CVE-2026-28217 IDOR in GraphQL userCollection Query Exposes Other Users' Private Collections

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the userCollection GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized data field containing HTTP requests with headers and potentially...

CVE-2026-25613

An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index...