Lucene search
K

10 matches found

Cvelist
Cvelist
added yesterday19 views

CVE-2026-50160 Mass Assignment via Onboarding Endpoint Allows Unauthenticated JWT_SECRET Overwrite

Hoppscotch is an API development ecosystem. In self-hosted deployments of hoppscotch-backend from version 2026.4.1 and earlier, the unauthenticated POST /v1/onboarding/config endpoint is vulnerable to mass assignment. The global NestJS ValidationPipe is configured without whitelist: true, so extr...

10CVSS0.00061EPSS
Exploits0References2
NVD
NVD
added 2026/05/13 10:16 p.m.18 views

CVE-2026-44478

hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET /v1/onboarding/config sti...

7.5CVSS0.0024EPSS
Exploits0References1
CVE
CVE
added 2026/05/13 9:47 p.m.21 views

CVE-2026-44478

CVE-2026-44478 concerns Hoppscotch, an open source API development ecosystem. The vulnerability chain involves an unauthenticated POST to /v1/onboarding/config that, prior to 2026.2.0, allowed overwriting the infrastructure configuration without verifying onboarding completion, potentially compro...

7.5CVSS5.8AI score0.0024EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/13 9:47 p.m.7 views

CVE-2026-44478

hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET /v1/onboarding/config sti...

9.1CVSS5.8AI score0.00455EPSS
Exploits1References2Affected Software1
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.10 views

Hoppscotch 访问控制错误漏洞

Hoppscotch is an open-source API development ecosystem created by Hoppscotch. Versions of Hoppscotch from 2026.2.0 to 2026.4.0 contained a access control vulnerability. This vulnerability stemmed from the GET /v1/onboarding/config endpoint, which still exposed all infrastructure secrets in plain...

7.5CVSS5.8AI score0.0024EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/13 12:0 a.m.12 views

PT-2026-40829

Name of the Vulnerable Software and Affected Versions hoppscotch versions prior to 2026.4.0 Description An information disclosure issue exists where the 'GET /v1/onboarding/config' endpoint leaks infrastructure secrets in plaintext to unauthenticated users. This occurs specifically when the...

7.5CVSS5.8AI score0.0024EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/02/26 10:34 p.m.24 views

CVE-2026-28215 hoppscotch Vulnerable to Unauthenticated Onboarding Config Takeover

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request wi...

9.1CVSS0.00455EPSS
Exploits1References2
CVE
CVE
added 2026/02/26 10:34 p.m.14 views

CVE-2026-28215

CVE-2026-28215 affects Hoppscotch (self-hosted) prior to 2026.2.0. The unauthenticated endpoint POST /v1/onboarding/config has no guards and can overwrite the infrastructure configuration, including OAuth provider credentials and SMTP settings, by a single HTTP POST. Successful exploitation allow...

9.1CVSS5.7AI score0.00455EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/26 10:34 p.m.3 views

CVE-2026-28215 hoppscotch Vulnerable to Unauthenticated Onboarding Config Takeover

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request wi...

9.1CVSS6AI score0.00455EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/02/26 12:0 a.m.9 views

PT-2026-22210

Name of the Vulnerable Software and Affected Versions Hoppscotch versions prior to 2026.2.0 Description Hoppscotch, an API development ecosystem, had a critical security issue where an unauthenticated attacker could overwrite the entire infrastructure configuration of a self-hosted instance. This...

9.1CVSS6AI score0.00455EPSS
Exploits1References12
Rows per page
Query Builder