VYPR

Hoppscotch

by Hoppscotch

Source repositories

CVEs (13)

  • CVE-2026-34931CriApr 2, 2026
    risk 0.55cvss 9.6epss 0.00

    hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. With these tokens, the attacker can sign in as the victim to takeover their account. This issue has been patched in…

  • CVE-2026-34932CriApr 2, 2026
    risk 0.53cvss 9.3epss 0.00

    hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability that can lead to CSRF. This issue has been patched in version 2026.3.0.

  • CVE-2024-34347HigMay 8, 2024
    risk 0.47cvss 8.3epss 0.01

    @hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is…

  • CVE-2026-44478HigMay 13, 2026
    risk 0.42cvss 7.5epss 0.00

    hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET…

  • CVE-2026-34848MedApr 2, 2026
    risk 0.28cvss 5.4epss 0.00

    hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability in the team member overflow tooltip via display name. This issue has been patched in version 2026.3.0.

  • CVE-2026-34847MedApr 2, 2026
    risk 0.24cvss 4.7epss 0.00

    hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, the /enter page contains a DOM-based open redirect vulnerability. The redirect query parameter is directly used to construct a URL and redirect the user without proper validation. This issue has…

  • CVE-2026-30825Mar 7, 2026
    risk 0.00cvss epss 0.00

    hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in…

  • CVE-2026-28217Feb 26, 2026
    risk 0.00cvss epss 0.00

    hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized `data` field containing HTTP requests with…

  • CVE-2026-28216Feb 26, 2026
    risk 0.00cvss epss 0.00

    hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. `user-environments.resolver.ts:82-109`, `updateUserEnvironment` mutation uses `@UseGuards(GqlAuthGuard)`…

  • CVE-2026-28215Feb 26, 2026
    risk 0.00cvss epss 0.00

    hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single…

  • CVE-2024-27092Feb 26, 2024
    risk 0.00cvss epss 0.01

    Hoppscotch is an API development ecosystem. Due to lack of validation for fields like Label (Edit Team) - TeamName, bad actors can send emails with Spoofed Content as Hoppscotch. Part of payload (external link) is presented in clickable form - easier to achieve own goals by…

  • CVE-2023-34097Jun 5, 2023
    risk 0.00cvss epss 0.01

    hoppscotch is an open source API development ecosystem. In versions prior to 2023.4.5 the database password is exposed in the logs when showing the database connection string. Attackers with access to read system logs will be able to elevate privilege with full access to the…

  • CVE-2022-0121Jan 6, 2022
    risk 0.00cvss epss 0.01

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hoppscotch hoppscotch/hoppscotch.This issue affects hoppscotch/hoppscotch before 2.1.1.