hoppscotch 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
過去の問題は主に vendor risk cross-site scripting and vendor risk open redirect などに関し、一部は vendor impact session compromise を招き、vendor surface software deployment and vendor surface production workloads 関連の場面に影響します。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-34932 | hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability that can lead to CSRF. This issue has been patched in version 2026.3.0. | [email protected] | 8.5 | 0.29% | 2026-04-02 | 2026-04-15 |
| CVE-2026-34931 | hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. With these tokens, the attacker can sign in as the victim to takeover their account. This issue has been patched in version 2026.3.0. | [email protected] | 8.5 | 0.37% | 2026-04-02 | 2026-04-15 |
| CVE-2026-34848 | hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability in the team member overflow tooltip via display name. This issue has been patched in version 2026.3.0. | [email protected] | 5.4 | 0.14% | 2026-04-02 | 2026-04-15 |
| CVE-2026-34847 | hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, the /enter page contains a DOM-based open redirect vulnerability. The redirect query parameter is directly used to construct a URL and redirect the user without proper validation. This issue has been patched in version 2026.3.0. | [email protected] | 4.7 | 0.38% | 2026-04-02 | 2026-04-15 |
| CVE-2026-30825 | hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1. | [email protected] | 0.0 | 0.22% | 2026-03-07 | 2026-03-11 |
| CVE-2026-28217 | hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized `data` field containing HTTP requests with headers and potentially secrets — to any authenticated user, without verifying that the requesting user owns the collection. This is an Insecure Direct Object Reference (IDOR) caused by a missing authorization check that ex | [email protected] | 6.5 | 0.37% | 2026-02-26 | 2026-02-27 |
| CVE-2026-28216 | hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. `user-environments.resolver.ts:82-109`, `updateUserEnvironment` mutation uses `@UseGuards(GqlAuthGuard)` but is missing the `@GqlUser()` decorator entirely. The user's identity is never extracted, so the service receives only the environment ID and performs a `prisma.userEnvironment.update({ where: { id } })` without any owner | [email protected] | 8.3 | 0.39% | 2026-02-26 | 2026-02-27 |
| CVE-2026-28215 | hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request with no authentication. The endpoint POST /v1/onboarding/config has no authentication guard and performs no check on whether onboarding was already completed. A successful exploit allows the attacker to r | [email protected] | 9.1 | 0.46% | 2026-02-26 | 2026-02-27 |
| CVE-2024-27092 | Hoppscotch is an API development ecosystem. Due to lack of validation for fields like Label (Edit Team) - TeamName, bad actors can send emails with Spoofed Content as Hoppscotch. Part of payload (external link) is presented in clickable form - easier to achieve own goals by malicious actors. This issue is fixed in 2023.12.6. | [email protected] | 5.4 | 0.61% | 2024-02-29 | 2025-04-01 |
| CVE-2023-34097 | hoppscotch is an open source API development ecosystem. In versions prior to 2023.4.5 the database password is exposed in the logs when showing the database connection string. Attackers with access to read system logs will be able to elevate privilege with full access to the database. Users are advised to upgrade. There are no known workarounds for this vulnerability. | [email protected] | 7.8 | 0.68% | 2023-06-05 | 2024-11-21 |
| CVE-2022-0121 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hoppscotch hoppscotch/hoppscotch.This issue affects hoppscotch/hoppscotch before 2.1.1. | [email protected] | 8.0 | 1.20% | 2022-01-06 | 2026-02-24 |