PatchSiren

backstage CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM @backstage CVE published 2026-05-14

CVE-2026-44374

A missing authorization check in Backstage's unprocessed entities endpoints allows any authenticated user to read unprocessed entity records regardless of ownership. The vulnerability exists in the @backstage/plugin-catalog-backend-module-unprocessed package prior to version 0.6.11. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, un [truncated]

HIGH backstage CVE published 2026-03-07

CVE-2026-29186

CVE-2026-29186 is a high-severity configuration bypass vulnerability in the Backstage Plugin-Techdocs-Node. The vulnerability allows attackers to craft an mkdocs.yml file that causes arbitrary Python code execution, completely bypassing TechDocs' security controls. This issue has been patched in version 1.14.3. The vulnerability has a CVSS score of 7.7 and is considered high severity. The vulnerability wa [truncated]

HIGH backstage CVE published 2026-01-30

CVE-2026-25153

CVE-2026-25153 is a high-severity vulnerability in the Backstage developer portal framework. The vulnerability affects @backstage/plugin-techdocs-node versions prior to 1.13.11 and 1.14.1. An attacker can exploit this vulnerability by submitting or modifying a repository's mkdocs.yml file to execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. The fix introduces an al [truncated]

HIGH backstage CVE published 2026-01-21

CVE-2026-24046

CVE-2026-24046 is a high-severity vulnerability affecting Backstage, an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files, delete arbitrary files, and write files outside the work [truncated]