
4 matches found

Veracode
added 2026/02/11 8:46 a.m. | 7 views

Remote Code Execution (RCE)

@backstage/plugin-techdocs-node is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper sanitization of user-controlled mkdocs.yml configuration, specifically MkDocs hooks, when TechDocs is configured with runIn: local, which allows an attacker to execute arbitrary Python...

CVSS 8.8 | AI score 6.3 | EPSS 0.00357
Exploits 0 | References 3 | Affected Software 1
Github Security Blog
added 2026/02/02 8:19 p.m. | 8 views

@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks

Impact: When TechDocs is configured with runIn: local, a malicious actor who can submit or modify a repository's mkdocs.yml file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. Patches: Upgrade to @backstage/plugin-techdocs-node version 1.13.11, 1.14.1...

CVSS 8.8 | AI score 5.9 | EPSS 0.00357
Exploits 0 | References 3 | Affected Software 1
Snyk
added 2026/01/30 9:31 p.m. | 5 views

Arbitrary Code Injection

Overview: @backstage/plugin-techdocs-node provides common Node.js functionalities for TechDocs, to be shared between the techdocs-backend plugin and techdocs-cli. Affected versions of this package are vulnerable to Arbitrary Code Injection via the processing of MkDocs hooks, when TechDocs is configured wit...

CVSS 8.8 | AI score 6.2 | EPSS 0.00357
Exploits 0 | References 2
CVE
added 2026/01/30 9:31 p.m. | 19 views

CVE-2026-25153

In CVE-2026-25153, versions of @backstage/plugin-techdocs-node before 1.13.11 and before 1.14.1 are vulnerable when TechDocs runs with runIn: local. A malicious actor who can submit or modify a repository’s mkdocs.yml can cause arbitrary Python code execution on the TechDocs build server via MkDo...

CVSS 8.8 | AI score 6.2 | EPSS 0.00357
Exploits 0 | References 1 | Affected Software 1