
hoppscotch — Vulnerabilities & Security Advisories (13)

Browse all 13 CVE security advisories affecting hoppscotch. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Hoppscotch is an open-source API development and testing tool used to build and send HTTP requests. It ships as a web client, a browser extension (hoppscotch-extension) and a CLI (@hoppscotch/cli), with a self-hostable backend that stores collections, environments, personal access tokens and team data. Its 13 recorded CVEs fall into a few recurring classes: cross-site scripting (CWE-79: CVE-2022-0121 and two stored-XSS entries from 2026, one via a team member's display name and one via mock server responses served on the backend origin); redirect-target validation (CWE-601: an open redirect through `/enter?redirect=` and a loopback redirect_uri check in the device-login flow); missing ownership checks on per-user backend objects (CWE-639/CWE-862 IDORs covering user environments, user collections and personal access tokens); one sandbox escape in @hoppscotch/js-sandbox that leads to RCE in the CLI (CVE-2024-34347, CWE-77); an extension that answered calls from origins outside its domain list (CVE-2024-34714); a database password written to logs (CVE-2023-34097, CWE-532); content spoofing in emails sent by the real Hoppscotch service (CVE-2024-27092); and an unauthenticated onboarding-config takeover (CVE-2026-28215), the only entry rated Critical. The client-side parts of the product limit some exposure, but most of the higher-severity entries sit in the backend's authorization logic and in how redirect, configuration and user-supplied display inputs are validated. No major public incident tied to these CVEs is documented on this page; the practical guidance is to keep the self-hosted backend, the extension and the CLI current, and to treat redirect targets, display names and mock responses as untrusted input.
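The two CWE-601 entries on this page both turn on where a redirect target is allowed to point. The block below is an added example, not hoppscotch's code and not derived from the advisories' details: a substring-based loopback check next to a parser-based one for a device-login redirect_uri, and a same-origin-only handler for a `?redirect=` parameter. The host allow list, the function names and the `appOrigin` value are assumptions made for the illustration.

```javascript
// Added example, not hoppscotch's code: redirect-target validation for the
// two CWE-601 patterns listed on this page. Assumptions: a device-login flow
// that accepts a loopback redirect_uri, and a web route that accepts a
// ?redirect= parameter meant to send the user back to a path on the same site.
// Uses only the WHATWG URL class that Node and browsers provide.

// Hosts a loopback redirect_uri may use (RFC 8252 style). The port may vary,
// because a native client binds an ephemeral port; nothing else may.
const LOOPBACK_HOSTS = new Set(["127.0.0.1", "[::1]", "localhost"]);

// Weak check: a substring test. "http://127.0.0.1.evil.tld/cb" and
// "http://evil.tld/?x=localhost" both pass, so the token leaves the box.
function isLoopbackRedirectWeak(redirectUri) {
  return redirectUri.includes("127.0.0.1") || redirectUri.includes("localhost");
}

// Hardened check: parse, then compare the parsed scheme and hostname exactly.
function isLoopbackRedirect(redirectUri) {
  let u;
  try {
    u = new URL(redirectUri);
  } catch {
    return false; // unparsable input is never a valid target
  }
  if (u.protocol !== "http:") return false; // loopback listeners are plain http
  if (u.username || u.password) return false; // reject "http://127.0.0.1@evil.tld/" style input outright
  return LOOPBACK_HOSTS.has(u.hostname);
}

// Post-login "redirect" parameter: accept only an absolute path on the app's
// own origin; anything else falls back to "/". appOrigin is assumed to be the
// canonical origin the app is served from, e.g. "https://app.example".
function safeLocalRedirect(redirectParam, appOrigin) {
  if (typeof redirectParam !== "string" || redirectParam === "") return "/";
  // Reject the raw forms that parse to another host: "//evil.tld" and
  // "/\evil.tld" (a backslash counts as a slash in http(s) URLs).
  if (!/^\/(?![\/\\])/.test(redirectParam)) return "/";
  let target;
  try {
    target = new URL(redirectParam, appOrigin);
  } catch {
    return "/";
  }
  // The parser strips tabs and newlines, so "/\t/evil.tld" becomes
  // "//evil.tld" and shows up here as a foreign origin.
  if (target.origin !== new URL(appOrigin).origin) return "/";
  return target.pathname + target.search + target.hash;
}

// Constructed inputs showing the difference between the two loopback checks.
for (const uri of ["http://127.0.0.1:49152/cb", "http://127.0.0.1.evil.tld/cb"]) {
  console.log(uri, "weak:", isLoopbackRedirectWeak(uri), "hardened:", isLoopbackRedirect(uri));
}
```

The design point is to decide on the parsed URL, never on the raw string: the weak check passes a look-alike host, while the hardened check compares `hostname` after the same parser the browser will use has normalised credentials, backslashes and stripped whitespace.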

CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2026-34931 | hoppscotch: Improper loopback redirect_uri validation in device-login flow | hoppscotch | CWE-601 | 6.1 (AI est.) | Medium (AI est.) | 2026-04-02
CVE-2026-34848 | hoppscotch: Stored XSS in team member overflow tooltip via display name | hoppscotch | CWE-79 | 5.4 | Medium | 2026-04-02
CVE-2026-34932 | hoppscotch: Stored XSS via mock server responses on backend origin | hoppscotch | CWE-79 | 8.1 (AI est.) | High (AI est.) | 2026-04-02
CVE-2026-34847 | hoppscotch: Open redirect via `/enter?redirect=` | hoppscotch | CWE-601 | 4.7 | Medium | 2026-04-02
CVE-2026-30825 | hoppscotch: IDOR - Any authenticated user can revoke any other user's Personal Access Token | hoppscotch | CWE-639 | -- | -- | 2026-03-07
CVE-2026-28217 | IDOR in GraphQL userCollection Query Exposes Other Users' Private Collections | hoppscotch | CWE-862 | 6.5 | Medium | 2026-02-26
CVE-2026-28216 | hoppscotch has IDOR in updateUserEnvironment / deleteUserEnvironment | hoppscotch | CWE-639 | 8.3 | High | 2026-02-26
CVE-2026-28215 | hoppscotch Vulnerable to Unauthenticated Onboarding Config Takeover | hoppscotch | CWE-284 | 9.1 | Critical | 2026-02-26
CVE-2024-34714 | Hoppscotch Extension responds to calls made by origins not in the domain list | hoppscotch-extension | CWE-354 | 7.6 | High | 2024-05-14
CVE-2024-34347 | @hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE | hoppscotch | CWE-77 | 8.4 | High | 2024-05-08
CVE-2024-27092 | Content spoofing - real Hoppscotch emails | hoppscotch | CWE-20 | 5.4 | Medium | 2024-02-26
CVE-2023-34097 | Database password exposed in logs in hoppscotch | hoppscotch | CWE-532 | 7.8 | High | 2023-06-05
CVE-2022-0121 | Cross-site Scripting in hoppscotch/hoppscotch | hoppscotch/hoppscotch | CWE-79 | 8.0 | High | 2022-01-06

Scores marked (AI est.) are this site's AI-generated estimates rather than a CNA or NVD score; CVE-2026-30825 was listed without a CVSS score or severity.
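Three of the entries above (CVE-2026-30825, CVE-2026-28216, CVE-2026-28217) describe the same shape of bug: a per-user object is fetched by its id and the caller's ownership is never checked. The block below is an added example, not hoppscotch's code and not based on the advisories' specifics; it shows that shape beside the fix, using an in-memory Map as the database and illustrative resolver names (`updateUserEnvironment`, `deleteUserEnvironment`, `listUserEnvironments`) and a `ctx.user` caller object, all of which are assumptions.

```javascript
// Added example, not hoppscotch's code: the ownership check whose absence
// produces the IDOR entries (CWE-639 / CWE-862) listed on this page.
// Assumptions: an in-memory Map standing in for the database, resolvers that
// receive the caller as ctx.user, and a per-user resource ("environment")
// keyed by id with an ownerUid. All names are illustrative.

let store;

// Constructed sample data: one environment each for two users.
function resetStore() {
  store = new Map([
    ["env-1", { id: "env-1", ownerUid: "alice", name: "dev", vars: { HOST: "dev.internal" } }],
    ["env-2", { id: "env-2", ownerUid: "bob", name: "prod", vars: { HOST: "api.internal" } }],
  ]);
  return store;
}
resetStore();

class NotFoundError extends Error {}

function requireUser(ctx) {
  if (!ctx || !ctx.user || !ctx.user.uid) throw new Error("unauthenticated");
  return ctx.user;
}

// Vulnerable shape: the caller is authenticated, but the row is fetched by id
// alone, so any logged-in user who knows or guesses another user's id can act on it.
function deleteUserEnvironmentVulnerable(ctx, id) {
  requireUser(ctx);
  const env = store.get(id);
  if (!env) throw new NotFoundError(id);
  store.delete(id);
  return env;
}

// Hardened shape: every lookup is scoped to the caller. A foreign id is
// reported exactly like a missing one, so the error does not confirm that
// the id exists.
function findOwnedEnvironment(ctx, id) {
  const user = requireUser(ctx);
  const env = store.get(id);
  if (!env || env.ownerUid !== user.uid) throw new NotFoundError(id);
  return env;
}

function deleteUserEnvironment(ctx, id) {
  const env = findOwnedEnvironment(ctx, id);
  store.delete(id);
  return env;
}

function updateUserEnvironment(ctx, id, patch) {
  const env = findOwnedEnvironment(ctx, id);
  // id and ownerUid are server-controlled; a client patch cannot move the
  // row to another user.
  const updated = { ...env, ...patch, id: env.id, ownerUid: env.ownerUid };
  store.set(id, updated);
  return updated;
}

// Read side (the userCollection-style query): select by owner up front rather
// than fetching everything and filtering later, so the filter cannot be skipped.
function listUserEnvironments(ctx) {
  const user = requireUser(ctx);
  return [...store.values()].filter((e) => e.ownerUid === user.uid);
}

// Constructed calls: Bob tries to delete Alice's environment through each path.
const bob = { user: { uid: "bob" } };
console.log("vulnerable delete by bob of env-1:", deleteUserEnvironmentVulnerable(bob, "env-1").name);
resetStore();
try {
  deleteUserEnvironment(bob, "env-1");
} catch (e) {
  console.log("hardened delete by bob of env-1:", e.constructor.name);
}
```

Two details carry the fix: the owner is part of the lookup key rather than a check bolted on afterwards, and the not-found response is the same whether the id is missing or belongs to someone else, which keeps the endpoint from doubling as an id oracle.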

This page lists every published CVE security advisory associated with hoppscotch. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.