@backstage/plugin-scaffolder-backend (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package @backstage/plugin-scaffolder-backend, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (7)
CVE-2021-43783 — CVSS 8.5 (high): @backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. In affected versions a malicious actor…
CVE-2023-35926 — CVSS 8.0 (high): Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that…
CVE-2026-24046 — CVSS 7.1 (high): Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable…
CVE-2021-41151 — CVSS 6.8 (medium): Backstage is an open platform for building developer portals. In affected versions A malicious actor could read sensitive files from the…
CVE-2026-32237 — CVSS 4.4 (medium): Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder…
CVE-2025-55285 — CVSS 2.6 (low): @backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging…
CVE-2026-29184 — CVSS 2.0 (low): Backstage is an open framework for building developer portals. Prior to version 3.1.4, a malicious scaffolder template can bypass the log…