{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-14T08:28:39.478","vulnerabilities":[{"cve":{"id":"CVE-2026-24046","sourceIdentifier":"security-advisories@github.com","published":"2026-01-21T23:15:53.240","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets); delete arbitrary files via the `fs:delete` action by creating symlinks pointing outside the workspace, and write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; `@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some workarounds are available. Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates, restrict who can create and execute Scaffolder templates using the permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized environment with limited filesystem access."},{"lang":"es","value":"Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets); delete arbitrary files via the `fs:delete` action by creating symlinks pointing outside the workspace; and write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; `@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some workarounds are available. Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates, restrict who can create and execute Scaffolder templates using the permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized environment with limited filesystem access."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":1.8,"impactScore":4.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"},{"lang":"en","value":"CWE-59"}]}],"references":[{"url":"https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d","source":"security-advisories@github.com"},{"url":"https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp","source":"security-advisories@github.com"}]}}]}
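The record above describes three symlink escapes from a Scaffolder workspace (a read through `debug:log`, a delete through `fs:delete`, and a write during tar/zip extraction), all of which pass a purely lexical path check. The following is an added example, not Backstage's code and not the fix in the referenced commit: it contrasts a lexical `path.resolve` check with a realpath-based one that walks to the deepest existing path component, and applies the same check to an in-memory model of archive entries (the `Entry` type, the `resolveSafeChildPath`, `safeDelete`, `extractEntries` and `demo` names, the constructed archive, and the temp-dir stand-in for `/etc/passwd` are all assumptions made for this example).

```typescript
// Added example (not Backstage's code): hardened workspace path handling
// against the symlink escapes the advisory describes. Node/TypeScript only.
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';

export class PathEscapeError extends Error {
  constructor(msg: string) {
    super(msg);
    this.name = 'PathEscapeError';
    Object.setPrototypeOf(this, PathEscapeError.prototype); // keep instanceof on ES5 targets
  }
}

function isInside(root: string, p: string): boolean {
  return p === root || p.startsWith(root + path.sep);
}

function lexists(p: string): boolean { // true for dangling symlinks too (lstat, not stat)
  try { fs.lstatSync(p); return true; } catch { return false; }
}

// Lexical check only: path.resolve never touches the filesystem, so a symlink
// inside the workspace that points at /etc/passwd passes it unchallenged.
export function resolveLexicalOnly(workspace: string, rel: string): string {
  const target = path.resolve(workspace, rel);
  if (!isInside(workspace, target)) throw new PathEscapeError(`escapes workspace: ${rel}`);
  return target;
}

// Hardened: resolve symlinks in the deepest existing part of the path and
// require that real location to stay under the real workspace root.
export function resolveSafeChildPath(workspace: string, rel: string): string {
  const root = fs.realpathSync(workspace);
  const target = resolveLexicalOnly(root, rel);
  let probe = target; // walk up so paths that do not exist yet are still allowed
  while (!lexists(probe)) probe = path.dirname(probe);
  let real: string;
  try { real = fs.realpathSync(probe); } catch {
    throw new PathEscapeError(`unresolvable (dangling symlink?): ${rel}`);
  }
  if (!isInside(root, real)) throw new PathEscapeError(`symlink escapes workspace: ${rel}`);
  return target;
}

// fs:delete stand-in: never operate through a link that leaves the workspace.
export function safeDelete(workspace: string, rel: string): void {
  fs.rmSync(resolveSafeChildPath(workspace, rel), { recursive: true, force: true });
}

// Constructed in-memory archive model (no real tar/zip parser); a real
// extractor would run the same checks on each entry header before writing.
export type Entry =
  | { type: 'dir'; name: string }
  | { type: 'file'; name: string; content: string }
  | { type: 'symlink'; name: string; linkTarget: string };

export function extractEntries(workspace: string, entries: Entry[]): { extracted: string[]; rejected: string[] } {
  const extracted: string[] = [];
  const rejected: string[] = [];
  for (const e of entries) {
    try {
      const dest = resolveSafeChildPath(workspace, e.name);
      if (e.type === 'symlink') {
        // A link target is relative to the link's own directory; it must stay
        // inside as well, or a later entry could be written through it.
        resolveSafeChildPath(workspace, path.resolve(path.dirname(dest), e.linkTarget));
        fs.symlinkSync(e.linkTarget, dest);
      } else if (e.type === 'dir') {
        fs.mkdirSync(dest, { recursive: true });
      } else {
        fs.mkdirSync(path.dirname(dest), { recursive: true });
        fs.writeFileSync(dest, e.content);
      }
      extracted.push(e.name);
    } catch (err) {
      if (!(err instanceof PathEscapeError)) throw err;
      rejected.push(e.name);
    }
  }
  return { extracted, rejected };
}

export function demo() {
  const outside = fs.mkdtempSync(path.join(os.tmpdir(), 'outside-'));
  const secret = path.join(outside, 'passwd'); // constructed stand-in for /etc/passwd
  fs.writeFileSync(secret, 'root:x:0:0:root:/root:/bin/bash\n');
  const workspace = fs.mkdtempSync(path.join(os.tmpdir(), 'scaffolder-'));
  fs.symlinkSync(secret, path.join(workspace, 'leak')); // what a malicious template plants

  // debug:log-style read: the lexical check leaks the secret, the hardened one refuses.
  const lexicalLeaked = fs.readFileSync(resolveLexicalOnly(workspace, 'leak'), 'utf8').startsWith('root:');
  let hardenedBlocked = false;
  try { resolveSafeChildPath(workspace, 'leak'); } catch (e) { hardenedBlocked = e instanceof PathEscapeError; }
  let deleteBlocked = false;
  try { safeDelete(workspace, 'leak'); } catch (e) { deleteBlocked = e instanceof PathEscapeError && fs.existsSync(secret); }

  const archive: Entry[] = [ // constructed entries, in extraction order
    { type: 'dir', name: 'src' },
    { type: 'file', name: 'src/main.ts', content: 'export {};\n' },
    { type: 'symlink', name: 'src/link-ok', linkTarget: 'main.ts' },
    { type: 'symlink', name: 'escape', linkTarget: path.relative(workspace, outside) },
    { type: 'symlink', name: 'abs', linkTarget: secret },
    { type: 'file', name: '../sibling', content: 'outside the workspace' },
    { type: 'file', name: 'leak', content: 'would overwrite the link target' },
  ];
  const result = extractEntries(workspace, archive);
  fs.rmSync(workspace, { recursive: true, force: true });
  fs.rmSync(outside, { recursive: true, force: true });
  return { lexicalLeaked, hardenedBlocked, deleteBlocked, ...result };
}
```

The walk to the deepest existing component matters for extraction: a file entry whose directories do not exist yet must be allowed, while a pre-planted symlink anywhere on the path (the `leak` case) or a dangling link is caught by `lstat` rather than skipped by `existsSync`, which follows links and reports a dangling one as absent. The link-target check runs before the link is created, so an `escape -> ../` entry followed by `escape/pwned` never gets a link to write through; ordering attacks of that shape are the tar case the advisory lists.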