VulnerableCode Package Details - pkg:npm/%40backstage/plugin-techdocs-node@1.14.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-f9zu-z698-tyca Aliases: CVE-2026-25153 GHSA-6jr7-99pf-8vgf	@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks When TechDocs is configured with `runIn: local`, a malicious actor who can submit or modify a repository's `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration.	1.14.1 Affected by 0 other vulnerabilities.
VCID-y8ht-zmnx-3fdd Aliases: CVE-2026-25152 GHSA-w669-jj7h-88m9	@backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator A path traversal vulnerability in the TechDocs local generator allows attackers to read arbitrary files from the host filesystem when Backstage is configured with `techdocs.generator.runIn: local`. When processing documentation from untrusted sources, symlinks within the docs directory are followed by MkDocs during the build process. File contents are embedded into generated HTML and exposed to users who can view the documentation.	1.14.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-f9zu-z698-tyca
Aliases:
CVE-2026-25153
GHSA-6jr7-99pf-8vgf

@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks When TechDocs is configured with `runIn: local`, a malicious actor who can submit or modify a repository's `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration.

1.14.1
Affected by 0 other vulnerabilities.

VCID-y8ht-zmnx-3fdd
Aliases:
CVE-2026-25152
GHSA-w669-jj7h-88m9

@backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator A path traversal vulnerability in the TechDocs local generator allows attackers to read arbitrary files from the host filesystem when Backstage is configured with `techdocs.generator.runIn: local`. When processing documentation from untrusted sources, symlinks within the docs directory are followed by MkDocs during the build process. File contents are embedded into generated HTML and exposed to users who can view the documentation.

1.14.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-31T10:53:37.812023+00:00	GithubOSV Importer	Affected by	VCID-f9zu-z698-tyca	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-6jr7-99pf-8vgf/GHSA-6jr7-99pf-8vgf.json	38.6.0
2026-05-31T10:53:34.262002+00:00	GithubOSV Importer	Affected by	VCID-y8ht-zmnx-3fdd	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-w669-jj7h-88m9/GHSA-w669-jj7h-88m9.json	38.6.0
2026-05-31T01:07:05.040164+00:00	GHSA Importer	Affected by	VCID-f9zu-z698-tyca	https://github.com/advisories/GHSA-6jr7-99pf-8vgf	38.6.0
2026-05-31T01:07:04.468850+00:00	GHSA Importer	Affected by	VCID-y8ht-zmnx-3fdd	https://github.com/advisories/GHSA-w669-jj7h-88m9	38.6.0
2026-05-30T21:06:13.480827+00:00	GitLab Importer	Affected by	VCID-f9zu-z698-tyca	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@backstage/plugin-techdocs-node/CVE-2026-25153.yml	38.6.0
2026-05-30T21:06:13.337346+00:00	GitLab Importer	Affected by	VCID-y8ht-zmnx-3fdd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@backstage/plugin-techdocs-node/CVE-2026-25152.yml	38.6.0