{"url":"http://public2.vulnerablecode.io/api/packages/634474?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@1.2.0","type":"npm","namespace":"@backstage","name":"plugin-scaffolder-backend","version":"1.2.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.1.5","latest_non_vulnerable_version":"3.1.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/121486?format=json","vulnerability_id":"VCID-1v1x-ccrc-bqea","summary":"@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If ${{ secrets.x }} is not passed through to fetch:template there is no impact. This issue has been resolved in 2.1.1 of the scaffolder-backend plugin. A workaround for this issue involves Template Authors removing the use of ${{ secrets }} as an argument to 
fetch:template.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55285.json","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55285.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55285","reference_id":"","reference_type":"","scores":[{"value":"0.00194","scoring_system":"epss","scoring_elements":"0.41206","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00194","scoring_system":"epss","scoring_elements":"0.41373","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55285"},{"reference_url":"https://github.com/backstage/backstage","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55285","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55285"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2388819","reference_id":"2388819","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2388819"},{"reference_url":"https://github.com/backstage/backstage/commit/c371f6fe12371de31dca537510e6653e287cdc2e","reference_id":"c371f6fe12371de31dca537510e6653e287cdc2e","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_t
extual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-15T17:49:07Z/"}],"url":"https://github.com/backstage/backstage/commit/c371f6fe12371de31dca537510e6653e287cdc2e"},{"reference_url":"https://github.com/advisories/GHSA-3x3q-ghcp-whf7","reference_id":"GHSA-3x3q-ghcp-whf7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3x3q-ghcp-whf7"},{"reference_url":"https://github.com/backstage/backstage/security/advisories/GHSA-3x3q-ghcp-whf7","reference_id":"GHSA-3x3q-ghcp-whf7","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-15T17:49:07Z/"}],"url":"https://github.com/backstage/backstage/security/advisories/GHSA-3x3q-ghcp-whf7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377757?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@2.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4qeh-pyrt-zfat"},{"vulnerability":"VCID-t9gj-dq52-a3a3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@2.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/824719?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@2.2.0-next.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4qeh-pyrt-zfat"},{"vulnerability":"VCID-t9gj-dq52-a3a3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@2.2.0-next.0"}],"aliases":["CVE-2025-55285","GHSA-3x3q-ghcp-whf7"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1v1x-ccrc
-bqea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74130?format=json","vulnerability_id":"VCID-4qeh-pyrt-zfat","summary":"Backstage is an open framework for building developer portals. Prior to version 3.1.4, a malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task event logs. This issue has been patched in version 3.1.4.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29184.json","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29184.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29184","reference_id":"","reference_type":"","scores":[{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01086","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01084","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29184"},{"reference_url":"https://backstage.io/docs/overview/threat-model","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://backstage.io/docs/overview/threat-model"},{"reference_url":"https://backstage.io/docs/permissions/plugin-authors/01-setup","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://backstage.io/docs/permissions/plugin-authors/01-setup"},{"reference_url":"https://github.com/backstage/backstage","reference_id":"","reference_type":"","scores
":[{"value":"2.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445468","reference_id":"2445468","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445468"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29184","reference_id":"CVE-2026-29184","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29184"},{"reference_url":"https://github.com/advisories/GHSA-8qp7-fhr9-fw53","reference_id":"GHSA-8qp7-fhr9-fw53","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8qp7-fhr9-fw53"},{"reference_url":"https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53","reference_id":"GHSA-8qp7-fhr9-fw53","reference_type":"","scores":[{"value":"2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"2.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:14:42Z/"}],"url":"https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40227?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@3.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{
"vulnerability":"VCID-v5gp-72r8-3yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.1.4"}],"aliases":["CVE-2026-29184","GHSA-8qp7-fhr9-fw53"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4qeh-pyrt-zfat"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/137887?format=json","vulnerability_id":"VCID-kn33-aucx-bucn","summary":"Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities  that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. 
This vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-35926","reference_id":"","reference_type":"","scores":[{"value":"0.09147","scoring_system":"epss","scoring_elements":"0.92866","published_at":"2026-06-11T12:55:00Z"},{"value":"0.09147","scoring_system":"epss","scoring_elements":"0.92889","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-35926"},{"reference_url":"https://github.com/backstage/backstage","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-35926","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-35926"},{"reference_url":"https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a","reference_id":"fb7375507d56faedcb7bb3665480070593c8949a","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-05T17:47:53Z/"}],"url":"https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a"},{"reference_url":"https://github.com/advisories/GHSA-wg6p-jmpc-xjmr","reference_id":"
GHSA-wg6p-jmpc-xjmr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wg6p-jmpc-xjmr"},{"reference_url":"https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr","reference_id":"GHSA-wg6p-jmpc-xjmr","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-05T17:47:53Z/"}],"url":"https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr"},{"reference_url":"https://github.com/backstage/backstage/releases/tag/v1.15.0","reference_id":"v1.15.0","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-05T17:47:53Z/"}],"url":"https://github.com/backstage/backstage/releases/tag/v1.15.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381894?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@1.15.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1v1x-ccrc-bqea"},{"vulnerability":"VCID-4qeh-pyrt-zfat"},{"vulnerability":"VCID-t9gj-dq52-a3a3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@1.15.0"}],"aliases":["CVE-2
023-35926","GHSA-wg6p-jmpc-xjmr"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kn33-aucx-bucn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/83184?format=json","vulnerability_id":"VCID-t9gj-dq52-a3a3","summary":"Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets); delete arbitrary files via the `fs:delete` action by creating symlinks pointing outside the workspace, and write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; `@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some workarounds are available. 
Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates, restrict who can create and execute Scaffolder templates using the permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized environment with limited filesystem access.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24046.json","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24046.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24046","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06376","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06357","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24046"},{"reference_url":"https://github.com/backstage/backstage","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2431878","reference_id":"2431878","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2431878"},{"reference_url":"https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d","reference_id":"c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Tra
ck","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T15:09:21Z/"}],"url":"https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24046","reference_id":"CVE-2026-24046","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24046"},{"reference_url":"https://github.com/advisories/GHSA-rq6q-wr2q-7pgp","reference_id":"GHSA-rq6q-wr2q-7pgp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rq6q-wr2q-7pgp"},{"reference_url":"https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp","reference_id":"GHSA-rq6q-wr2q-7pgp","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T15:09:21Z/"}],"url":"https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6174","reference_id":"RHSA-2026:6174","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6174"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6802","reference_id":"RHSA-2026:6802","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6802"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38044?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@2.2.2","
is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4qeh-pyrt-zfat"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@2.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/930018?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@3.0.0-next.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4qeh-pyrt-zfat"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.0.0-next.0"},{"url":"http://public2.vulnerablecode.io/api/packages/38051?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@3.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4qeh-pyrt-zfat"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.0.2"},{"url":"http://public2.vulnerablecode.io/api/packages/930022?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@3.1.0-next.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4qeh-pyrt-zfat"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.1.0-next.0"},{"url":"http://public2.vulnerablecode.io/api/packages/38059?format=json","purl":"pkg:npm/%40backstage/plugin-scaffolder-backend@3.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4qeh-pyrt-zfat"},{"vulnerability":"VCID-v5gp-72r8-3yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.1.1"}],"aliases":["CVE-2026-24046","GHSA-rq6q-wr2q-7pgp"],"risk_score":4.1,"exploitability":"0.5","weighted_severity":"8.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t9gj-dq52-a3a3"}],"fixing_vulnerabilities":[],"risk_score":"4.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder
-backend@1.2.0"}