Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40backstage/plugin-scaffolder-node@0.6.1
Type npm
Namespace @backstage
Name plugin-scaffolder-node
Version 0.6.1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 0.11.2
Latest_non_vulnerable_version 0.12.3
Affected_by_vulnerabilities
0
url VCID-nwgc-2f7k-tkb2
vulnerability_id VCID-nwgc-2f7k-tkb2
summary
Backstage has a Possible Symlink Path Traversal in Scaffolder Actions
Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to:

1. **Read arbitrary files** via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets)
2. **Delete arbitrary files** via the `fs:delete` action by creating symlinks pointing outside the workspace
3. **Write files outside the workspace** via archive extraction (tar/zip) containing malicious symlinks

This affects any Backstage deployment where users can create or execute Scaffolder templates.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24046.json
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24046.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24046
reference_id
reference_type
scores
0
value 0.00022
scoring_system epss
scoring_elements 0.06327
published_at 2026-06-09T12:55:00Z
1
value 0.00022
scoring_system epss
scoring_elements 0.06383
published_at 2026-06-05T12:55:00Z
2
value 0.00022
scoring_system epss
scoring_elements 0.06374
published_at 2026-06-06T12:55:00Z
3
value 0.00022
scoring_system epss
scoring_elements 0.06366
published_at 2026-06-07T12:55:00Z
4
value 0.00022
scoring_system epss
scoring_elements 0.0632
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24046
2
reference_url https://github.com/backstage/backstage
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/backstage/backstage
3
reference_url https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T15:09:21Z/
url https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2431878
reference_id 2431878
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2431878
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24046
reference_id CVE-2026-24046
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24046
6
reference_url https://github.com/advisories/GHSA-rq6q-wr2q-7pgp
reference_id GHSA-rq6q-wr2q-7pgp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rq6q-wr2q-7pgp
7
reference_url https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp
reference_id GHSA-rq6q-wr2q-7pgp
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T15:09:21Z/
url https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp
8
reference_url https://access.redhat.com/errata/RHSA-2026:6174
reference_id RHSA-2026:6174
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6174
9
reference_url https://access.redhat.com/errata/RHSA-2026:6802
reference_id RHSA-2026:6802
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6802
fixed_packages
0
url pkg:npm/%40backstage/plugin-scaffolder-node@0.11.2
purl pkg:npm/%40backstage/plugin-scaffolder-node@0.11.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-node@0.11.2
1
url pkg:npm/%40backstage/plugin-scaffolder-node@0.12.0-next.0
purl pkg:npm/%40backstage/plugin-scaffolder-node@0.12.0-next.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-node@0.12.0-next.0
2
url pkg:npm/%40backstage/plugin-scaffolder-node@0.12.3
purl pkg:npm/%40backstage/plugin-scaffolder-node@0.12.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-node@0.12.3
aliases CVE-2026-24046, GHSA-rq6q-wr2q-7pgp
risk_score 4.1
exploitability 0.5
weighted_severity 8.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nwgc-2f7k-tkb2
Fixing_vulnerabilities
0
url VCID-nvqu-h7kb-9fcg
vulnerability_id VCID-nvqu-h7kb-9fcg
summary
Backstage Scaffolder plugin vulnerable to Server-Side Request Forgery
A vulnerability is identified in Backstage Scaffolder template functionality where Server-Side Template Injection (SSTI) can be exploited to perform Git config injection. The vulnerability allows an attacker to capture privileged git tokens used by the Backstage Scaffolder plugin. With these tokens, unauthorized access to sensitive resources in git can be achieved. The impact is considered medium severity as the Backstage Threat Model recommends restricting access to adding and editing templates in the Backstage Catalog plugin.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-53983
reference_id
reference_type
scores
0
value 0.00153
scoring_system epss
scoring_elements 0.35748
published_at 2026-06-05T12:55:00Z
1
value 0.00153
scoring_system epss
scoring_elements 0.35695
published_at 2026-06-09T12:55:00Z
2
value 0.00153
scoring_system epss
scoring_elements 0.3568
published_at 2026-06-08T12:55:00Z
3
value 0.00153
scoring_system epss
scoring_elements 0.35719
published_at 2026-06-07T12:55:00Z
4
value 0.00153
scoring_system epss
scoring_elements 0.35759
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-53983
1
reference_url https://github.com/backstage/backstage
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
1
value 4.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/backstage/backstage
2
reference_url https://github.com/backstage/backstage/tree/master/plugins/scaffolder-node
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
1
value 4.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-02T22:15:55Z/
url https://github.com/backstage/backstage/tree/master/plugins/scaffolder-node
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-53983
reference_id CVE-2024-53983
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
1
value 4.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-53983
4
reference_url https://github.com/advisories/GHSA-qmc2-jpr5-7rg9
reference_id GHSA-qmc2-jpr5-7rg9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qmc2-jpr5-7rg9
5
reference_url https://github.com/backstage/backstage/security/advisories/GHSA-qmc2-jpr5-7rg9
reference_id GHSA-qmc2-jpr5-7rg9
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 4.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-02T22:15:55Z/
url https://github.com/backstage/backstage/security/advisories/GHSA-qmc2-jpr5-7rg9
fixed_packages
0
url pkg:npm/%40backstage/plugin-scaffolder-node@0.4.12
purl pkg:npm/%40backstage/plugin-scaffolder-node@0.4.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-nwgc-2f7k-tkb2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-node@0.4.12
1
url pkg:npm/%40backstage/plugin-scaffolder-node@0.5.1
purl pkg:npm/%40backstage/plugin-scaffolder-node@0.5.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-nwgc-2f7k-tkb2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-node@0.5.1
2
url pkg:npm/%40backstage/plugin-scaffolder-node@0.6.1
purl pkg:npm/%40backstage/plugin-scaffolder-node@0.6.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-nwgc-2f7k-tkb2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-node@0.6.1
aliases CVE-2024-53983, GHSA-qmc2-jpr5-7rg9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nvqu-h7kb-9fcg
Risk_score 4.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-scaffolder-node@0.6.1