CVE-2026-44374
Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless o...
GHSA-P7G9-RP3G-MGFG Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks
Impact: The unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting...
@env-hopper/backend-core (>=2.0.1-alpha-20260224145405 <=2.0.1-alpha.3), @env-hopper/frontend-core (>=2.0.1-alpha <=2.0.1-alpha.11) +4 more potentially affected by CVE-2025-48054 via radashi (=12.5.0-beta.6d5c035)
radashi NPM version =12.5.0-beta.6d5c035 is affected by a known vulnerability. The following packages have a transitive dependency on radashi and may be impacted: - @env-hopper/backend-core =2.0.1-alpha-20260224145405, =2.0.1-alpha, =2.0.1-alpha-20260224145405, =0.0.1, =0.0.1, =0.0.1,...
CVE-2023-25571
Backstage is an open platform for building developer portals. @backstage/catalog-model prior to version 1.2.0, @backstage/core-components prior to 0.12.4, and @backstage/plugin-catalog-backend prior to 1.7.2 are affected by a cross-site scripting vulnerability. This vulnerability allows a malicio...
@backstage/plugin-catalog-backend Prototype Pollution vulnerability
Impact: A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. Patches: This has been fixed in the 1.26.0 release of the @backstage/plugin-catalog-backend...
GHSA-3X3F-JCP3-G22J @backstage/plugin-catalog-backend Prototype Pollution vulnerability
Impact: A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. Patches: This has been fixed in the 1.26.0 release of the @backstage/plugin-catalog-backend...
@backstage/backend-dynamic-feature-service (>=0.0.0-nightly-20240116021644 <=0.0.0-nightly-20260510031943), @backstage/plugin-catalog-backend-module-aws (>=0.0.0-nightly-20220219022334 <=0.1.2-next.0) +25 more potentially affected by CVE-2024-45815 via @backstage/plugin-catalog-backend (>=0.0.0-nightly-20220708025041 <=0.5.5)
@backstage/plugin-catalog-backend NPM version =0.0.0-nightly-20220708025041, =0.0.0-nightly-20240116021644, =0.0.0-nightly-20220219022334, =0.0.0-nightly-20220308022132, =0.0.0-nightly-20220311022539, =0.0.0-nightly-20220531024457, =0.0.0-nightly-20220810023539, =0.0.0-nightly-20220422024928,...
CVE-2024-45815 Prototype pollution in @backstage/plugin-catalog-backend
Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed in the 1.26.0 relea...
CVE-2024-45815 Prototype pollution in @backstage/plugin-catalog-backend
Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed in the 1.26.0 relea...
CVE-2024-45815
CVE-2024-45815 – Prototype Pollution in @backstage/plugin-catalog-backend Affects Backstage (specifically the catalog-backend plugin). A malicious actor with authenticated access to a Backstage instance using the catalog backend can interrupt the service by sending a specially crafted query to th...
PT-2024-9764 · Npm · @Backstage/Plugin-Catalog-Backend
Name of the Vulnerable Software and Affected Versions: @backstage/plugin-catalog-backend versions prior to 1.26.0 Description: A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed can interrupt the service using a specially crafted query to...
@aws/aws-config-catalog-module-for-backstage (>=0.1.0 <=0.2.0), @backstage-community/backstage-plugin-catalog-backend-module-mta-entity-provider (=0.3.0) +54 more potentially affected by CVE-2023-25571 via @backstage/plugin-catalog-backend (>=0.0.0-nightly-20220708025041 <=1.5.1)
@backstage/plugin-catalog-backend NPM version =0.0.0-nightly-20220708025041, =0.1.0, =0.4.0, =1.7.4, =1.0.3, =0.0.0-nightly-20240116021644, =0.0.0-nightly-20220219022334, =0.0.0-nightly-20220308022132, =0.0.0-nightly-20220311022539, =0.0.0-nightly-20220531024457, =0.0.0-nightly-20220810023539,...
backstage cross-site scripting vulnerability
backstage is an application. Backstage is an open platform for building developer portals. A security vulnerability exists in backstage catalog-model prior to 1.2.0, backstage core-components prior to 0.12.4, and backstage plugin-catalog-backend prior to 1.7.2 that originates from a vulnerability...