Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40backstage/plugin-scaffolder-backend@1.8.0-next.2
Type npm
Namespace @backstage
Name plugin-scaffolder-backend
Version 1.8.0-next.2
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.1.5
Latest_non_vulnerable_version 3.1.5
Affected_by_vulnerabilities
0
url VCID-1v1x-ccrc-bqea
vulnerability_id VCID-1v1x-ccrc-bqea
summary @backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If ${{ secrets.x }} is not passed through to fetch:template there is no impact. This issue has been resolved in 2.1.1 of the scaffolder-backend plugin. A workaround for this issue involves Template Authors removing the use of ${{ secrets }} being used as an argument to fetch:template.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55285.json
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55285.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-55285
reference_id
reference_type
scores
0
value 0.00194
scoring_system epss
scoring_elements 0.41206
published_at 2026-06-11T12:55:00Z
1
value 0.00194
scoring_system epss
scoring_elements 0.41373
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-55285
2
reference_url https://github.com/backstage/backstage
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/backstage/backstage
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-55285
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-55285
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2388819
reference_id 2388819
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2388819
5
reference_url https://github.com/backstage/backstage/commit/c371f6fe12371de31dca537510e6653e287cdc2e
reference_id c371f6fe12371de31dca537510e6653e287cdc2e
reference_type
scores
0
value 2.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-15T17:49:07Z/
url https://github.com/backstage/backstage/commit/c371f6fe12371de31dca537510e6653e287cdc2e
6
reference_url https://github.com/advisories/GHSA-3x3q-ghcp-whf7
reference_id GHSA-3x3q-ghcp-whf7
reference_type
scores
url https://github.com/advisories/GHSA-3x3q-ghcp-whf7
7
reference_url https://github.com/backstage/backstage/security/advisories/GHSA-3x3q-ghcp-whf7
reference_id GHSA-3x3q-ghcp-whf7
reference_type
scores
0
value 2.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-15T17:49:07Z/
url https://github.com/backstage/backstage/security/advisories/GHSA-3x3q-ghcp-whf7
fixed_packages
0
url pkg:npm/%40backstage/plugin-scaffolder-backend@2.1.1
purl pkg:npm/%40backstage/plugin-scaffolder-backend@2.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4qeh-pyrt-zfat
1
vulnerability VCID-t9gj-dq52-a3a3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@2.1.1
1
url pkg:npm/%40backstage/plugin-scaffolder-backend@2.2.0-next.0
purl pkg:npm/%40backstage/plugin-scaffolder-backend@2.2.0-next.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4qeh-pyrt-zfat
1
vulnerability VCID-t9gj-dq52-a3a3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@2.2.0-next.0
aliases CVE-2025-55285, GHSA-3x3q-ghcp-whf7
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1v1x-ccrc-bqea
1
url VCID-4qeh-pyrt-zfat
vulnerability_id VCID-4qeh-pyrt-zfat
summary Backstage is an open framework for building developer portals. Prior to version 3.1.4, a malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task event logs. This issue has been patched in version 3.1.4.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29184.json
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29184.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29184
reference_id
reference_type
scores
0
value 0.0001
scoring_system epss
scoring_elements 0.01086
published_at 2026-06-11T12:55:00Z
1
value 0.0001
scoring_system epss
scoring_elements 0.01084
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29184
2
reference_url https://backstage.io/docs/overview/threat-model
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://backstage.io/docs/overview/threat-model
3
reference_url https://backstage.io/docs/permissions/plugin-authors/01-setup
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://backstage.io/docs/permissions/plugin-authors/01-setup
4
reference_url https://github.com/backstage/backstage
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/backstage/backstage
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2445468
reference_id 2445468
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2445468
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29184
reference_id CVE-2026-29184
reference_type
scores
0
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29184
7
reference_url https://github.com/advisories/GHSA-8qp7-fhr9-fw53
reference_id GHSA-8qp7-fhr9-fw53
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8qp7-fhr9-fw53
8
reference_url https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53
reference_id GHSA-8qp7-fhr9-fw53
reference_type
scores
0
value 2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
1
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
2
value LOW
scoring_system cvssv3.1_qr
scoring_elements
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:14:42Z/
url https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53
fixed_packages
0
url pkg:npm/%40backstage/plugin-scaffolder-backend@3.1.4
purl pkg:npm/%40backstage/plugin-scaffolder-backend@3.1.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-v5gp-72r8-3yd4
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.1.4
aliases CVE-2026-29184, GHSA-8qp7-fhr9-fw53
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4qeh-pyrt-zfat
2
url VCID-kn33-aucx-bucn
vulnerability_id VCID-kn33-aucx-bucn
summary Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. This vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-35926
reference_id
reference_type
scores
0
value 0.09147
scoring_system epss
scoring_elements 0.92866
published_at 2026-06-11T12:55:00Z
1
value 0.09147
scoring_system epss
scoring_elements 0.92889
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-35926
1
reference_url https://github.com/backstage/backstage
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/backstage/backstage
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-35926
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-35926
3
reference_url https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a
reference_id fb7375507d56faedcb7bb3665480070593c8949a
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-05T17:47:53Z/
url https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a
4
reference_url https://github.com/advisories/GHSA-wg6p-jmpc-xjmr
reference_id GHSA-wg6p-jmpc-xjmr
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wg6p-jmpc-xjmr
5
reference_url https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr
reference_id GHSA-wg6p-jmpc-xjmr
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-05T17:47:53Z/
url https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr
6
reference_url https://github.com/backstage/backstage/releases/tag/v1.15.0
reference_id v1.15.0
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-05T17:47:53Z/
url https://github.com/backstage/backstage/releases/tag/v1.15.0
fixed_packages
0
url pkg:npm/%40backstage/plugin-scaffolder-backend@1.15.0
purl pkg:npm/%40backstage/plugin-scaffolder-backend@1.15.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1v1x-ccrc-bqea
1
vulnerability VCID-4qeh-pyrt-zfat
2
vulnerability VCID-t9gj-dq52-a3a3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@1.15.0
aliases CVE-2023-35926, GHSA-wg6p-jmpc-xjmr
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kn33-aucx-bucn
3
url VCID-t9gj-dq52-a3a3
vulnerability_id VCID-t9gj-dq52-a3a3
summary Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets); delete arbitrary files via the `fs:delete` action by creating symlinks pointing outside the workspace, and write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; `@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some workarounds are available. Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates, restrict who can create and execute Scaffolder templates using the permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized environment with limited filesystem access.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24046.json
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24046.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24046
reference_id
reference_type
scores
0
value 0.00022
scoring_system epss
scoring_elements 0.06376
published_at 2026-06-12T12:55:00Z
1
value 0.00022
scoring_system epss
scoring_elements 0.06357
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24046
2
reference_url https://github.com/backstage/backstage
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/backstage/backstage
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2431878
reference_id 2431878
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2431878
4
reference_url https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d
reference_id c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T15:09:21Z/
url https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24046
reference_id CVE-2026-24046
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24046
6
reference_url https://github.com/advisories/GHSA-rq6q-wr2q-7pgp
reference_id GHSA-rq6q-wr2q-7pgp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rq6q-wr2q-7pgp
7
reference_url https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp
reference_id GHSA-rq6q-wr2q-7pgp
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T15:09:21Z/
url https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp
8
reference_url https://access.redhat.com/errata/RHSA-2026:6174
reference_id RHSA-2026:6174
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6174
9
reference_url https://access.redhat.com/errata/RHSA-2026:6802
reference_id RHSA-2026:6802
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6802
fixed_packages
0
url pkg:npm/%40backstage/plugin-scaffolder-backend@2.2.2
purl pkg:npm/%40backstage/plugin-scaffolder-backend@2.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4qeh-pyrt-zfat
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@2.2.2
1
url pkg:npm/%40backstage/plugin-scaffolder-backend@3.0.0-next.0
purl pkg:npm/%40backstage/plugin-scaffolder-backend@3.0.0-next.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4qeh-pyrt-zfat
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.0.0-next.0
2
url pkg:npm/%40backstage/plugin-scaffolder-backend@3.0.2
purl pkg:npm/%40backstage/plugin-scaffolder-backend@3.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4qeh-pyrt-zfat
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.0.2
3
url pkg:npm/%40backstage/plugin-scaffolder-backend@3.1.0-next.0
purl pkg:npm/%40backstage/plugin-scaffolder-backend@3.1.0-next.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4qeh-pyrt-zfat
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.1.0-next.0
4
url pkg:npm/%40backstage/plugin-scaffolder-backend@3.1.1
purl pkg:npm/%40backstage/plugin-scaffolder-backend@3.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4qeh-pyrt-zfat
1
vulnerability VCID-v5gp-72r8-3yd4
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@3.1.1
aliases CVE-2026-24046, GHSA-rq6q-wr2q-7pgp
risk_score 4.1
exploitability 0.5
weighted_severity 8.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t9gj-dq52-a3a3
Fixing_vulnerabilities
Risk_score 4.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-backend@1.8.0-next.2