CVE-2021-41151
6.8 MEDIUM · Backstage is an open platform for building developer portals
Published: 2021-10-18 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 6.8 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
- CWE: CWE-22
Affected products
| Vendor | Product |
|---|---|
| linuxfoundation | backstage |
Description
Backstage is an open platform for building developer portals. In affected versions, a malicious actor could read sensitive files from the environment where Scaffolder Tasks are run. The attack is executed by crafting a custom Scaffolder template with a `github:publish:pull-request` action and a particular source path. When the template is executed, the sensitive files are included in the published pull request. This vulnerability is mitigated by the fact that an attacker would need access to create and register templates in the Backstage catalog, and that the attack is very visible given that the exfiltration happens via a pull request. The vulnerability is patched in the `0.15.9` release of `@backstage/plugin-scaffolder-backend`.
Source: NVD
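The weakness described above is a CWE-22 containment failure: an action resolves a template-supplied source path without confirming it stays inside the task workspace. The following is an added example, not Backstage's own code, showing the unchecked pattern next to a hardened resolver; the names `resolveSafeChildPath`, `checkTemplateSourcePath` and `escapesWorkspace` and the `/workspace` root are assumptions for illustration.

```typescript
import * as path from 'path';

// Added example, not Backstage's own code. A Scaffolder-style action receives a
// template-controlled `sourcePath` and may only read files beneath the task
// workspace. Function names and the sample workspace root are assumptions.

class PathEscapeError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'PathEscapeError';
  }
}

/** True when `candidate` is `base` itself or lies beneath it. Comparing against
 *  base + separator keeps "/workspace2" from passing as a child of "/workspace". */
function isInside(base: string, candidate: string): boolean {
  return candidate === base || candidate.startsWith(base + path.sep);
}

/** Vulnerable pattern: the template-supplied path is resolved with no containment
 *  check, so "../" segments or an absolute path land outside the workspace. */
function unsafeResolve(workspaceRoot: string, sourcePath: string): string {
  return path.resolve(workspaceRoot, sourcePath);
}

/** Hardened pattern: resolve, then require the result to stay inside `workspaceRoot`.
 *  Caveat: this is a lexical check; if the workspace may contain symlinks, also
 *  compare fs.realpathSync(resolved) against the real workspace root. */
function resolveSafeChildPath(workspaceRoot: string, sourcePath: string): string {
  const base = path.resolve(workspaceRoot);
  const resolved = path.resolve(base, sourcePath);
  if (!isInside(base, resolved)) {
    throw new PathEscapeError(`sourcePath "${sourcePath}" resolves outside the workspace`);
  }
  return resolved;
}

/** Verdict form of the hardened check, convenient for validating a template up front. */
function checkTemplateSourcePath(workspaceRoot: string, sourcePath: string): 'ok' | 'rejected' {
  try {
    resolveSafeChildPath(workspaceRoot, sourcePath);
    return 'ok';
  } catch (e) {
    if (e instanceof Error && e.name === 'PathEscapeError') return 'rejected';
    throw e;
  }
}

/** True when the unchecked resolution would have left the workspace. */
function escapesWorkspace(workspaceRoot: string, sourcePath: string): boolean {
  return !isInside(path.resolve(workspaceRoot), unsafeResolve(workspaceRoot, sourcePath));
}

// Constructed inputs: one legitimate skeleton directory and three escaping paths.
for (const p of ['skeleton', '../../etc/passwd', '/etc/passwd', 'docs/../../secret']) {
  console.log(p, '->', checkTemplateSourcePath('/workspace', p), escapesWorkspace('/workspace', p));
}
```

Running the block prints `ok false` for the in-workspace path and `rejected true` for the others, i.e. exactly the inputs the unchecked resolver would have read from outside the workspace.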
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-41151
- [Patch] https://github.com/backstage/backstage/commit/6968962c920508eae19a4c1c200fa2c8980a4006
- [Other] https://github.com/backstage/backstage/security/advisories/GHSA-pvv8-8fx9-h673
Related CVEs
Same vendor
- CVE-2026-44477 — CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments (9.9 CRITICAL)
- CVE-2026-44247 — Volcano is a Kubernetes-native batch scheduling system (6.8 MEDIUM)
- CVE-2026-44374 — Backstage is an open framework for building developer portals (4.3 MEDIUM)
- CVE-2026-45321 — On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm ... (9.6 CRITICAL)
- CVE-2026-37531 — AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-... (9.8 CRITICAL)
Same CWE
- CVE-2026-48777 — FileBrowser Quantum is a free, self-hosted, web-based file manager
- CVE-2026-8442 — The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8 (8.1 HIGH)
- CVE-2026-49766 — Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions (9.9 CRITICAL)
- CVE-2026-49061 — Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions (7.5 HIGH)
- CVE-2026-40779 — Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions (7.7 HIGH)