{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34847", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T20:52:53.285Z", "datePublished": "2026-04-02T19:19:05.703Z", "dateUpdated": "2026-04-03T15:39:17.767Z"}, "containers": {"cna": {"title": "hoppscotch: Open redirect via `/enter?redirect=`", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-27pm-c9ch-746q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-27pm-c9ch-746q"}, {"name": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0"}], "affected": [{"vendor": "hoppscotch", "product": "hoppscotch", "versions": [{"version": "< 2026.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T19:19:05.703Z"}, "descriptions": [{"lang": "en", "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, the /enter page contains a DOM-based open redirect vulnerability. The redirect query parameter is directly used to construct a URL and redirect the user without proper validation. This issue has been patched in version 2026.3.0."}], "source": {"advisory": "GHSA-27pm-c9ch-746q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T15:39:08.489999Z", "id": "CVE-2026-34847", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T15:39:17.767Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34847", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T15:39:08.489999Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T15:39:13.617Z"}}], "cna": {"title": "hoppscotch: Open redirect via `/enter?redirect=`", "source": {"advisory": "GHSA-27pm-c9ch-746q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "hoppscotch", "product": "hoppscotch", "versions": [{"status": "affected", "version": "< 2026.3.0"}]}], "references": [{"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-27pm-c9ch-746q", "name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-27pm-c9ch-746q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0", "name": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, the /enter page contains a DOM-based open redirect vulnerability. The redirect query parameter is directly used to construct a URL and redirect the user without proper validation. This issue has been patched in version 2026.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T19:19:05.703Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34847", "state": "PUBLISHED", "dateUpdated": "2026-04-03T15:39:17.767Z", "dateReserved": "2026-03-30T20:52:53.285Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T19:19:05.703Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*", "matchCriteriaId": "0FF217CC-EE39-4462-91B1-AA13EDECFF36", "versionEndExcluding": "2026.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, the /enter page contains a DOM-based open redirect vulnerability. The redirect query parameter is directly used to construct a URL and redirect the user without proper validation. This issue has been patched in version 2026.3.0."}], "id": "CVE-2026-34847", "lastModified": "2026-04-15T17:27:18.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-02T20:16:28.520", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-27pm-c9ch-746q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "hoppscotch", "source": "cna", "vendor": "hoppscotch"}, "product": "hoppscotch", "vendor": "hoppscotch"}], "analysis": {"en": {"generated_at": "2026-04-02T22:19:10.674541+00:00", "value": {"mitigation_remediation": ["Update hoppscotch to version 2026.3.0 or newer.", "If an upgrade is not immediately feasible, restrict access to the /enter route or implement input validation to block redirection to external sites.", "Review inbound URLs for redirection parameters and add server\u2011side whitelist checks if possible."], "summary": {"action": "Apply Patch", "impact": "Open Redirect"}, "threat_synthesis": {"affected_systems": "The issue affects hoppscotch, the open\u2011source API development ecosystem. Any release prior to version 2026.3.0 is susceptible. The fix is implemented in version 2026.3.0 and later. Users must verify the exact version of the deployed instance and upgrade accordingly.", "description_and_impact": "A DOM\u2011based open redirect was discovered on the /enter route of hoppscotch. The page uses the redirect query string value directly to set the location header without validation. An attacker can supply any URL, causing the victim\u2019s browser to navigate to a malicious site. The vulnerability falls under CWE\u2011601. While it does not grant code execution or direct data exposure, it enables phishing, delivery of malware, and other social engineering attacks. The CVSS score of 4.7 indicates a moderate risk to users.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 4.7; the EPSS metric is not available and it is not listed in the CISA KEV catalog. Exploitation requires an attacker to construct a malicious URL to the /enter endpoint, which users may click or be redirected to by another site. Thus the attack vector is mainly web\u2011based and user\u2011initiated, with a low likelihood of widespread automated exploitation without social\u2011engineering cues."}}}}, "created": "2026-04-03T07:31:25.327860+00:00", "updated": "2026-04-03T09:16:20.877723+00:00", "vendors": ["hoppscotch", "hoppscotch$PRODUCT$hoppscotch"]}