{"url":"http://public2.vulnerablecode.io/api/packages/545459?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@0.0.0-nightly-202162222215","type":"npm","namespace":"@backstage","name":"plugin-scaffolder-backend","version":"0.0.0-nightly-202162222215","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.1.5","latest_non_vulnerable_version":"3.1.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45462?format=json","vulnerability_id":"VCID-1wux-ea8n-5ybq","summary":"Improper Control of Generation of Code ('Code Injection')\nBackstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. 
This vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-35926","reference_id":"","reference_type":"","scores":[{"value":"0.09147","scoring_system":"epss","scoring_elements":"0.92834","published_at":"2026-06-08T12:55:00Z"},{"value":"0.09147","scoring_system":"epss","scoring_elements":"0.92837","published_at":"2026-06-07T12:55:00Z"},{"value":"0.09147","scoring_system":"epss","scoring_elements":"0.9284","published_at":"2026-06-06T12:55:00Z"},{"value":"0.09147","scoring_system":"epss","scoring_elements":"0.92845","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-35926"},{"reference_url":"https://github.com/backstage/backstage","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage"},{"reference_url":"https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-05T17:47:53Z/"}],"url":"https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a"},{"reference_url":"https://github.com/backstage/backstage/releases/tag/v1.15.0","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.1","scoring_
system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-05T17:47:53Z/"}],"url":"https://github.com/backstage/backstage/releases/tag/v1.15.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-35926","reference_id":"CVE-2023-35926","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-35926"},{"reference_url":"https://github.com/advisories/GHSA-wg6p-jmpc-xjmr","reference_id":"GHSA-wg6p-jmpc-xjmr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wg6p-jmpc-xjmr"},{"reference_url":"https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr","reference_id":"GHSA-wg6p-jmpc-xjmr","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-05T17:47:53Z/"}],"url":"https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/65674?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@1.15.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fxng-gzcx-jyfq"},{"vulnerability":"VCID-nwgc-
2f7k-tkb2"},{"vulnerability":"VCID-rre5-kykz-pfg5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@1.15.0"}],"aliases":["CVE-2023-35926","GHSA-wg6p-jmpc-xjmr"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1wux-ea8n-5ybq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41779?format=json","vulnerability_id":"VCID-92tf-v163-93cm","summary":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\nA malicious actor with write access to a registered scaffolder template is able to manipulate the template in a way that writes files to arbitrary paths on the scaffolder-backend host instance. This vulnerability can in some situations also be exploited through user input when executing a template, meaning you do not need write access to the templates. This method will not allow the attacker to control the contents of the injected file however, unless the template is also crafted in a specific way that gives control of the file 
contents.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43783","reference_id":"","reference_type":"","scores":[{"value":"0.00398","scoring_system":"epss","scoring_elements":"0.6091","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00398","scoring_system":"epss","scoring_elements":"0.60938","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00398","scoring_system":"epss","scoring_elements":"0.60955","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00398","scoring_system":"epss","scoring_elements":"0.60966","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00398","scoring_system":"epss","scoring_elements":"0.60958","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43783"},{"reference_url":"https://github.com/backstage/backstage","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage"},{"reference_url":"https://github.com/backstage/backstage/commit/f9352ab606367cd9efc6ff048915c70ed3013b7f","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage/commit/f9352ab606367cd9efc6ff048915c70ed3013b7f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43783","reference_id":"CVE-2021-43783","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43783"},{"reference_url":"https://github.com/advisories/GHSA-mg3m-f475-28hv","reference_id":"GHSA-m
g3m-f475-28hv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mg3m-f475-28hv"},{"reference_url":"https://github.com/backstage/backstage/security/advisories/GHSA-mg3m-f475-28hv","reference_id":"GHSA-mg3m-f475-28hv","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage/security/advisories/GHSA-mg3m-f475-28hv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59687?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@0.15.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wux-ea8n-5ybq"},{"vulnerability":"VCID-fxng-gzcx-jyfq"},{"vulnerability":"VCID-nwgc-2f7k-tkb2"},{"vulnerability":"VCID-rre5-kykz-pfg5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@0.15.14"}],"aliases":["CVE-2021-43783","GHSA-mg3m-f475-28hv"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-92tf-v163-93cm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41785?format=json","vulnerability_id":"VCID-avu7-ky4n-h7cw","summary":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in 
@backstage/plugin-scaffolder-backend.","references":[{"reference_url":"https://github.com/backstage/backstage","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage"},{"reference_url":"https://github.com/advisories/GHSA-2g8g-63j4-9w3r","reference_id":"GHSA-2g8g-63j4-9w3r","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2g8g-63j4-9w3r"},{"reference_url":"https://github.com/backstage/backstage/security/advisories/GHSA-2g8g-63j4-9w3r","reference_id":"GHSA-2g8g-63j4-9w3r","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage/security/advisories/GHSA-2g8g-63j4-9w3r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59687?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@0.15.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wux-ea8n-5ybq"},{"vulnerability":"VCID-fxng-gzcx-jyfq"},{"vulnerability":"VCID-nwgc-2f7k-tkb2"},{"vulnerability":"VCID-rre5-kykz-pfg5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@0.15.14"}],"aliases":["GHSA-2g8g-63j4-9w3r","GMS-2021-21"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-avu7-ky4n-h7cw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50707?format=json","vulnerability_id":"VCID-fxng-gzcx-jyfq","summary":"@backstage/plugin-scaffolder-backend Vulnerable to Potential Session Token Exfiltration via Log Redaction Bypass\nA malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task 
event logs.\n\nThe attack requires:\n- The ability to register a template in the catalog\n- A victim who executes the malicious template","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29184.json","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29184.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29184","reference_id":"","reference_type":"","scores":[{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01086","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01093","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01091","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29184"},{"reference_url":"https://backstage.io/docs/overview/threat-model","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://backstage.io/docs/overview/threat-model"},{"reference_url":"https://backstage.io/docs/permissions/plugin-authors/01-setup","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://backstage.io/docs/permissions/plugin-authors/01-setup"},{"reference_url":"https://github.com/backstage/backstage","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_tex
tual","scoring_elements":""}],"url":"https://github.com/backstage/backstage"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445468","reference_id":"2445468","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445468"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29184","reference_id":"CVE-2026-29184","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29184"},{"reference_url":"https://github.com/advisories/GHSA-8qp7-fhr9-fw53","reference_id":"GHSA-8qp7-fhr9-fw53","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8qp7-fhr9-fw53"},{"reference_url":"https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53","reference_id":"GHSA-8qp7-fhr9-fw53","reference_type":"","scores":[{"value":"2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"2.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:14:42Z/"}],"url":"https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74478?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@3.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-45jv-kaa2-fub8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.1.4"}],"
aliases":["CVE-2026-29184","GHSA-8qp7-fhr9-fw53"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fxng-gzcx-jyfq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49787?format=json","vulnerability_id":"VCID-nwgc-2f7k-tkb2","summary":"Backstage has a Possible Symlink Path Traversal in Scaffolder Actions\nMultiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to:\n\n1. **Read arbitrary files** via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets)\n2. **Delete arbitrary files** via the `fs:delete` action by creating symlinks pointing outside the workspace\n3. **Write files outside the workspace** via archive extraction (tar/zip) containing malicious symlinks\n\nThis affects any Backstage deployment where users can create or execute Scaffolder 
templates.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24046.json","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24046.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24046","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.0632","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06383","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06374","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06366","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24046"},{"reference_url":"https://github.com/backstage/backstage","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage"},{"reference_url":"https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T15:09:21Z/"}],"url":"https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2431878","reference_id":"2431878","reference_type":"","sc
ores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2431878"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24046","reference_id":"CVE-2026-24046","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24046"},{"reference_url":"https://github.com/advisories/GHSA-rq6q-wr2q-7pgp","reference_id":"GHSA-rq6q-wr2q-7pgp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rq6q-wr2q-7pgp"},{"reference_url":"https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp","reference_id":"GHSA-rq6q-wr2q-7pgp","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T15:09:21Z/"}],"url":"https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6174","reference_id":"RHSA-2026:6174","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6174"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6802","reference_id":"RHSA-2026:6802","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6802"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73528?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@2.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fxng-gzcx-jyfq"}],"resource_url":"http://public2.vulnerablec
ode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@2.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/948652?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@3.0.0-next.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fxng-gzcx-jyfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.0.0-next.0"},{"url":"http://public2.vulnerablecode.io/api/packages/73529?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@3.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fxng-gzcx-jyfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.0.2"},{"url":"http://public2.vulnerablecode.io/api/packages/948656?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@3.1.0-next.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fxng-gzcx-jyfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.1.0-next.0"},{"url":"http://public2.vulnerablecode.io/api/packages/73530?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@3.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-45jv-kaa2-fub8"},{"vulnerability":"VCID-fxng-gzcx-jyfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.1.1"}],"aliases":["CVE-2026-24046","GHSA-rq6q-wr2q-7pgp"],"risk_score":4.1,"exploitability":"0.5","weighted_severity":"8.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nwgc-2f7k-tkb2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57870?format=json","vulnerability_id":"VCID-rre5-kykz-pfg5","summary":"Template Secret leakage in logs in Scaffolder when using `fetch:template`\nA logging flaw in Backstage Scaffolder’s `fetch:template` action up to 
`@backstage/plugin-scaffolder-backend` **2.1.0** may write template secrets to logs. The action emitted a duplicate, pre-redaction copy of input parameters, so values provided via the `{{ secrets }}` bag could appear in local/server logs when the action ran. Exploitation requires use of the `secrets` argument and access to Scaffolder/build logs; integrity and availability are unaffected.\n\n*   **Fix:** upgrade to `2.1.1`, which removes the duplicate log path and ensures secrets are redacted.\n*   **Mitigation:** avoid passing `{{ secrets }}` to `fetch:template` if upgrade is not possible.\n\n> Open an issue in the [Backstage repository](https://github.com/backstage/backstage)\n>\n> Visit our Discord, linked to in [Backstage README](https://github.com/backstage/backstage)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55285.json","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55285.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55285","reference_id":"","reference_type":"","scores":[{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.17066","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.16949","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.17026","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.17061","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55285"},{"reference_url":"https://github.com/backstage/backstage","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N"},{"value":"LOW","scoring_
system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage"},{"reference_url":"https://github.com/backstage/backstage/commit/c371f6fe12371de31dca537510e6653e287cdc2e","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-15T17:49:07Z/"}],"url":"https://github.com/backstage/backstage/commit/c371f6fe12371de31dca537510e6653e287cdc2e"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2388819","reference_id":"2388819","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2388819"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55285","reference_id":"CVE-2025-55285","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55285"},{"reference_url":"https://github.com/advisories/GHSA-3x3q-ghcp-whf7","reference_id":"GHSA-3x3q-ghcp-whf7","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3x3q-ghcp-whf7"},{"reference_url":"https://github.com/backstage/backstage/security/advisories/GHSA-3x3q-ghcp-whf7","reference_id":"GHSA-3x3q-ghcp-whf7","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-15T
17:49:07Z/"}],"url":"https://github.com/backstage/backstage/security/advisories/GHSA-3x3q-ghcp-whf7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86110?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@2.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fxng-gzcx-jyfq"},{"vulnerability":"VCID-nwgc-2f7k-tkb2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@2.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/843999?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@2.2.0-next.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fxng-gzcx-jyfq"},{"vulnerability":"VCID-nwgc-2f7k-tkb2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@2.2.0-next.0"}],"aliases":["CVE-2025-55285","GHSA-3x3q-ghcp-whf7"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rre5-kykz-pfg5"}],"fixing_vulnerabilities":[],"risk_score":"4.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@0.0.0-nightly-202162222215"}