{"url":"http://public2.vulnerablecode.io/api/packages/513528?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@0.0.0-nightly-2021101022158","type":"npm","namespace":"@backstage","name":"plugin-scaffolder-backend","version":"0.0.0-nightly-2021101022158","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.1.4","latest_non_vulnerable_version":"3.1.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42737?format=json","vulnerability_id":"VCID-5kzn-qtek-fkhv","summary":"Path Traversal in @backstage/plugin-scaffolder-backend\n### Impact\nA malicious actor with write access to a registered scaffolder template is able to manipulate the template in a way that writes files to arbitrary paths on the scaffolder-backend host instance.\n\nThis vulnerability can in some situation also be exploited through user input when executing a template, meaning you do not need write access to the templates. This method will not allow the attacker to control the contents of the injected file however, unless the template is also crafted in a specific way that gives control of the file contents.\n\n### Patches\nThis vulnerability is fixed in version `0.15.14` of the `@backstage/plugin-scaffolder-backend`.\n\n### Workarounds\nThis attack is mitigated by restricting access and requiring reviews when registering or modifying scaffolder templates.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Open an issue in the [Backstage repository](https://github.com/backstage/backstage)\n* Visit our chat, linked to in [Backstage 
README](https://github.com/backstage/backstage)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43783","reference_id":"","reference_type":"","scores":[{"value":"0.00398","scoring_system":"epss","scoring_elements":"0.60854","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43783"},{"reference_url":"https://github.com/backstage/backstage","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage"},{"reference_url":"https://github.com/backstage/backstage/commit/f9352ab606367cd9efc6ff048915c70ed3013b7f","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage/commit/f9352ab606367cd9efc6ff048915c70ed3013b7f"},{"reference_url":"https://github.com/backstage/backstage/security/advisories/GHSA-mg3m-f475-28hv","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage/security/advisories/GHSA-mg3m-f475-28hv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43783","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43783"},{"reference_url":"htt
ps://github.com/advisories/GHSA-mg3m-f475-28hv","reference_id":"GHSA-mg3m-f475-28hv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mg3m-f475-28hv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76958?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@0.15.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a2hm-4jf5-ubgw"},{"vulnerability":"VCID-gy5r-dw64-vqg2"},{"vulnerability":"VCID-r9xg-aa4a-xqhm"},{"vulnerability":"VCID-rpk9-81fg-9qd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@0.15.14"}],"aliases":["CVE-2021-43783","GHSA-mg3m-f475-28hv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5kzn-qtek-fkhv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18971?format=json","vulnerability_id":"VCID-a2hm-4jf5-ubgw","summary":"@backstage/plugin-scaffolder-backend: @backstage/plugin-scaffolder-backend Template Secret Leakage in 
Logs","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55285.json","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55285.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55285","reference_id":"","reference_type":"","scores":[{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15703","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55285"},{"reference_url":"https://github.com/backstage/backstage","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage"},{"reference_url":"https://github.com/backstage/backstage/commit/c371f6fe12371de31dca537510e6653e287cdc2e","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-15T17:49:07Z/"}],"url":"https://github.com/backstage/backstage/commit/c371f6fe12371de31dca537510e6653e287cdc2e"},{"reference_url":"https://github.com/backstage/backstage/security/advisories/GHSA-3x3q-ghcp-whf7","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-15T17:49:07Z/"}],"url":"ht
tps://github.com/backstage/backstage/security/advisories/GHSA-3x3q-ghcp-whf7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55285","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55285"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2388819","reference_id":"2388819","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2388819"},{"reference_url":"https://github.com/advisories/GHSA-3x3q-ghcp-whf7","reference_id":"GHSA-3x3q-ghcp-whf7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3x3q-ghcp-whf7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/808976?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@2.2.0-next.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-r9xg-aa4a-xqhm"},{"vulnerability":"VCID-rpk9-81fg-9qd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@2.2.0-next.0"},{"url":"http://public2.vulnerablecode.io/api/packages/64577?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@2.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-r9xg-aa4a-xqhm"},{"vulnerability":"VCID-rpk9-81fg-9qd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@2.1.1"}],"aliases":["CVE-2025-55285","GHSA-3x3q-ghcp-whf7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a2hm-4jf5-ubgw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38986?format=json","vulnerability_id":"VCID-gy5r-dw64-vqg2","summary":"Backstage Scaffolder plugin has insecure 
sandbox\nThe Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library.\n\n### Impact\n\nA malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data.\n\n### Patches\n\nThis vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.\n\n### Workarounds\n\nNote that the [Backstage Threat Model](https://backstage.io/docs/overview/threat-model) states that scaffolder templates are considered to be a sensitive area, with the recommendation that you control access and perform manual reviews of changes to the scaffolder templates.
The exploit is of a nature where it is easily discoverable in manual review.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-35926","reference_id":"","reference_type":"","scores":[{"value":"0.09147","scoring_system":"epss","scoring_elements":"0.9281","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-35926"},{"reference_url":"https://github.com/backstage/backstage","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage"},{"reference_url":"https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-05T17:47:53Z/"}],"url":"https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a"},{"reference_url":"https://github.com/backstage/backstage/releases/tag/v1.15.0","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-05T17:47:53Z/"}],"url":"https://github.com/backstage/backstage/releases/tag/v1.15.0"
},{"reference_url":"https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-05T17:47:53Z/"}],"url":"https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-35926","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-35926"},{"reference_url":"https://github.com/advisories/GHSA-wg6p-jmpc-xjmr","reference_id":"GHSA-wg6p-jmpc-xjmr","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-wg6p-jmpc-xjmr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72290?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@1.15.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a2hm-4jf5-ubgw"},{"vulnerability":"VCID-r9xg-aa4a-xqhm"},{"vulnerability":"VCID-rpk9-81fg-9qd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@1.15.0"}],"aliases":["CVE-2023-35926","GHSA-wg6p-jmpc-xjmr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gy5r-dw64-vqg2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42816?format=json","vulnerability_id":"VCID-ha26-cvww-jfd7","summary":"RCE 
vulnerability affecting v1beta3 templates in @backstage/plugin-scaffolder-backend\nThe templating library used by the scaffolder backend assumes that templates are trusted, which is an undesired property of the scaffolder-backend. This has now been mitigated by sandboxing the template code execution.\n\n### Impact\nA malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template yaml definition itself and not by user input data.\n\n### Patches\nThis vulnerability is patched in version `0.15.14` of `@backstage/plugin-scaffolder-backend`.\n\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Open an issue in the [Backstage repository](https://github.com/backstage/backstage)\n* Visit our chat, linked to in [Backstage README](https://github.com/backstage/backstage)","references":[{"reference_url":"https://github.com/backstage/backstage","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage"},{"reference_url":"https://github.com/backstage/backstage/security/advisories/GHSA-2g8g-63j4-9w3r","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage/security/advisories/GHSA-2g8g-63j4-9w3r"},{"reference_url":"https://github.com/advisories/GHSA-2g8g-63j4-9w3r","reference_id":"GHSA-2g8g-63j4-9w3r","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2g8g-63j4-9w3r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76958?format=json","purl":"pkg:npm/%40backstage/plugin-scaffo
lder-backend@0.15.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a2hm-4jf5-ubgw"},{"vulnerability":"VCID-gy5r-dw64-vqg2"},{"vulnerability":"VCID-r9xg-aa4a-xqhm"},{"vulnerability":"VCID-rpk9-81fg-9qd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@0.15.14"}],"aliases":["GHSA-2g8g-63j4-9w3r","GMS-2021-21"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ha26-cvww-jfd7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11383?format=json","vulnerability_id":"VCID-r9xg-aa4a-xqhm","summary":"backstage/backend-defaults: backstage/plugin-scaffolder-backend: backstage/plugin-scaffolder-node: possible symlink path traversal in scaffolder actions","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24046.json","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24046.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24046","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06521","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24046"},{"reference_url":"https://github.com/backstage/backstage","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage"},{"reference_url":"https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_s
ystem":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T15:09:21Z/"}],"url":"https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d"},{"reference_url":"https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T15:09:21Z/"}],"url":"https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24046","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24046"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2431878","reference_id":"2431878","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2431878"},{"reference_url":"https://github.com/advisories/GHSA-rq6q-wr2q-7pgp","reference_id":"GHSA-rq6q-wr2q-7pgp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rq6q-wr2q-7pgp"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6174","reference_id":"RHSA-2026:6174","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6174"},{"reference_url
":"https://access.redhat.com/errata/RHSA-2026:6802","reference_id":"RHSA-2026:6802","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6802"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/914285?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@3.0.0-next.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-rpk9-81fg-9qd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.0.0-next.0"},{"url":"http://public2.vulnerablecode.io/api/packages/914289?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@3.1.0-next.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-rpk9-81fg-9qd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.1.0-next.0"},{"url":"http://public2.vulnerablecode.io/api/packages/51818?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@2.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-rpk9-81fg-9qd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@2.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/51820?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@3.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-rpk9-81fg-9qd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.0.2"},{"url":"http://public2.vulnerablecode.io/api/packages/51822?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@3.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-rpk9-81fg-9qd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.1.1"}],"aliases":["CVE-2026-24046","GHSA-rq6q-wr2q-7pgp"],"risk_score
":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r9xg-aa4a-xqhm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8238?format=json","vulnerability_id":"VCID-rpk9-81fg-9qd8","summary":"@backstage/plugin-scaffolder-backend: Backstage Scaffolder Backend: Information disclosure via malicious template bypassing log redaction","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29184.json","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29184.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29184","reference_id":"","reference_type":"","scores":[{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01088","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29184"},{"reference_url":"https://backstage.io/docs/overview/threat-model","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://backstage.io/docs/overview/threat-model"},{"reference_url":"https://backstage.io/docs/permissions/plugin-authors/01-setup","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://backstage.io/docs/permissions/plugin-authors/01-setup"},{"reference_url":"https://github.com/backstage/backstage","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I
:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage"},{"reference_url":"https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53","reference_id":"","reference_type":"","scores":[{"value":"2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"2.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:14:42Z/"}],"url":"https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29184","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29184"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445468","reference_id":"2445468","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445468"},{"reference_url":"https://github.com/advisories/GHSA-8qp7-fhr9-fw53","reference_id":"GHSA-8qp7-fhr9-fw53","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8qp7-fhr9-fw53"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58064?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@3.1.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.1.4"}],"aliases":["CVE-202
6-29184","GHSA-8qp7-fhr9-fw53"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rpk9-81fg-9qd8"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@0.0.0-nightly-2021101022158"}