PT-2026-23441
Name of the Vulnerable Software and Affected Versions: Backstage versions prior to 1.14.3. Description: Backstage, an open framework for building developer portals, contains a configuration bypass that can lead to arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlis...
Remote Code Execution (RCE)
@backstage/plugin-techdocs-node is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper sanitization of user-controlled mkdocs.yml configuration, specifically MkDocs hooks, when TechDocs is configured with runIn: local, which allows an attacker to execute arbitrary Python...
@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks
Impact: When TechDocs is configured with runIn: local, a malicious actor who can submit or modify a repository's mkdocs.yml file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. Patches: Upgrade to @backstage/plugin-techdocs-node version 1.13.11, 1.14.1...
GHSA-6JR7-99PF-8VGF @backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks
Impact: When TechDocs is configured with runIn: local, a malicious actor who can submit or modify a repository's mkdocs.yml file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. Patches: Upgrade to @backstage/plugin-techdocs-node version 1.13.11, 1.14.1...
CVE-2026-25153
In CVE-2026-25153, versions of @backstage/plugin-techdocs-node before 1.13.11 and before 1.14.1 are vulnerable when TechDocs runs with runIn: local. A malicious actor who can submit or modify a repository’s mkdocs.yml can cause arbitrary Python code execution on the TechDocs build server via MkDo...
EUVD-2026-5004
Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with runIn: local, a malicious actor who...
CVE-2026-25153 @backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks
Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with runIn: local, a malicious actor who...
Arbitrary Code Injection
Overview: @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs, to be shared between the techdocs-backend plugin and techdocs-cli. Affected versions of this package are vulnerable to Arbitrary Code Injection via the processing of MkDocs hooks, when TechDocs is configured wit...
PT-2026-5463
Name of the Vulnerable Software and Affected Versions: Backstage versions prior to 1.13.11 and versions prior to 1.14.1. Description: Backstage’s @backstage/plugin-techdocs-node component, used for TechDocs, is susceptible to remote code execution. When TechDocs is configured to run locally (runIn:...
Fedora: Security Advisory (FEDORA-2025-cb26113de5)
The remote host is missing an update for the...
Fedora: Security Advisory (FEDORA-2025-1b1bb708af)
The remote host is missing an update for the...
[SECURITY] Fedora 42 Update: python-mkdocs-include-markdown-plugin-7.2.0-1.fc42
This package provides an Mkdocs Markdown includer plugin...
[SECURITY] Fedora 43 Update: python-mkdocs-include-markdown-plugin-7.2.0-1.fc43
This package provides an Mkdocs Markdown includer plugin...
Fedora 42 : python-mkdocs-include-markdown-plugin (2025-cb26113de5)
The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-cb26113de5 advisory. v7.2.0 (New features): Add new argument order to sort multiple inclusions. v7.1.8 (Bug fixes): Escape substitution placeholders to prevent malformed...
Fedora 43 : python-mkdocs-include-markdown-plugin (2025-1b1bb708af)
The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-1b1bb708af advisory. v7.2.0 (New features): Add new argument order to sort multiple inclusions. v7.1.8 (Bug fixes): Escape substitution placeholders to prevent malformed...
Fedora 44 : python-mkdocs-include-markdown-plugin (2025-0ec38c29fa)
The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-0ec38c29fa advisory. Automatic update for python-mkdocs-include-markdown-plugin-7.2.0-1.fc44. Changelog: Mon Nov 24 2025 Michel Lind - 7.2.0-1: Update to 7.2.0; Resolves:...
CVE-2025-59940
mkdocs-include-markdown-plugin is an Mkdocs Markdown includer plugin. In versions 7.1.7 and below, there is a vulnerability where unvalidated input can collide with substitution placeholders. This issue is fixed in version 7.1.8. Mitigation: Mitigation for this issue is either not available or the...
CVE-2025-59940
mkdocs-include-markdown-plugin is an Mkdocs Markdown includer plugin. In versions 7.1.7 and below, there is a vulnerability where unvalidated input can collide with substitution placeholders. This issue is fixed in version 7.1.8...
CVE-2025-59940 mkdocs-include-markdown-plugin susceptible to unvalidated input colliding with substitution placeholders
mkdocs-include-markdown-plugin is an Mkdocs Markdown includer plugin. In versions 7.1.7 and below, there is a vulnerability where unvalidated input can collide with substitution placeholders. This issue is fixed in version 7.1.8...