Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40backstage/plugin-catalog-backend-module-unprocessed@0.0.0-nightly-20250904023803

Type npm

Namespace @backstage

Name plugin-catalog-backend-module-unprocessed

Version 0.0.0-nightly-20250904023803

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 0.6.11

Latest_non_vulnerable_version 0.6.11

Affected_by_vulnerabilities

url VCID-x7sx-uebz-cfg2

vulnerability_id VCID-x7sx-uebz-cfg2

summary Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module. This is patched in @backstage/plugin-catalog-backend-module-unprocessed version 0.6.11, @backstage/plugin-catalog-unprocessed-entities-common version 0.0.15 and @backstage/plugin-catalog-unprocessed-entities version 0.2.30.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-44374.json

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-44374.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-44374

reference_id

reference_type

scores

value	0.00031
scoring_system	epss
scoring_elements	0.09556
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-44374

reference_url

https://github.com/backstage/backstage

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/backstage/backstage

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-44374

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-44374

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2477466
reference_id	2477466
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2477466

reference_url	https://github.com/advisories/GHSA-p7g9-rp3g-mgfg
reference_id	GHSA-p7g9-rp3g-mgfg
reference_type
scores
url	https://github.com/advisories/GHSA-p7g9-rp3g-mgfg

reference_url

https://github.com/backstage/backstage/security/advisories/GHSA-p7g9-rp3g-mgfg

reference_id

GHSA-p7g9-rp3g-mgfg

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T16:02:43Z/

url

https://github.com/backstage/backstage/security/advisories/GHSA-p7g9-rp3g-mgfg

fixed_packages

url	pkg:npm/%40backstage/plugin-catalog-backend-module-unprocessed@0.6.11
purl	pkg:npm/%40backstage/plugin-catalog-backend-module-unprocessed@0.6.11
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-catalog-backend-module-unprocessed@0.6.11

aliases CVE-2026-44374, GHSA-p7g9-rp3g-mgfg

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x7sx-uebz-cfg2

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-catalog-backend-module-unprocessed@0.0.0-nightly-20250904023803

Package Instance