3 matches found
CVE-2026-47828
During bosh create-env and bosh delete-env, the CLI uploads compiled CPI packages and rendered job templates to the new VM's DAV blobstore over HTTPS without verifying the server certificate, even though a CA certificate for that endpoint is available in the installation manifest. A network...
CVE-2026-28216 hoppscotch has IDOR in updateUserEnvironment / deleteUserEnvironment
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. user-environments.resolver.ts:82-109, updateUserEnvironment mutation uses @UseGuardsGqlAuthGuard but is missing the @GqlUser...
CVE-2026-28216
CVE-2026-28216 affects Hoppscotch before 2026.2.0. The issue is an improper authorization check in the user environments flow: the updateUserEnvironment mutation uses GqlAuthGuard but lacks a @GqlUser() decorator, so the service can process only the environment ID (no ownership filter) and execut...