
backstage — Vulnerabilities & Security Advisories (24)

Browse all 24 CVE security advisories affecting backstage. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Backstage is an open-source developer portal platform that unifies internal developer tools and services under a single interface: a software catalog, documentation (TechDocs), software templates (the Scaffolder) and a plugin system that ties them together, which makes it a central hub for engineering teams. Twenty-four CVEs have been published against it, almost all in the plugin and backend packages rather than the frontend: the TechDocs and Scaffolder backends account for the majority, with the remainder in the catalog, auth, app and permission backends, the backend URL reader and the shared backend libraries. By CWE, the dominant class is path traversal (CWE-22, CWE-23, CWE-59) with nine advisories, several of them reachable through symlinks that defeat a purely lexical containment check in the backend's path-resolution helpers. Next come code execution and injection through TechDocs build configuration (mkdocs.yml keys and MkDocs hooks), the Scaffolder's template sandbox and TechDocs content handling (CWE-94, CWE-434, CWE-77); then cross-site scripting in the catalog, auth and TechDocs plugins, server-side request forgery in the Scaffolder and in `backend.reading.allow` handling, secret and configuration leakage through logs or exposed environment variables, a prototype pollution in the catalog backend and a policy information leak in the permission system. Severities range from Low to High; no entry is rated Critical. The pattern is consistent: user-supplied content (repositories, templates, documentation sources and the URLs they reference) is processed by backend plugins that hold filesystem and network access. Operators should treat Scaffolder templates and TechDocs sources as code, keep `backend.reading.allow` and integration tokens as narrow as possible, keep the shared backend packages current because path-safety fixes land there, and audit third-party plugins for the same input-handling mistakes.
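Nine of the twenty-four advisories below are path traversal, and three of their titles (CVE-2024-26150, CVE-2026-24046, CVE-2026-24047) name symlinks as the vector. The TypeScript below is an added illustration of that bug class; it is not Backstage's code and does not reproduce any of those advisories. `naiveSafeChildPath` (a hypothetical name) performs the lexical containment check that a symlink defeats, and `safeChildPath` (also hypothetical) canonicalises the longest existing prefix of the target with `realpath` before checking containment, rejects dangling links, and still permits a not-yet-existing file to be created under the root. `demo()` builds a constructed fixture in a temporary directory; no real repository, template or documentation tree is involved.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// True when `target` is `root` itself or lies beneath it, judged purely on the
// path strings (no filesystem access).
function isInside(root: string, target: string): boolean {
  const rel = path.relative(root, target);
  if (rel === "") return true;
  return !path.isAbsolute(rel) && rel.split(path.sep)[0] !== "..";
}

// Lexical check only (hypothetical helper): normalises "../" segments but never
// consults the filesystem, so a symlink inside `base` pointing outside it passes.
export function naiveSafeChildPath(base: string, child: string): string | null {
  const root = path.resolve(base);
  const target = path.resolve(root, child);
  return isInside(root, target) ? target : null;
}

// Canonicalise `p`: realpath the longest existing prefix (which follows any
// chain of symlinks), reject dangling links, then re-append the not-yet-existing
// tail so that a file about to be created can still be checked.
function canonicalize(p: string): string | null {
  const missing: string[] = [];
  let cur = p;
  for (;;) {
    let st: fs.Stats | null = null;
    try { st = fs.lstatSync(cur); } catch { st = null; }
    if (st !== null) {
      if (st.isSymbolicLink()) {
        try { fs.realpathSync(cur); } catch { return null; } // dangling link
      }
      break;
    }
    const parent = path.dirname(cur);
    if (parent === cur) return null; // reached the filesystem root without a match
    missing.unshift(path.basename(cur));
    cur = parent;
  }
  return path.join(fs.realpathSync(cur), ...missing);
}

// Hardened check (hypothetical helper): lexical containment first, then
// containment of the canonical, symlink-resolved path against the canonical root.
export function safeChildPath(base: string, child: string): string | null {
  const root = fs.realpathSync(path.resolve(base));
  const lexical = path.resolve(root, child);
  if (!isInside(root, lexical)) return null;
  const canonical = canonicalize(lexical);
  if (canonical === null) return null;
  return isInside(root, canonical) ? canonical : null;
}

// Constructed fixture: docs/ holds a legitimate page plus symlinks, one of which
// chains through another to a file outside docs/. Returns which checks pass.
export function demo(): Record<string, boolean> {
  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), "traversal-demo-"));
  const docs = path.join(tmp, "docs");
  try {
    fs.mkdirSync(docs);
    fs.writeFileSync(path.join(docs, "index.md"), "# hello\n");
    fs.writeFileSync(path.join(tmp, "secret.txt"), "token=constructed-value\n");
    fs.symlinkSync(path.join("..", "secret.txt"), path.join(docs, "leak")); // leak -> ../secret.txt
    fs.symlinkSync("leak", path.join(docs, "hop"));                         // hop -> leak -> ../secret.txt
    fs.symlinkSync("nowhere", path.join(docs, "dangling"));                 // points at nothing
    return {
      naiveRejectsDotDot: naiveSafeChildPath(docs, "../secret.txt") === null,
      naiveAcceptsSymlink: naiveSafeChildPath(docs, "leak") !== null,
      naiveAcceptsChain: naiveSafeChildPath(docs, "hop") !== null,
      hardenedRejectsDotDot: safeChildPath(docs, "../secret.txt") === null,
      hardenedRejectsSymlink: safeChildPath(docs, "leak") === null,
      hardenedRejectsChain: safeChildPath(docs, "hop") === null,
      hardenedRejectsDangling: safeChildPath(docs, "dangling") === null,
      hardenedAcceptsRegular: safeChildPath(docs, "index.md") !== null,
      hardenedAcceptsNewFile: safeChildPath(docs, path.join("guides", "new.md")) !== null,
    };
  } finally {
    fs.rmSync(tmp, { recursive: true, force: true });
  }
}

console.log(demo());
```

Run it with ts-node, or compile with tsc and run under Node; the console shows that the naive variant accepts both `leak` and the `hop` chain while the hardened variant rejects them and still accepts a regular file and a path that does not exist yet. The check is still subject to a time-of-check/time-of-use race if the tree can be modified between the check and the use, so the canonical path returned by the check should be the one passed to the subsequent open, and the tree should not be writable by whoever controls the input.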

All entries below affect the backstage product.

CVE ID | Title | CWE | CVSS | Severity | Published
--- | --- | --- | --- | --- | ---
CVE-2026-29186 | @backstage/plugin-techdocs-node: TechDocs Mkdocs Configuration Key Enables Arbitrary Code Execution | CWE-434 | 7.7 | High | 2026-03-07
CVE-2026-29184 | @backstage/plugin-scaffolder-backend: Potential Session Token Exfiltration via Log Redaction Bypass | CWE-532 | 2.0 | Low | 2026-03-07
CVE-2026-29185 | @backstage/integration: Potential reading of SCM URLs using built in token | CWE-22 | 2.7 | Low | 2026-03-07
CVE-2026-25152 | @backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator | CWE-22 | 5.3 | Medium | 2026-01-30
CVE-2026-25153 | @backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks | CWE-94 | 7.7 | High | 2026-01-30
CVE-2026-24048 | Backstage has a Possible SSRF when reading from allowed URLs in `backend.reading.allow` | CWE-918 | 3.5 | Low | 2026-01-21
CVE-2026-24047 | @backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass | CWE-59 | 6.3 | Medium | 2026-01-21
CVE-2026-24046 | Backstage has a Possible Symlink Path Traversal in Scaffolder Actions | CWE-22 | 7.1 | High | 2026-01-21
CVE-2025-55285 | @backstage/plugin-scaffolder-backend Template Secret Leakage in Logs in Scaffolder When Using `fetch:template` | CWE-532 | 2.6 | Low | 2025-08-15
CVE-2025-32791 | Permission policy information leakage in Backstage permission system | CWE-213 | 4.3 | Medium | 2025-04-16
CVE-2024-53983 | Server-side request forgery in Backstage Scaffolder plugin | CWE-918 | 5.4 | Medium | 2024-11-29
CVE-2024-47762 | Unexpected visibility of environment variable configurations in @backstage/plugin-app-backend | CWE-440 | 5.8 | Medium | 2024-10-03
CVE-2024-45815 | Prototype pollution in @backstage/plugin-catalog-backend | CWE-1321 | 6.5 | Medium | 2024-09-17
CVE-2024-45816 | Storage bucket Directory Traversal in @backstage/plugin-techdocs-backend | CWE-23 | 6.5 | Medium | 2024-09-17
CVE-2024-46976 | Circumvention of cross site scripting Protection in @backstage/plugin-techdocs-backend | CWE-693 | 6.5 | Medium | 2024-09-17
CVE-2024-26150 | `@backstage/backend-common` vulnerable to path traversal through symlinks | CWE-22 | 8.7 | High | 2024-02-23
CVE-2023-35926 | Insecure sandbox in Backstage Scaffolder plugin | CWE-94 | 8.1 | High | 2023-06-22
CVE-2023-25571 | Backstage has XSS Vulnerability in Software Catalog | CWE-84 | 6.8 | Medium | 2023-02-14
CVE-2021-43783 | Path Traversal in @backstage/plugin-scaffolder-backend | CWE-22 | 8.5 | High | 2021-11-29
CVE-2021-43776 | XSS vulnerability in @backstage/plugin-auth-backend | CWE-79 | 7.4 | High | 2021-11-26
CVE-2021-41151 | Path Traversal in @backstage/plugin-scaffolder-backend | CWE-22 | 6.8 | Medium | 2021-10-18
CVE-2021-32662 | TechDocs mkdocs.yml path traversal | CWE-22 | 6.5 | Medium | 2021-06-03
CVE-2021-32661 | TechDocs object element script injection | CWE-77 | 6.8 | Medium | 2021-06-03
CVE-2021-32660 | TechDocs content sanitization bypass | CWE-77 | 6.8 | Medium | 2021-06-03

This page lists every published CVE security advisory associated with backstage. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.