7 matches found
CVE-2026-32236 @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch
Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery SSRF vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial clientid...
@alithya-oss/backstage-plugin-aws-apps-backend (=0.4.7), @alithya-oss/backstage-plugin-changelog-backend (=1.0.3) +165 more potentially affected by CVE-2026-24048 via @backstage/backend-defaults (>=0.0.0-nightly-20240929023448 <=0.12.1-next.1)
@backstage/backend-defaults NPM version =0.0.0-nightly-20240929023448, =1.0.7, =0.1.8, =0.3.10, =0.3.6, =0.1.0, =0.4.0, =4.6.0, =0.10.0, =0.12.0 and more Source cves: CVE-2026-24048 Source advisory: SNYK:JS-BACKSTAGEBACKENDDEFAULTS-15064476...
UNIX Symbolic Link (Symlink) Following
Overview @backstage/backend-plugin-api is a Core API used by Backstage backend plugins Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following in the resolveSafeChildPath function, which relies on resolveRealPath. An attacker can access sensitive files outside the...
@alithya-oss/backstage-plugin-aws-apps-backend (=0.4.7), @alithya-oss/backstage-plugin-changelog-backend (=1.0.3) +165 more potentially affected by CVE-2026-24046 via @backstage/backend-defaults (>=0.0.0-nightly-20240929023448 <=0.12.1-next.1)
@backstage/backend-defaults NPM version =0.0.0-nightly-20240929023448, =1.0.7, =0.1.8, =0.3.10, =0.3.6, =0.1.0, =0.4.0, =4.6.0, =0.10.0, =0.12.0 and more Source cves: CVE-2026-24046 Source advisory: OSV:GHSA-RQ6Q-WR2Q-7PGP...
@alithya-oss/backstage-plugin-aws-apps-backend (=0.4.7), @alithya-oss/backstage-plugin-changelog-backend (=1.0.3) +165 more potentially affected by CVE-2026-24046 via @backstage/backend-defaults (>=0.0.0-nightly-20240929023448 <=0.12.1-next.1)
@backstage/backend-defaults NPM version =0.0.0-nightly-20240929023448, =1.0.7, =0.1.8, =0.3.10, =0.3.6, =0.1.0, =0.4.0, =4.6.0, =0.10.0, =0.12.0 and more Source cves: CVE-2026-24046 Source advisory: SNYK:JS-BACKSTAGEBACKENDDEFAULTS-15054278...
PT-2024-21301 · Npm · @Backstage/Backend-Common
Name of the Vulnerable Software and Affected Versions: @backstage/backend-common versions prior to 0.21.1 @backstage/backend-common versions prior to 0.20.2 @backstage/backend-common versions prior to 0.19.10 Description: The issue concerns the @backstage/backend-common library, where paths check...
@backstage/plugin-techdocs (>=0.0.0-nightly-2021242250 <=0.0.0-nightly-2020112923923), @backstage/plugin-techdocs-backend (>=0.0.0-nightly-2021112332 <=0.14.1) +1 more potentially affected by unknown CVE via @backstage/techdocs-common (>=0.0.0-nightly-20220923026 <=0.11.15)
@backstage/techdocs-common NPM version =0.0.0-nightly-20220923026, =0.0.0-nightly-2021242250, =0.0.0-nightly-2021112332, =0.0.0-nightly-2022122206, =0.8.16 Source cves: unknown CVE Source advisory: OSV:GHSA-4JQC-JVH2-PXG9...