

9.6CVSS5.9AI score0.00267EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/03/09 8:50 p.m.16 views

CVE-2026-30240 Budibase PWA ZIP Upload Path Traversal Allows Reading Arbitrary Server Files Including All Environment Secrets

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA Progressive Web App ZIP processing endpoint POST /api/pwa/process-zip allows an authenticated user with builder privileges to read arbitrary...

9.6CVSS5.9AI score0.00267EPSS
Exploits1References3
OSV
OSV
added 2026/03/07 2:30 a.m.3 views

GHSA-H343-GG57-2Q67 OneUpTime's Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE

Summary OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape this.constructor.constructor, an...

9.9CVSS6.2AI score0.00387EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/02/26 10:36 p.m.2 views

CVE-2026-28216

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. user-environments.resolver.ts:82-109, updateUserEnvironment mutation uses @UseGuardsGqlAuthGuard but is missing the @GqlUser...

8.3CVSS5.8AI score0.00394EPSS
Exploits1References3Affected Software1
EUVD
EUVD
added 2026/02/26 10:36 p.m.7 views

EUVD-2026-8913

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. user-environments.resolver.ts:82-109, updateUserEnvironment mutation uses @UseGuardsGqlAuthGuard but is missing the @GqlUser...

8.3CVSS5.6AI score0.00394EPSS
Exploits1References2
EUVD
EUVD
added 2026/02/25 6:57 p.m.10 views

EUVD-2026-8646

Budibase: Remote Code Execution via Unsafe eval in View Filter Map Function Budibase Cloud...

9.9CVSS5.5AI score0.00335EPSS
Exploits1References5
Rows per page
Query Builder