Aggregates CVE and security vulnerability intelligence across all hoppscotch-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk cross-site scripting and vendor risk open redirect and related security problems, affecting vendor surface software deployment and vendor surface production workloads scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-34932 | hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability that can lead to CSRF. This issue has been patched in version 2026.3.0. | [email protected] | 8.5 | 0.04% | 2026-04-02 | 2026-04-15 |
| CVE-2026-34931 | hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. With these tokens, the attacker can sign in as the victim to takeover their account. This issue has been patched in version 2026.3.0. | [email protected] | 8.5 | 0.04% | 2026-04-02 | 2026-04-15 |
| CVE-2026-34848 | hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability in the team member overflow tooltip via display name. This issue has been patched in version 2026.3.0. | [email protected] | 5.4 | 0.03% | 2026-04-02 | 2026-04-15 |
| CVE-2026-34847 | hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, the /enter page contains a DOM-based open redirect vulnerability. The redirect query parameter is directly used to construct a URL and redirect the user without proper validation. This issue has been patched in version 2026.3.0. | [email protected] | 4.7 | 0.38% | 2026-04-02 | 2026-04-15 |
| CVE-2026-30825 | hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1. | [email protected] | 0.0 | 0.03% | 2026-03-07 | 2026-03-11 |
| CVE-2026-28217 | hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized `data` field containing HTTP requests with headers and potentially secrets — to any authenticated user, without verifying that the requesting user owns the collection. This is an Insecure Direct Object Reference (IDOR) caused by a missing authorization check that ex | [email protected] | 6.5 | 0.03% | 2026-02-26 | 2026-02-27 |
| CVE-2026-28216 | hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. `user-environments.resolver.ts:82-109`, `updateUserEnvironment` mutation uses `@UseGuards(GqlAuthGuard)` but is missing the `@GqlUser()` decorator entirely. The user's identity is never extracted, so the service receives only the environment ID and performs a `prisma.userEnvironment.update({ where: { id } })` without any owner | [email protected] | 8.3 | 0.04% | 2026-02-26 | 2026-02-27 |
| CVE-2026-28215 | hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request with no authentication. The endpoint POST /v1/onboarding/config has no authentication guard and performs no check on whether onboarding was already completed. A successful exploit allows the attacker to r | [email protected] | 9.1 | 0.28% | 2026-02-26 | 2026-02-27 |
| CVE-2024-27092 | Hoppscotch is an API development ecosystem. Due to lack of validation for fields like Label (Edit Team) - TeamName, bad actors can send emails with Spoofed Content as Hoppscotch. Part of payload (external link) is presented in clickable form - easier to achieve own goals by malicious actors. This issue is fixed in 2023.12.6. | [email protected] | 5.4 | 0.22% | 2024-02-29 | 2025-04-01 |
| CVE-2023-34097 | hoppscotch is an open source API development ecosystem. In versions prior to 2023.4.5 the database password is exposed in the logs when showing the database connection string. Attackers with access to read system logs will be able to elevate privilege with full access to the database. Users are advised to upgrade. There are no known workarounds for this vulnerability. | [email protected] | 7.8 | 0.32% | 2023-06-05 | 2024-11-21 |
| CVE-2022-0121 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hoppscotch hoppscotch/hoppscotch.This issue affects hoppscotch/hoppscotch before 2.1.1. | [email protected] | 8.0 | 0.36% | 2022-01-06 | 2026-02-24 |