CVE-2026-25153: @backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks
When TechDocs is configured with runIn: local, a malicious actor who can submit or modify a repository’s mkdocs.yml file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration.
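A pre-build check for this condition, as an added example (not code from Backstage or MkDocs): it scans a repository's mkdocs.yml for MkDocs' top-level hooks key, which lists Python scripts that MkDocs loads during a build, and refuses the local build if the key is present. The function names and sample configs are constructed for illustration. It is a conservative line scan rather than a full YAML parser, so it raises on a flow-style root mapping instead of guessing.

```python
import re

# Top-level (column 0) "hooks" key, bare or quoted.
HOOKS_KEY = re.compile(r"""^(hooks|"hooks"|'hooks')\s*:(\s|$)""")

# Constructed sample configs, not taken from any real repository.
SAMPLE_WITH_HOOKS = """\
site_name: Example Docs
nav:
  - Home: index.md
plugins:
  - techdocs-core
hooks:
  - docs/hooks/build.py   # constructed path
"""
SAMPLE_CLEAN = """\
site_name: Example Docs
plugins:
  - techdocs-core
"""

def _clean(value):
    """Drop a trailing comment and surrounding quotes from a scalar."""
    return value.split(" #")[0].strip().strip("'\"")

def find_hooks(mkdocs_yml):
    """Return None if there is no top-level hooks key, else the entries found."""
    entries, in_hooks = None, False
    for raw in mkdocs_yml.splitlines():
        line, stripped = raw.rstrip(), raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if line[0] == "{":  # cannot line-scan a flow-style root: fail closed
            raise ValueError("flow-style root mapping; review by hand")
        if HOOKS_KEY.match(line):
            in_hooks, entries = True, entries or []
            inline = _clean(line.split(":", 1)[1])
            if inline.startswith("["):  # hooks: [a.py, b.py]
                entries += [_clean(v) for v in inline.strip("[]").split(",") if v.strip()]
            elif inline:
                entries.append(inline)
        elif in_hooks and stripped.startswith("- "):
            entries.append(_clean(stripped[2:]))
        elif in_hooks and not line[0].isspace():
            in_hooks = False  # next top-level key ends the hooks block
    return entries

def build_allowed(mkdocs_yml):
    """Gate for untrusted repos: any hooks key at all blocks the local build."""
    return find_hooks(mkdocs_yml) is None

if __name__ == "__main__":
    print(find_hooks(SAMPLE_WITH_HOOKS), build_allowed(SAMPLE_CLEAN))
```

The gate rejects even an empty hooks key, so a multi-line list the scan cannot enumerate still blocks the build.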