Lucene search
K

116 matches found

Nuclei
Nuclei
added 10 hours ago11 views

Hoppscotch <= 2026.2.1 - Open Redirect

Hoppscotch = 2026.2.1 is vulnerable to a DOM-based open redirect on the /enter page. The redirect query parameter is passed directly to windowz location.href with no origin validation. Requires one additional query parameter to trigger. Exploited via a crafted URL such as...

6.1CVSS6.1AI score0.00401EPSS
Exploits1References2
NVD
NVD
added 4 days ago9 views

CVE-2026-59720

Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, mock server creation in mock-server.service.ts does not persist the isPublic input field while schema.prisma defaults isPublic to true, causing mock servers linked to private collections to be publicly accessible without...

7.5CVSS0.00336EPSS
Exploits0References4
NVD
NVD
added 4 days ago9 views

CVE-2026-59721

Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, the updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepts an attacker-controlled MAILERSMTPURL value, and validateSMTPUrl in utils.ts permits path, query, or fragment content that nodemailer parses into...

7.2CVSS0.00518EPSS
Exploits0References4
CVE
CVE
added 4 days ago10 views

CVE-2026-59720

Hoppscotch’s Mock API exposes private collection data due to a desync: mock-server.service.ts does not persist the isPublic input, while schema.prisma defaults isPublic to true, making mock servers linked to private collections publicly accessible without authentication. The vulnerability affects...

7.5CVSS5.9AI score0.00336EPSS
Exploits0References4
Cvelist
Cvelist
added 4 days ago32 views

CVE-2026-59720 Hoppscotch: Insecure Default Configuration Allows Public Exposure of Private Collection Data via Mock Server

Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, mock server creation in mock-server.service.ts does not persist the isPublic input field while schema.prisma defaults isPublic to true, causing mock servers linked to private collections to be publicly accessible without...

7.5CVSS0.00336EPSS
Exploits0References4
Cvelist
Cvelist
added 4 days ago31 views

CVE-2026-59721 Hoppscotch: Admin RCE via MAILER_SMTP_URL nodemailer sendmail-transport injection

Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, the updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepts an attacker-controlled MAILERSMTPURL value, and validateSMTPUrl in utils.ts permits path, query, or fragment content that nodemailer parses into...

7.2CVSS0.00518EPSS
Exploits0References4
CVE
CVE
added 4 days ago14 views

CVE-2026-59721

Hoppscotch (open source API development ecosystem) contains a Rooted Command Execution risk before version 2026.6.0 due to the updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepting an attacker-controlled MAILER_SMTP_URL. The validateSMTPUrl in utils.ts permits path, query, or f...

7.2CVSS6.2AI score0.00518EPSS
Exploits0References4
NVD
NVD
added 2026/07/01 7:16 p.m.7 views

CVE-2026-50160

Hoppscotch is an API development ecosystem. In self-hosted deployments of hoppscotch-backend from version 2026.4.1 and earlier, the unauthenticated POST /v1/onboarding/config endpoint is vulnerable to mass assignment. The global NestJS ValidationPipe is configured without whitelist: true, so extr...

10CVSS0.0059EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.22 views

PT-2026-51653

Name of the Vulnerable Software and Affected Versions Hoppscotch affected versions not specified Description Four independent weaknesses allow an unauthenticated request to lead to full server compromise. Recommendations At the moment, there is no information about a newer version that contains a...

10CVSS5.9AI score0.0059EPSS
Exploits1References12
RedhatCVE
RedhatCVE
added 2026/05/15 7:57 p.m.10 views

CVE-2026-44478

hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET /v1/onboarding/config sti...

7.5CVSS5.8AI score0.0024EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/13 9:47 p.m.35 views

CVE-2026-44478 hoppscotch: Unauthenticated Onboarding Config Disclosure via Empty Recovery Token

hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET /v1/onboarding/config sti...

7.5CVSS0.0024EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/13 9:47 p.m.15 views

EUVD-2026-30201

hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET /v1/onboarding/config sti...

9.1CVSS5.8AI score0.00455EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/13 9:47 p.m.9 views

CVE-2026-44478 hoppscotch: Unauthenticated Onboarding Config Disclosure via Empty Recovery Token

hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET /v1/onboarding/config sti...

7.5CVSS5.8AI score0.0024EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.10 views

Hoppscotch 访问控制错误漏洞

Hoppscotch is an open-source API development ecosystem created by Hoppscotch. Versions of Hoppscotch from 2026.2.0 to 2026.4.0 contained a access control vulnerability. This vulnerability stemmed from the GET /v1/onboarding/config endpoint, which still exposed all infrastructure secrets in plain...

7.5CVSS5.8AI score0.0024EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/04/03 11:2 p.m.7 views

CVE-2026-34932

hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability that can lead to CSRF. This issue has been patched in version 2026.3.0...

9.3CVSS5.8AI score0.00288EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/03 11:1 p.m.4 views

CVE-2026-34931

hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. With these tokens, the attacker can sign in as the victim to takeover their account. This issue has been patched in version 2026.3.0...

9.6CVSS5.8AI score0.00373EPSS
Exploits1References1
NVD
NVD
added 2026/04/02 8:16 p.m.7 views

CVE-2026-34932

hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability that can lead to CSRF. This issue has been patched in version 2026.3.0...

9.3CVSS0.00288EPSS
Exploits0References2
NVD
NVD
added 2026/04/02 8:16 p.m.13 views

CVE-2026-34847

hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, the /enter page contains a DOM-based open redirect vulnerability. The redirect query parameter is directly used to construct a URL and redirect the user without proper validation. This issue has been patched in...

6.1CVSS0.00401EPSS
Exploits1References2
NVD
NVD
added 2026/04/02 8:16 p.m.8 views

CVE-2026-34931

hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. With these tokens, the attacker can sign in as the victim to takeover their account. This issue has been patched in version 2026.3.0...

9.6CVSS0.00373EPSS
Exploits1References2
CVE
CVE
added 2026/04/02 7:21 p.m.14 views

CVE-2026-34931

CVE-2026-34931 affects Hoppscotch (open source API development ecosystem). Prior to version 2026.3.0 there is an open redirect vulnerability that leads to token exfiltration. With stolen tokens, an attacker could sign in as the victim and take over their account. The issue is patched in version 2...

9.6CVSS5.8AI score0.00373EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder