In ZITADEL versions 4.0.0 to 4.11.1, a critical-severity vulnerability, CVE-2026-29191, was detected. This vulnerability allows attackers to perform a cross-site scripting (XSS) attack against the /saml-post endpoint of the Login V2 interface, potentially enabling a 1-click account takeover. To address this issue, users should upgrade ZITADEL to version 4.12.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29191.
In @backstage/plugin-techdocs-node versions prior to 1.14.3, a high-severity vulnerability, CVE-2026-29186, was detected. This vulnerability allows attackers to execute arbitrary Python code by crafting a malicious mkdocs.yml file that bypasses the plugin's allowlist for dangerous configuration keys during the TechDocs build process. To address this issue, users should upgrade @backstage/plugin-techdocs-node to version 1.14.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29186.
In @backstage/integration versions prior to 1.20.1, a low-severity vulnerability, CVE-2026-29185, was detected. This vulnerability allows attackers to include encoded path traversal sequences in SCM URLs, potentially causing integration functions to redirect requests to unintended SCM provider API endpoints using server-side integration credentials. To address this issue, users should upgrade @backstage/integration to version 1.20.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29185.
In @backstage/plugin-scaffolder-backend versions prior to 3.1.4, a low-severity vulnerability, CVE-2026-29184, was detected. This vulnerability allows a malicious scaffolder template to bypass the log redaction mechanism and exfiltrate secrets provided during task execution through event logs. To address this issue, users should upgrade @backstage/plugin-scaffolder-backend to version 3.1.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29184.
In Gogs versions prior to 0.14.2, a high-severity vulnerability, CVE-2026-26022, was detected. This vulnerability allows authenticated attackers to inject and execute arbitrary JavaScript via data URI schemes in issue comments or descriptions, due to insufficient sanitization. To address this issue, users should upgrade Gogs to version 0.14.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26022.
In Gogs versions prior to 0.14.2, a critical-severity vulnerability, CVE-2026-25921, was detected. This vulnerability allows attackers to maliciously overwrite Git LFS objects across different repositories due to missing content hash verification, potentially enabling supply-chain attacks. To address this issue, users should upgrade Gogs to version 0.14.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25921.
In Gogs versions prior to 0.14.2, a medium-severity vulnerability, CVE-2026-26196, was detected. This vulnerability allows attackers to obtain access tokens because the API accepts tokens in URL parameters such as `token` and `access_token`, which can be exposed through logs, browser history, or referrers. To address this issue, users should upgrade Gogs to version 0.14.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26196.
In Gogs versions prior to 0.14.2, a medium-severity vulnerability, CVE-2026-26195, was detected. This vulnerability allows attackers to perform stored cross-site scripting (XSS) through author and committer names in branch and wiki views, due to unsafe template rendering combined with permissive sanitizer handling of data URLs. To address this issue, users should upgrade Gogs to version 0.14.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26195.
In Gogs versions prior to 0.14.2, a high-severity vulnerability, CVE-2026-26194, was detected. This vulnerability allows attackers to inject arbitrary Git options when deleting a release if a user-controlled tag name is passed without proper sanitization, potentially manipulating the release deletion process. To address this issue, users should upgrade Gogs to version 0.14.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26194.