15 matches found
Permissive List of Allowed Inputs
Overview: @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs, to be shared between the techdocs-backend plugin and techdocs-cli. Affected versions of this package are vulnerable to Permissive List of Allowed Inputs via the processing of the mkdocs.yml configuration file...
@backstage/plugin-search-backend-module-techdocs (>=0.0.0-nightly-20230323021924 <=0.4.9-next.1), @backstage/plugin-techdocs-backend (>=0.0.0-nightly-20220305022735 <=2.1.4-next.2) +2 more potentially affected by CVE-2026-25153 via @backstage/plugin-techdocs-node (>=0.0.0-nightly-20220315022536 <=1.13.11-next.0)
@backstage/plugin-techdocs-node NPM version =0.0.0-nightly-20220315022536, =0.0.0-nightly-20230323021924, =0.0.0-nightly-20220305022735, =0.0.0-nightly-20220305022735, =0.0.0-nightly-20220305022735, =1.10.4-next.2 Source cves: CVE-2026-25153 Source advisory: OSV:GHSA-6JR7-99PF-8VGF...
@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks
Impact: When TechDocs is configured with runIn: local, a malicious actor who can submit or modify a repository's mkdocs.yml file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. Patches: Upgrade to @backstage/plugin-techdocs-node version 1.13.11, 1.14.1...
GHSA-6JR7-99PF-8VGF @backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks
Impact: When TechDocs is configured with runIn: local, a malicious actor who can submit or modify a repository's mkdocs.yml file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. Patches: Upgrade to @backstage/plugin-techdocs-node version 1.13.11, 1.14.1...
@backstage/plugin-search-backend-module-techdocs (>=0.0.0-nightly-20230323021924 <=0.4.9-next.1), @backstage/plugin-techdocs-backend (>=0.0.0-nightly-20220305022735 <=2.1.4-next.2) +2 more potentially affected by CVE-2026-25152 via @backstage/plugin-techdocs-node (>=0.0.0-nightly-20220315022536 <=1.13.11-next.0)
@backstage/plugin-techdocs-node NPM version =0.0.0-nightly-20220315022536, =0.0.0-nightly-20230323021924, =0.0.0-nightly-20220305022735, =0.0.0-nightly-20220305022735, =0.0.0-nightly-20220305022735, =1.10.4-next.2 Source cves: CVE-2026-25152 Source advisory: OSV:GHSA-W669-JJ7H-88M9...
CVE-2026-25152
Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, a path traversal vulnerability in the TechDocs local generator allow...
CVE-2026-25153
Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with runIn: local, a malicious actor who...
CVE-2026-25152
The CVE-2026-25152 entry concerns the Backstage @backstage/plugin-techdocs-node, where versions before 1.13.11 and 1.14.1 allow path traversal via the TechDocs local generator when techdocs.generator.runIn is set to local. This permits reading arbitrary host files as MkDocs follows symlinks in do...
@backstage/plugin-search-backend-module-techdocs (>=0.4.9-next.0 <=0.4.9-next.1), @backstage/plugin-techdocs-backend (>=0.0.0-nightly-20251222025103 <=2.1.4-next.2) +2 more potentially affected by CVE-2026-25152 via @backstage/plugin-techdocs-node (>=1.0.0 <=1.13.11-next.0)
@backstage/plugin-techdocs-node NPM version =1.0.0, =0.4.9-next.0, =0.0.0-nightly-20251222025103, =0.11.13, =0.0.0-nightly-20241120023536, =1.10.4-next.2 Source cves: CVE-2026-25152 Source advisory: SNYK:JS-BACKSTAGEPLUGINTECHDOCSNODE-15166605...
CVE-2026-25152 @backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator
Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, a path traversal vulnerability in the TechDocs local generator allow...
CVE-2026-25153
In CVE-2026-25153, versions of @backstage/plugin-techdocs-node before 1.13.11 and before 1.14.1 are vulnerable when TechDocs runs with runIn: local. A malicious actor who can submit or modify a repository’s mkdocs.yml can cause arbitrary Python code execution on the TechDocs build server via MkDo...
Arbitrary Code Injection
Overview: @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs, to be shared between the techdocs-backend plugin and techdocs-cli. Affected versions of this package are vulnerable to Arbitrary Code Injection via the processing of MkDocs hooks, when TechDocs is configured wit...
EUVD-2026-5004
Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with runIn: local, a malicious actor who...
@backstage/plugin-search-backend-module-techdocs (>=0.4.9-next.0 <=0.4.9-next.1), @backstage/plugin-techdocs-backend (>=0.0.0-nightly-20251222025103 <=2.1.4-next.2) +2 more potentially affected by CVE-2026-25153 via @backstage/plugin-techdocs-node (>=1.0.0 <=1.13.11-next.0)
@backstage/plugin-techdocs-node NPM version =1.0.0, =0.4.9-next.0, =0.0.0-nightly-20251222025103, =0.11.13, =0.0.0-nightly-20241120023536, =1.10.4-next.2 Source cves: CVE-2026-25153 Source advisory: SNYK:JS-BACKSTAGEPLUGINTECHDOCSNODE-15166604...
@backstage-community/plugin-techdocs-backend-module-confluence (>=0.2.0 <=0.2.1), @backstage/plugin-search-backend-module-techdocs (>=0.0.0-nightly-20230323021924 <=0.4.14-next.1) +12 more potentially affected by unknown CVE via @backstage/plugin-techdocs-node (>=0.0.0-nightly-20220315022536 <=1.1.2-next.2)
@backstage/plugin-techdocs-node NPM version =0.0.0-nightly-20220315022536, =0.2.0, =0.0.0-nightly-20230323021924, =0.0.0-nightly-202111212297, =0.0.0-nightly-20220305022735, =1.0.0, =1.6.0, =0.0.4, =1.9.1, =1.0.1, =1.0.1, =0.0.0-nightly-2022122206, =0.1.5, =0.1.2, =1.1.0 Source cves: unknown CVE...