CVE-2026-29186CRITICAL 9.8EPSS p37.3%

CVE-2026-29186CVE-2026-29186

Description

Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build process. A gap in this allowlist allows attackers to craft an mkdocs.yml that causes arbitrary Python code execution, completely bypassing TechDocs' security controls. This issue has been patched in version 1.14.3.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.48% probability of exploitation · percentile 37.3% · 2026-06-19T12:03:05Z
Published2026-03-07
Last modified2026-03-11

Underlying weaknesses· 2

CWE-74CWE-434

References

  1. https://github.com/backstage/backstage/security/advisories/GHSA-928r-fm4v-mvrw

2

TypeTargetConfidenceTier
WeaknessUnrestricted Upload of File with Dangerous Typecwe-4340%live
WeaknessImproper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')cwe-740%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-25153
CVE
CVE-2026-44374
CVE
CVE-2026-25115
CVE
CVE-2026-36576
CVE
CVE-2026-27130
CVE
CVE-2026-26015
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.