Linuxfoundation Backstage — known CVE vulnerabilities
Every CVE whose affected-product data names Linuxfoundation Backstage, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (12)
CVE-2021-43783 — CVSS 8.5 (high): @backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. In affected versions a malicious actor…
CVE-2023-35926 — CVSS 8.0 (high): Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that…
CVE-2026-25153 — CVSS 7.7 (high): Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities…
CVE-2026-32236 — CVSS 7.5 (high): Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists…
CVE-2021-41151 — CVSS 6.8 (medium): Backstage is an open platform for building developer portals. In affected versions A malicious actor could read sensitive files from the…
CVE-2024-45816 — CVSS 6.5 (medium): Backstage is an open framework for building developer portals. When using the AWS S3 or GCS storage provider for TechDocs it is possible to…
CVE-2024-45815 — CVSS 6.5 (medium): Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the…
CVE-2021-32662 — CVSS 6.5 (medium): Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage's TechDocs…
CVE-2024-46976 — CVSS 6.5 (medium): Backstage is an open framework for building developer portals. An attacker with control of the contents of the TechDocs storage buckets is…
CVE-2026-32235 — CVSS 5.9 (medium): Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-bac…
CVE-2023-6944 — CVSS 5.7 (medium): A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the…
CVE-2026-25152 — CVSS 5.3 (medium): Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities…