4 matches found
ROOT-APP-NPM-CVE-2026-24046 CVE-2026-24046 in @rootio/backstage__backend-defaults - Patched by Root
Root has patched CVE-2026-24046 in the @rootio/backstagebackend-defaults package for Root:npm. Multiple fixed versions available...
@backstage/backend-defaults (>=0.15.3-next.0 <=0.16.0-next.2), @backstage/backend-dynamic-feature-service (>=0.7.10-next.0 <=0.8.0-next.2) +69 more potentially affected by CVE-2026-29185 via @backstage/integration (>=1.21.0-next.0 <=2.0.0-next.2)
@backstage/integration NPM version =1.21.0-next.0, =0.15.3-next.0, =0.7.10-next.0, =1.11.1-next.0, =0.5.9-next.0, =1.1.21-next.0, =0.15.1-next.0, =0.4.1-next.0, =0.5.1-next.0, =1.2.16-next.0, =0.13.5-next.0, =0.4.1-next.0, =0.3.8-next.0, =1.33.1-next.0, =3.5.0-next.0, =0.4.21-next.0, =0.4.21-next...
@alithya-oss/backstage-plugin-aws-apps-backend (=0.4.7), @alithya-oss/backstage-plugin-changelog-backend (=1.0.3) +165 more potentially affected by CVE-2026-24048 via @backstage/backend-defaults (>=0.0.0-nightly-20240929023448 <=0.12.1-next.1)
@backstage/backend-defaults NPM version =0.0.0-nightly-20240929023448, =1.0.7, =0.1.8, =0.3.10, =0.3.6, =0.1.0, =0.4.0, =4.6.0, =0.10.0, =0.12.0 and more Source cves: CVE-2026-24048 Source advisory: OSV:GHSA-Q2X5-4XJX-C6P9...
Server-side Request Forgery (SSRF)
Overview @backstage/backend-defaults is a Backend defaults used by Backstage backend apps Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the FetchUrlReader component that automatically follows HTTP redirects. An attacker can access internal or sensitive...