CVE-2026-44374 · EPSS p6.0%

linuxfoundation / backstage/plugin-catalog-backend-module-unprocessed

Description

Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module. This is patched in @backstage/plugin-catalog-backend-module-unprocessed version 0.6.11, @backstage/plugin-catalog-unprocessed-entities-common version 0.0.15 and @backstage/plugin-catalog-unprocessed-entities version 0.2.30.

Scoring

CVSS: 4.3
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.17% probability of exploitation · percentile 6.0% · 2026-06-19T12:03:05Z
Last modified: 2026-06-01

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-29186
CVE-2026-47352
CVE-2026-47349
CVE-2026-25153
CVE-2026-47343
CVE-2026-47351
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.