
Hoppscotch vulnerabilities

12 known vulnerabilities affecting hoppscotch/hoppscotch.

Total CVEs: 12
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 4, MEDIUM 5

Vulnerabilities

CVE-2026-28215 | P2 | CRITICAL | CVSS 9.1 | fixed in 2026.2.0 | affected >= 2025.7.0, < 2026.4.0 | published 2026-02-26
[CRITICAL] CWE-284: hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request with no authentication. The endpoint POST /v1/onboardi
Source: NVD
CVE-2026-34847 | P3 | MEDIUM | CVSS 6.1 | PoC available | fixed in 2026.3.0 | published 2026-04-02
[MEDIUM] CWE-601: hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, the /enter page contains a DOM-based open redirect vulnerability. The redirect query parameter is directly used to construct a URL and redirect the user without proper validation. This issue has been patched in version 2026.3.0.
Source: NVD
CVE-2023-34097 | P3 | HIGH | CVSS 8.8 | fixed in 2023.4.5 | published 2023-06-05
[HIGH] CWE-532: hoppscotch is an open source API development ecosystem. In versions prior to 2023.4.5 the database password is exposed in the logs when showing the database connection string. Attackers with access to read system logs will be able to elevate privilege with full access to the database. Users are advised to upgrade. There are no known workarounds for th
Source: NVD
CVE-2026-34931 | P3 | CRITICAL | CVSS 9.6 | fixed in 2026.3.0 | published 2026-04-02
[CRITICAL] CWE-601: hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. With these tokens, the attacker can sign in as the victim to take over their account. This issue has been patched in version 2026.3.0.
Source: NVD
CVE-2026-28216 | P3 | HIGH | CVSS 8.3 | fixed in 2026.2.0 | published 2026-02-26
[HIGH] CWE-639: hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. `user-environments.resolver.ts:82-109`, `updateUserEnvironment` mutation uses `@UseGuards(GqlAuthGuard)` but is missing the `@GqlUser()` decorator entirely. The user's identity is n
Source: NVD
CVE-2026-34932 | P3 | CRITICAL | CVSS 9.3 | fixed in 2026.3.0 | published 2026-04-02
[CRITICAL] CWE-79: hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability that can lead to CSRF. This issue has been patched in version 2026.3.0.
Source: NVD
CVE-2024-34347 | P3 | HIGH | CVSS 8.3 | affected >= 0.5.0, < 0.8.0 | published 2024-05-08
[HIGH] CWE-77: @hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is because code inside the vm context can break out if it can get a hold of any re
Source: NVD
CVE-2026-28217 | P3 | MEDIUM | CVSS 6.5 | fixed in 2026.2.0 | published 2026-02-26
[MEDIUM] CWE-862: hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized `data` field containing HTTP requests with headers and potentially secrets — to any authenticated user, without verif
Source: NVD
CVE-2026-30825 | P3 | MEDIUM | CVSS 6.5 | fixed in 2026.2.1 | published 2026-03-07
[MEDIUM] CWE-639: hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1.
Source: NVD
CVE-2022-0121 | P3 | HIGH | CVSS 8.0 | affected ≤ 2.1.0 | published 2022-01-06
[HIGH] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hoppscotch hoppscotch/hoppscotch. This issue affects hoppscotch/hoppscotch before 2.1.1.
Source: NVD
CVE-2024-27092 | P4 | MEDIUM | CVSS 5.4 | fixed in 2023.12.6 | published 2024-02-29
[MEDIUM] CWE-20: Hoppscotch is an API development ecosystem. Due to a lack of validation for fields like Label (Edit Team) and TeamName, bad actors can send emails with spoofed content as Hoppscotch. Part of the payload (an external link) is presented in clickable form, which makes it easier for malicious actors to achieve their goals. This issue is fixed in 2023.12.6.
Source: NVD
CVE-2026-34848 | P4 | MEDIUM | CVSS 5.4 | fixed in 2026.3.0 | published 2026-04-02
[MEDIUM] CWE-79: hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability in the team member overflow tooltip via display name. This issue has been patched in version 2026.3.0.
Source: NVD